What is it?

Wikipedia knows.

Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".

This website is made available to keep up with information about this feature.

Why is RPZ useful?

The prime motivation for creating this feature was to protect users from badness on the Internet related to known-malicious global identifiers such as host names, domain names, IP addresses, or nameservers. Criminals tend to keep using the same identifiers until they are taken away from them. Unfortunately, the Internet security industry's ability to take down criminal infrastructure at domain registries, hosting providers or ISPs is not timely enough to be effective. Using RPZ, a network or DNS administrator can implement their own protection policies base based on reputation feeds from security service providers on a near-real-time basis.

Examples include:

  • If one knows a bad hostname or domain name, one can block clients from accessing it or redirect them to a walled garden.
  • If one know a bad IP address or subnet, one can block clients from accessing hostnames that reference it.
  • If one knows a nameserver that doesn't host anything except bad domains, one can block clients from accessing DNS information hosted by those nameservers.

Policy zones published by a multiple providers (see below) can be checked in order before a normal answer from the global DNS is used. White lists can also be maintained by a local administrator to prevent false positives for key infrastructure.

Pointers to resources

Ecosystem

Send links to webmaster at dnsrpz.info to be added below.

Providers of reputation data (in alphabetical order)

Provider Service
DissectCyber rpzone.us
FarsightSecurity Newly Observed Domains and example
InfoBlox DNS firewall
SpamHaus Several popular block lists are available via RPZ. Data sheet, Article, Pricing
SURBL Data Feed
SWITCH SWITCH DNS Firewall
ThreatStop DNS firewall and announcement
Malware Patrol RPZ Package

Products that can utilize DNS RPZ

Vendor Product Notes
Akamai AnswerX AnswerX Cloud (deployed all over the world) and AnswerX License (rack and stack on Unix or VMs) can pull in multiple RPZ threat feed. Each RPZ threat feed can be applied to multiple “services,” nested workflows, or merged into a master RPZ feed.
BlueCat BlueCat DNS BlueCat provides both their own protection policies for customers as well as the ability for customers to add their own zones. Here is a landing page: BlueCat RPZ.
EfficientIP SolidServer SolidServer allows incorporation of external policies through a GUI
InfoBlox DNS Firewall The DNS engine is based on BIND 9 (with enhancements). Add providers or manage your own list with a GUI. video
ISC BIND 9 RPZ support is included in BIND version 9.8 and later.
CZ.NIC Knot Resolver Partial support in 5.x. More complete implementation in 6.X policy module.
NLnet Labs NLnet Labs Unbound RPZ support is included in Unbound version 1.10 and later.
PowerDNS PowerDNS Recursor 4.0.0 and higher Introduction

Related services

Provider Service
Deteque Has provided integration consulting for some of the DNS RPZ providers above
PIPELINE Security Provides integration, monitoring, and support for dns rpz
SecurityZones Provides product marketing and sales for some of the providers above