RPZ Action

Dayton's Den


Categories
Useful Links
Blog Administration
< Exim ACL's to reduce the amount of SPAM | Requests for Hyper Transport >

Sunday, April 5. 2015

Posted by Jason Robertson in BIND DNS
Defined tags for this entry: , , , , ,
Related entries by tags:
Last modified on 2015-04-05 18:27

RPZ Action

The RPZ standard  provides many actions, in response to when a trigger is activated. The triggers that are activated can be both from client requests, or the responses from the remote DNS Servers.  The actions for these, determine what the requesting client receives back from the DNS Server they are querying. The DNS server can reply with No Domain, No Data for the Domain, Whitelist, and Rewrite record. For BIND 9, there are 2 more actions available Tar-pitting and Quench.

 

NXDOMAIN (.)

The NXDOMAIN action provides a method of telling the requesting client Address requested has no information at all, this is equivelent of deleting the requested domain from the internet and ceasing all other possible queries.  This allows the client to stop trying to connect the address right away, as it doesn't get an IP Address back from the DNS server.

  • badhost.com.null.rpz        IN    CNAME    .

NODATA (*.)

The NODATA action is different from NXDOMAIN in that it means that the specific requested Resource Record does not exist, but their may be entries for others may exist.  The client may query for other entries because their may be records for other Resource Record types.

  • badhost.com.null.rpz        IN    CNAME    .*

PASSTHRU (rpz-passthru.)

The PASSTHRU action, provides a method of whitelisting a response from a remote DNS Server for this domain.  A good example is to be able to block a Hosting Provider that may have a great deal of malware domains, but also hosts Primary and Secondary DNS services for non-hosted sites, or for mail services.

  • badhost.com.null.rpz        IN    CNAME    rpz-passthru.

TCP-Only (rpz-tcp-only.)

 A TCP-Only action, provides a method of slowing down Denial of Service Attacks.  This can slow down clients from resolving entries, and limit the impact of DNS queries by making each one take longer by forcing the client to make a TCP connection to do the DNS Query.  This can reduce the impact of DNS Amplication attacks because of the added difficulty in spoofing TCP connections.

  • badhost.com.null.rpz        IN    CNAME    rpz-tcp-only.

DROP (rpz-drop.)

A DROP action, does what the name implies, it just drops the query, there's no response, this can limit local and remote clients speed of querying as the server doesn't respond, the UDP session for the DNS Query would be required to timeout, this can cause a remote attacker to run out of free ports to connect.

  • 8.0.0.0.127.rpz-client-ip    CNAME   rpz-drop.

Local-Data (IP address or Alias)

The Local-Data action, basically allows you to rewrite the responding address, this can be used to direct requests to a specific address such as a honeypot to capture the specific data, or to a webpage that might be useful for making sure the client knows that the service was blocked and the reason why, and how to resolve the issue.  It can also be used as part of a Walled Garden configuration.

  • badhost.com.null.rpz        IN    CNAME    www.goodhost.com
  • badhost.com.null.rpz        IN    A        127.0.0.1

Frontpage - Top level