RPZ Action
Sunday, April 5. 2015

The RPZ standard provides several actions that a DNS server can take when a trigger fires. Triggers can match either the client's request or the response received from remote DNS servers, and the action determines what the querying client gets back. The server can reply with No Domain (NXDOMAIN), No Data for the domain (NODATA), a Whitelist pass-through (PASSTHRU) that lets the normal answer through unchanged, or a rewritten record (Local Data). BIND 9.10 and later add two more actions: TCP-Only, a tar-pitting response that returns a truncated answer so the client has to retry over TCP, and Drop, which quenches the query by sending no reply at all.

RPZ Triggers
Sunday, December 28. 2014

Triggers are not simply evaluated from least specific to most specific. In BIND 9 the policy zones are consulted in the order they are listed in the response-policy statement, and within a zone the trigger types are checked in a fixed order: client IP, QNAME, response IP, nameserver name, nameserver IP. The first rule that matches decides the action.

QNAME Trigger
The most common way of triggering RPZ is the QNAME trigger, which matches the domain name of the requested site. The name must match exactly, except for wildcard matching: a rule for *.domain.com matches any name under domain.com (at any depth) but not domain.com itself. Each rule is written as the full domain name with the name of the policy zone appended, such as www.domain.com.rpz.zone. Examples of the domains that would be valid are:
Examples of the domains that would be invalid are:
Response IP Trigger (rpz-ip)
RPZ can match the IP addresses in the A or AAAA records of the answer returned by the remote DNS server. This allows an exception for a single address, or blocking a host that serves many domain names, such as a virtual-hosting company, with one rule. The owner name starts with the prefix length of the network, 0 to 32 for IPv4 and 0 to 128 for IPv6, followed by the address written with its groups in reverse order, so 1.2.3.4/32 becomes 32.4.3.2.1.rpz-ip. For IPv6 addresses, the run of zero groups that the usual notation writes as :: is written as zz.
Client IP Trigger (rpz-client-ip)
RPZ may also match the client's own IP address. This trigger, intended to cut off DDoS amplifiers or compromised (zombie) clients, applies an action to everything a specific client asks, regardless of the name being queried. In effect it can prevent a client from resolving any addresses at all.
Nameserver Domain Name (rpz-nsdname)
RPZ can also act on the hostname of an authoritative name server: any query whose resolution would go through a name server with that name, and therefore every domain that server is authoritative for, receives the configured action.
Nameserver IP Address (rpz-nsip)
Likewise, RPZ can act on the IP address of an authoritative name server, applying the action to any query whose resolution would go through a name server at that address, and so to every domain it is authoritative for. (Please note that in the example 8.8.8.8 is a recursive resolver, not an authoritative server, so that entry would never match.)
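The following is an added example, not code from the original posts, that ties the trigger encodings above to the actions from the RPZ Action post: it builds a complete RPZ zone file from a short rule list, encoding QNAME, rpz-ip, rpz-client-ip, rpz-nsdname and rpz-nsip owner names (including the reversed-octet and zz forms) and pairing them with NXDOMAIN, NODATA, PASSTHRU, DROP, TCP-Only and Local Data answers. The zone name rpz.zone, the domains and the addresses are assumptions chosen for illustration.

```python
"""Generate a BIND RPZ zone from trigger/action rules (added example)."""
import ipaddress

ZONE = "rpz.zone"  # hypothetical policy zone name, assumed for this example

# RDATA for each RPZ action; Local Data is any ordinary RR, e.g. "A 10.0.0.5"
ACTIONS = {
    "NXDOMAIN": "CNAME .",              # "no such domain"
    "NODATA":   "CNAME *.",             # name exists, no records of that type
    "PASSTHRU": "CNAME rpz-passthru.",  # whitelist: let the real answer through
    "DROP":     "CNAME rpz-drop.",      # BIND 9.10+: send no reply at all
    "TCP-ONLY": "CNAME rpz-tcp-only.",  # BIND 9.10+: truncated reply, retry over TCP
}


def encode_ip(cidr: str) -> str:
    """Encode addr/prefix as RPZ's 'prefix.<reversed address>' owner-name form."""
    net = ipaddress.ip_network(cidr, strict=False)  # host bits are cleared
    if net.version == 4:
        octets = str(net.network_address).split(".")
        return f"{net.prefixlen}." + ".".join(reversed(octets))
    # IPv6: hex groups without leading zeros, reversed; the '::' run becomes 'zz'
    text = net.network_address.compressed  # e.g. '2001:db8::1'
    if "::" in text:
        left, right = text.split("::")
        groups = (left.split(":") if left else []) + ["zz"] + (right.split(":") if right else [])
    else:
        groups = text.split(":")
    return f"{net.prefixlen}." + ".".join(reversed(groups))


def record(trigger: str, value: str, action: str, ttl: int = 3600) -> str:
    """Return one zone-file line for a trigger kind, its value and an action."""
    if trigger == "qname":
        owner = value                                   # 'bad.example' or '*.bad.example'
    elif trigger == "ip":
        owner = f"{encode_ip(value)}.rpz-ip"            # address in the answer
    elif trigger == "client-ip":
        owner = f"{encode_ip(value)}.rpz-client-ip"     # address of the querying client
    elif trigger == "nsdname":
        owner = f"{value}.rpz-nsdname"                  # authoritative server name
    elif trigger == "nsip":
        owner = f"{encode_ip(value)}.rpz-nsip"          # authoritative server address
    else:
        raise ValueError(f"unknown trigger {trigger!r}")
    rdata = ACTIONS.get(action, action)  # unknown keys are taken as Local Data RDATA
    return f"{owner}.{ZONE}. {ttl} IN {rdata}"


# Constructed rule set: every trigger type and every action appears once.
EXAMPLE_RULES = [
    ("qname", "bad.example", "NXDOMAIN"),
    ("qname", "*.bad.example", "NXDOMAIN"),          # subdomains, not bad.example itself
    ("qname", "ok.partner.example", "PASSTHRU"),      # exception inside a blocked set
    ("ip", "192.0.2.0/24", "NODATA"),                 # whole hosting range by answer IP
    ("client-ip", "198.51.100.7/32", "DROP"),         # a misbehaving client
    ("nsdname", "ns1.bad.example", "NXDOMAIN"),       # everything that server hosts
    ("nsip", "2001:db8::1/128", "TCP-ONLY"),          # tar-pit domains served from here
    ("qname", "intranet.example", "A 10.0.0.5"),      # Local Data: NAT-style remap
]


def build_zone(rules) -> str:
    """Assemble a loadable zone: SOA and NS apex records, then the policy rules."""
    header = [
        "$TTL 3600",
        f"{ZONE}. IN SOA localhost. root.localhost. 2015040501 3600 900 604800 60",
        f"{ZONE}. IN NS localhost.",
    ]
    return "\n".join(header + [record(*r) for r in rules]) + "\n"


if __name__ == "__main__":
    print(build_zone(EXAMPLE_RULES))
```

The apex SOA and NS records are required for BIND to load the file; their values are placeholders. A Local Data rule must not share an owner name with a CNAME action, so keep rewrites and blocks on distinct names.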
RPZ in Bind
Tuesday, December 23. 2014

This is a very useful feature: not only does it provide a way of blackholing names, it can also remap addresses for services hidden behind NAT devices. RPZ has one major cost: every client query causes at least four extra lookups against the policy zones, one per trigger type, before an answer goes out. The configuration isn't really that hard, but it is hard to find good and clear information. Each RPZ zone is an ordinary zone file as far as BIND is concerned, but you should not allow the zone to be queried from remote sites, since that would let a remote agent enumerate what is blocked, which is especially useful for directed attacks. Allowing the RPZ zones to be transferred to secondary servers spreads the load of those extra lookups. Dynamic updates are useful for fast changes to the RPZ zones, including pulling feeds from public sites such as http://www.malwaredomains.com/.
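As an added example, not part of the original post, the following script checks a named.conf fragment for the two mistakes warned about above: an RPZ zone that remote clients can query, and one that anyone can transfer. The configuration text, zone names and addresses inside it are constructed for the example; one zone is configured as recommended and one is left open so the check has something to report.

```python
"""Audit named.conf for RPZ zones that are queryable or transferable (added example)."""
import re

# Constructed configuration: rpz.local follows the advice above, rpz.malware does not.
CONSTRUCTED_CONF = """
options {
    response-policy { zone "rpz.local"; zone "rpz.malware"; };
};
zone "rpz.local" {
    type master;
    file "rpz.local.zone";
    allow-query { none; };
    allow-transfer { 192.0.2.20; 192.0.2.21; };
};
zone "rpz.malware" {
    type slave;
    masters { 192.0.2.10; };
    file "rpz.malware.zone";
    allow-transfer { any; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
"""


def zone_blocks(conf: str):
    """Yield (name, body) for each zone "name" { ... }; statement, matching nested braces."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def policy_zones(conf: str) -> set:
    """Names listed in the response-policy statement, i.e. the zones used as RPZ."""
    m = re.search(r"response-policy\s*\{(.*?)\}\s*;", conf, re.S)
    return set(re.findall(r'zone\s+"([^"]+)"', m.group(1))) if m else set()


def acl(body: str, stmt: str):
    """Entries of an ACL statement such as allow-query { ... }; or None if absent."""
    m = re.search(rf"\b{stmt}\s*\{{(.*?)\}}\s*;", body, re.S)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit(conf: str) -> dict:
    """Map each RPZ zone name to a list of findings (empty list means it looks fine)."""
    rpz = policy_zones(conf)
    findings = {}
    for name, body in zone_blocks(conf):
        if name not in rpz:
            continue  # ordinary zones are out of scope here
        issues = []
        # BIND's default allow-query is localhost/localnets, so an explicit
        # { none; } is what keeps the blocklist from being enumerated by clients.
        if acl(body, "allow-query") != ["none"]:
            issues.append("queryable: add allow-query { none; }")
        xfer = acl(body, "allow-transfer")
        if xfer and "any" in xfer:
            issues.append("allow-transfer { any; }: restrict to the secondaries' addresses")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for zone, issues in audit(CONSTRUCTED_CONF).items():
        print(zone, "OK" if not issues else "; ".join(issues))
```

Point the script at a real file by reading it into the string passed to audit(). The parser only understands the plain `zone "name" { ... };` form shown; views and include files would need the same scan run over each fragment.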