Why use a DNS firewall?
Crime and network abuse on the internet rely on the Domain Name System (DNS), so protection against these threats should include DNS firewalling. A DNS firewall can selectively intercept DNS queries for known network assets, including domain names, IP addresses, and name servers. Interception can mean rewriting a DNS response to direct a web browser to a "walled garden", or simply making any malicious network assets invisible and unreachable.
What can a DNS firewall do?
Firewalls work by applying a set of rules to a traffic flow, where each rule consists of a trigger and an action. Triggers determine which messages within the traffic flow will be handled specially, and actions determine what that special handling will be. For a DNS firewall, the traffic flow to be controlled consists of responses sent by a recursive DNS server to its end user clients. Some true responses are not safe for all clients, and so the policy rules in a DNS firewall allow some responses to be intercepted and replaced with safer content.
How do I create and maintain my DNS firewall policy rule set using DNS RPZ?
In a DNS RPZ firewall, the policy rule set is contained in a DNS "zone," which can be transferred using normal "zone transfer" mechanisms. The master copy of your DNS firewall policy can be a DNS "zone file" which you either edit by hand or generate from a database. You can also edit a DNS zone indirectly using DNS dynamic updates (for example, using the "nsupdate" shell-level utility).
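The two sections above describe rules as trigger plus action, and the rule set as an ordinary DNS zone that can be generated from a database. The following added example (not code from the original page or from any RPZ implementation) is a small generator that renders such a zone file from a list of rule records: each trigger type the page names (domain name, IP address in the answer, name server name, name server IP) becomes an owner name under the policy zone, and each action (NXDOMAIN, NODATA, passthru, drop, walled garden) becomes the record data. The zone name "rpz.example.net", the walled-garden address 192.0.2.10, and the sample rules are constructed placeholders; the example encodes IPv4 triggers only.

```python
import ipaddress

# Constructed placeholders (not from the page): the policy zone's name and the
# address of a walled-garden web server that intercepted clients are sent to.
RPZ_ORIGIN = "rpz.example.net"
WALLED_GARDEN_V4 = "192.0.2.10"

# RPZ actions that are encoded as a CNAME with a special target.
ACTIONS = {
    "nxdomain": "CNAME .",               # answer NXDOMAIN
    "nodata": "CNAME *.",                # answer NODATA (empty answer)
    "passthru": "CNAME rpz-passthru.",   # exempt this name from policy
    "drop": "CNAME rpz-drop.",           # discard the query, send no response
}


def ip_trigger(cidr):
    """Encode an IPv4 CIDR block as RPZ IP trigger labels:
    <prefix length>.<octets in reverse order>. IPv6 is out of scope here."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example encodes IPv4 triggers only")
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}"


def owner_names(rule):
    """Return the owner name(s), relative to the zone origin, for one rule's trigger."""
    kind, value = rule["trigger"], rule["value"]
    if kind == "qname":
        # The name itself plus a wildcard so that its subdomains are covered too.
        return [value, f"*.{value}"]
    if kind == "ip":          # IP address appearing in the response (A record)
        return [f"{ip_trigger(value)}.rpz-ip"]
    if kind == "nsdname":     # name of a name server for the domain being resolved
        return [f"{value}.rpz-nsdname"]
    if kind == "nsip":        # IP address of such a name server
        return [f"{ip_trigger(value)}.rpz-nsip"]
    raise ValueError(f"unknown trigger type {kind!r}")


def rdata(rule):
    """Return the record type and data that encode one rule's action."""
    action = rule["action"]
    if action == "walled-garden":
        return f"A {WALLED_GARDEN_V4}"   # local data: rewrite the answer
    if action in ACTIONS:
        return ACTIONS[action]
    raise ValueError(f"unknown action {action!r}")


def build_zone(rules, origin=RPZ_ORIGIN, serial=1):
    """Render a complete RPZ zone file (as text) from a list of rule dicts."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",   # short TTL so policy changes reach clients quickly
        f"@ SOA ns.{origin}. hostmaster.{origin}. {serial} 3600 900 604800 300",
        f"@ NS ns.{origin}.",
    ]
    for rule in rules:
        data = rdata(rule)
        for owner in owner_names(rule):
            lines.append(f"{owner} {data}")
    return "\n".join(lines) + "\n"


# Constructed sample rule set: one rule per trigger type the page mentions.
SAMPLE_RULES = [
    {"trigger": "qname", "value": "malware.example", "action": "nxdomain"},
    {"trigger": "qname", "value": "phish.example", "action": "walled-garden"},
    {"trigger": "qname", "value": "bank.example", "action": "passthru"},
    {"trigger": "ip", "value": "198.51.100.0/24", "action": "nxdomain"},
    {"trigger": "nsdname", "value": "ns1.bad.example", "action": "nodata"},
    {"trigger": "nsip", "value": "203.0.113.7/32", "action": "drop"},
]

if __name__ == "__main__":
    print(build_zone(SAMPLE_RULES, serial=2024010101), end="")
```

The generated file is a normal master zone: it can be served and transferred like any other, and a BIND recursive server applies it when the zone is listed in its `response-policy` option. Bumping the SOA serial on each regeneration is what lets secondaries pick up rule changes through standard zone transfer.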
See also: Building DNS Firewalls with Response Policy Zones (RPZ)