The Domain Name Server Response Policy Zone is an open, vendor-neutral standard for the interchange of DNS firewall configuration information. RPZ was developed by the Internet Systems Consortium to fight the abuse of the DNS by groups or individuals with malicious or harmful intent.
RPZ is a standard feature of BIND 9 (Berkeley Internet Name Domain) as of version 9.8.1 and was built upon the Mail Abuse Spam Project, which introduced reputation data as a means of protecting against email spam. Due to the proliferation of criminal activity on the internet, it is difficult for the internet security industry to remove criminal infrastructure at domain registries, hosting providers, or ISPs on a timely basis. So RPZ allows a DNS server (a recursive server) operator or administrator to maintain its own firewall policies and share those policies with all internal name servers. They may also subscribe to external firewall policies, such as commercial or cooperative threat feeds, which are provided and updated on a regular basis (typically several times per day) by security service and reputation data providers.
Through the use of RPZ, administrators can implement their own policies based on reputation data provided through these subscriptions. This allows them to provide near-real-time protection to their users.
RPZ extends the use of reputation data into the DNS by allowing the administrator to essentially rewrite new address information on top of the answer returned by a global DNS in response to a user DNS query. The rewritten information then blocks, redirects, or provides an alternate destination for the query. RPZ stops malware-infected hosts from reaching command and control servers by blocking DNS resolution to known harmful or malicious hosts and sites. This functionality is also known as a DNS firewall.
How It Works
In the simplest sense, RPZ provides a redirect function that overrides the DNS response when a user clicks on a link (on a website or in an email) or enters a website address or IP address that would go to a known bad website or address. This redirect function then either blocks the query or takes the user to an alternative website. RPZ is essentially a filtering mechanism that prevents users from visiting specified internet domains or redirects them to other locations on the internet.
More specifically, the RPZ function allows a DNS recursive server to choose from a set of specific actions for a specified set of domain name data (i.e., zones). The actions that can be taken include:
- allow the query to proceed and send the user to the requested domain (normal behavior);
- return a message that the domain or record type does not exist (NXDOMAIN or NODATA);
- ignore the query and not respond to it;
- return a message that the user should go to a different domain (CNAME);
- automatically reroute the user to a predefined safe website; or
- automatically reroute the user to a predefined alternative location (a walled garden).
Administrators use RPZ by creating an RPZ master file (that clients do not query directly) which lists the bad locations users are not able to access, and then enabling RPZ in BIND. The master file contains the rules, stored in a DNS resource record set (RRset), which consist of a trigger and an action. These triggers and actions then determine the response returned, such as redirecting a user to an alternative website (the action) after entering a known bad website address (the trigger).
Administrators need to be aware that if more than one RPZ zone is configured, the zones are checked in the order they are entered. If the administrator wants his own (local) RPZ rules applied first, he or she must make sure to put those first, then the external RPZ entries.
- NOTE 1: BIND applies the Response Policy only when a server is queried recursively.
- NOTE 2: DNS RPZ will block DNS resolution; machines connecting to command and control servers via a specified IP address will not be blocked.
Why Use RPZ
RPZ is a relatively easy way for network administrators to protect users from navigating to known bad domains, IP addresses, host names, and name servers. RPZs essentially apply a filter to the user query that protects the user from going to a known bad location.
DNS RPZ provides the same capabilities as a DNS block list, but with faster response times and increased scaling. In addition, administrators can combine their own local zone policies with other zone feeds provided by security and reputation data providers for a stronger, more customized protection policy.
Cyber criminals continue to hack and penetrate networks to disrupt service, implant viruses or malicious code, and steal sensitive data and corporate information. A recent study indicates that the averaged annual impact of cyber crime on the enterprise is $15 million. To protect themselves, enterprises must use every tool available.
DNS RPZ is one of many tools that enterprises can use to defend their network infrastructure. By blocking DNS resolution via RPZ to known hostile, malicious and dangerous sites, administrators are able to prevent damage to connected devices and the network, secure the network against data theft, and prohibit misuse of corporate resources.
Richard Hatheway is director of enterprise product marketing at Nokia VitalQIP.
Edited by Alicia Young