NXDOMAIN (.)
The NXDOMAIN action tells the requesting client that the queried name does not exist at all. From the client's point of view this is equivalent to the domain having been removed from the DNS: it receives no address and has no reason to ask for any other record types under that name, so it stops trying to connect immediately. The action is expressed by pointing the policy record at the root, a CNAME to ".".
- badhost.com.null.rpz IN CNAME .
NODATA (*.)
The NODATA action differs from NXDOMAIN in that it says the name exists but has no records of the requested type. Because the name is reported as existing, a client may go on to query it for other record types, since those might still have data. The action is expressed as a CNAME to "*." (note the order: asterisk, then dot).
- badhost.com.null.rpz IN CNAME *.
PASSTHRU (rpz-passthru.)
The PASSTHRU action whitelists a name: the response from the upstream DNS server is handed back unchanged, and a PASSTHRU entry for a specific name exempts it from a broader rule (such as a wildcard covering a whole domain) that would otherwise catch it. A typical use is blocking a hosting provider that serves a great many malware domains while still allowing the names of its primary and secondary DNS servers, which non-hosted sites depend on, or its mail servers.
- badhost.com.null.rpz IN CNAME rpz-passthru.
TCP-Only (rpz-tcp-only.)
The TCP-Only action answers UDP queries for the name with a truncated response (TC bit set), which forces the client to repeat the query over TCP. This slows resolution of the affected names and raises the cost of each query. It blunts DNS reflection and amplification attacks because the full answer is only sent to a client that has completed a TCP handshake, which an attacker spoofing source addresses cannot do.
- badhost.com.null.rpz IN CNAME rpz-tcp-only.
DROP (rpz-drop.)
The DROP action does what the name implies: the query is discarded and no response is sent. The client, local or remote, has to wait for its own UDP timeout and retry before it can give up, which limits how fast it can query and leaves nothing for an attacker to reflect. The example below applies it to a client-IP trigger: any query arriving from 127.0.0.0/8 is dropped. An rpz-client-ip name lists the prefix length first, followed by the address octets in reverse order.
- 8.0.0.0.127.rpz-client-ip.null.rpz IN CNAME rpz-drop.
Local-Data (IP address or Alias)
The Local-Data action rewrites the answer itself: instead of a blocking indicator, the client receives an address or alias that you choose. It can point requests at a honeypot that captures what the client sends, or at a web page that tells the user the service was blocked, why, and how to get it unblocked; this is also the basis of a walled-garden setup. Give the target of a CNAME a trailing dot so it is not treated as relative to the policy zone, and use either a CNAME or address records for a given name, not both, since a CNAME cannot share an owner name with any other record.
- badhost.com.null.rpz IN CNAME www.goodhost.com.
- badhost.com.null.rpz IN A 127.0.0.1
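The records above are easy to get subtly wrong (a "*." written as ".*", a CNAME target without its trailing dot, client-IP octets in the wrong order, a CNAME sharing an owner name with an A record). The following script is an added example, not code from the original page or from BIND: it generates a complete RPZ zone from a list of (trigger, action, data) rules, encoding every action described above plus the rpz-client-ip trigger format, and refuses rules that would violate the CNAME rule. The zone name null.rpz, the domains and the addresses are constructed for illustration; only IPv4 client-IP triggers are handled.

```python
"""Build a BIND Response Policy Zone (RPZ) from a simple rule list.

Added example, not part of the original page. The zone name ``null.rpz``
and all domains/addresses below are illustrative assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

ZONE = "null.rpz"  # assumed policy zone name, matching the page's examples

# Each RPZ action is encoded as the CNAME target of the policy record.
ACTION_TARGETS = {
    "nxdomain": ".",              # the name does not exist at all
    "nodata": "*.",               # the name exists but has no records of any type
    "passthru": "rpz-passthru.",  # exempt: hand back the upstream answer unchanged
    "tcp-only": "rpz-tcp-only.",  # truncate UDP answers so the client retries over TCP
    "drop": "rpz-drop.",          # send no answer at all
}


def fqdn(name: str) -> str:
    """Return an absolute name (one trailing dot) so BIND does not append the zone."""
    return name.rstrip(".") + "."


def qname_trigger(domain: str, wildcard: bool = False) -> str:
    """Owner name for a QNAME trigger, e.g. badhost.com.null.rpz."""
    owner = domain.strip(".")
    if wildcard:
        owner = "*." + owner  # also matches every subdomain of the name
    return f"{owner}.{ZONE}."


def client_ip_trigger(cidr: str) -> str:
    """Owner name for an IPv4 rpz-client-ip trigger.

    RPZ writes A.B.C.D/prefix as prefix.D.C.B.A.rpz-client-ip: prefix length
    first, then the octets reversed (127.0.0.0/8 -> 8.0.0.0.127.rpz-client-ip).
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-client-ip.{ZONE}."


def policy_record(owner: str, action: str, data: Optional[str] = None) -> str:
    """One RPZ policy record as a zone-file line."""
    if action in ACTION_TARGETS:
        return f"{owner} IN CNAME {ACTION_TARGETS[action]}"
    if action == "local-a":  # Local-Data: answer with an address of our choosing
        ipaddress.IPv4Address(data)  # validate; raises on a malformed address
        return f"{owner} IN A {data}"
    if action == "local-cname":  # Local-Data: alias to e.g. a walled-garden host
        return f"{owner} IN CNAME {fqdn(data)}"
    raise ValueError(f"unknown RPZ action: {action}")


def build_zone(rules: List[Tuple[str, str, Optional[str]]], serial: int = 1) -> List[str]:
    """Assemble a complete RPZ zone file (as lines) from (owner, action, data) rules.

    Enforces the DNS rule that a CNAME cannot share an owner name with any
    other record; a Local-Data CNAME and A for the same name would otherwise
    silently produce a zone BIND rejects.
    """
    lines = [
        "$TTL 60",
        f"$ORIGIN {ZONE}.",
        f"@ IN SOA localhost. hostmaster.{ZONE}. {serial} 3600 600 86400 60",
        "@ IN NS localhost.",
    ]
    types_by_owner: Dict[str, Set[str]] = {}
    for owner, action, data in rules:
        record = policy_record(owner, action, data)
        rtype = record.split()[2]
        seen = types_by_owner.setdefault(owner, set())
        if "CNAME" in seen or (rtype == "CNAME" and seen):
            raise ValueError(f"{owner}: CNAME cannot coexist with other records")
        seen.add(rtype)
        lines.append(record)
    return lines


def example_zone() -> List[str]:
    """The page's actions expressed as rules (all names/addresses constructed)."""
    rules = [
        (qname_trigger("badhost.com"), "nxdomain", None),
        (qname_trigger("nodata.example"), "nodata", None),
        (qname_trigger("ns1.hoster.example"), "passthru", None),
        (qname_trigger("amplify.example"), "tcp-only", None),
        (client_ip_trigger("127.0.0.0/8"), "drop", None),
        (qname_trigger("phish.example"), "local-cname", "www.goodhost.com"),
        (qname_trigger("sinkhole.example", wildcard=True), "local-a", "127.0.0.1"),
    ]
    return build_zone(rules)


if __name__ == "__main__":
    print("\n".join(example_zone()))
```

Write the output to a file, check it with named-checkzone, and load it in named.conf with a response-policy statement naming the zone; the generator's only job is to make sure every record that reaches BIND already has the right trigger form and target.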