This is a very useful feature: it provides not only a method of blackholing, but also a method of remapping addresses for services hidden behind NAT devices. RPZ has one major limitation: there are at least 4 queries for each query that is made. The configuration isn't really that hard, but it is hard to find really good and clear information about it.
Each RPZ zone file can be treated as an ordinary zone, but it is recommended that you do not allow the zone to be queried from remote sites, as that would let a remote agent gather information on what is blocked, which is especially useful for directed attacks. For the RPZ zones, allowing the file to be transferred to secondary servers adds capacity to absorb the extra queries that will be made. Dynamic updates are useful for fast changes to the RPZ zones, including feeds from various public sites such as http://www.malwaredomains.com/.
options {
    /* Other DNS options */
    response-policy {
        zone "rpz.zone";
    } break-dnssec yes;
};

zone "rpz.zone" IN {
    type master;
    file "rpz.zone";
    check-names ignore;
    allow-query { none; };              /* This prevents queries for this zone completely */
    /* allow-query { localhost; };      Enable this if you want to test your own services from the DNS server itself */
    /* allow-update { localhost; };     Enable this if you want to dynamically update the zone; this makes pushing changes very easy */
    /* allow-transfer { secondaries; }; Enable this if you want multiple servers using the RPZ zone ("secondaries" is an ACL you define) */
    /* also-notify { secondaries; };    Enable this if you are doing transfers (the directive is also-notify; "secondaries" is your list of secondary server addresses) */
};
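The configuration above loads rpz.zone but says nothing about what goes in it. As an added example (not code from the original page), the following Python script writes the two kinds of records the text describes, blackhole entries and NAT remaps, as a zone file for the file directive and as an nsupdate batch for the allow-update path; the SOA/NS hostnames, server address and sample domains are constructed placeholders.

```python
import ipaddress
from typing import Dict, Iterable, List

ZONE = "rpz.zone"   # matches the zone name in the named.conf above
TTL = 300

# Constructed SOA/NS header: replace the hostnames with your own server.
HEADER = [
    f"$TTL {TTL}",
    "@ IN SOA ns1.example.invalid. hostmaster.example.invalid. 1 3600 900 604800 300",
    "@ IN NS ns1.example.invalid.",
]

def blackhole_records(domains: Iterable[str]) -> List[str]:
    """Blackhole action: 'CNAME .' makes BIND answer NXDOMAIN for the
    name and, through the wildcard, for every name below it."""
    records = []
    for raw in domains:
        name = raw.split("#", 1)[0].strip().rstrip(".").lower()
        if not name:  # blank or comment-only line
            continue
        records.append(f"{name} IN CNAME .")
        records.append(f"*.{name} IN CNAME .")
    return records

def remap_records(remaps: Dict[str, str]) -> List[str]:
    """Local-data action: answer a public name with the internal address
    it has behind the NAT device instead of the real answer."""
    records = []
    for name, addr in remaps.items():
        ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
        records.append(f"{name.strip().rstrip('.').lower()} IN A {addr}")
    return records

def build_zone(domains: Iterable[str], remaps: Dict[str, str]) -> str:
    """Full text for the file named in 'file "rpz.zone";'."""
    return "\n".join(HEADER + blackhole_records(domains) + remap_records(remaps)) + "\n"

def nsupdate_batch(domains, remaps, server="127.0.0.1") -> str:
    """nsupdate input for the allow-update path: same records, fully qualified."""
    lines = [f"server {server}", f"zone {ZONE}."]
    for rec in blackhole_records(domains) + remap_records(remaps):
        owner, rest = rec.split(" IN ", 1)
        lines.append(f"update add {owner}.{ZONE}. {TTL} IN {rest}")
    lines.append("send")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    blocklist = ["# malware hosts", "bad.example", "Evil.Test."]  # constructed sample input
    print(build_zone(blocklist, {"www.example.net": "192.0.2.10"}))
```

Pipe the nsupdate_batch output into `nsupdate` on the server only after enabling allow-update in the zone stanza; the zone file output is what `file "rpz.zone";` loads at startup.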