When maintaining a DNS RPZ, how do I disappear a malicious domain name?
The simplest and most common use of a DNS firewall is to poison domain names known to be purely malicious, by simply making them disappear. All DNS RPZ rules are expressed as resource record sets (RRsets), and the way to express "force a name-does-not-exist condition" is by adding a CNAME pointing to the root domain ("."). In practice this looks like:
$ORIGIN rpz.example.com. malicious1.org CNAME . *.malicious1.org CNAME . malicious2.org CNAME . *.malicious2.org CNAME .
Two things are noteworthy in this example. First, the malicious names are made relative within the response policy zone. Since there is not a trailing dot following ".org" in the above example, the actual RRsets created within this response policy zone will be, after expansion:
malicious1.org.rpz.example.com. CNAME . *.malicious1.org.rpz.example.com. CNAME . malicious2.org.rpz.example.com. CNAME . *.malicious2.org.rpz.example.com. CNAME .
Second, both the name being poisoned and also its descendent names, are usually listed. This is because a malicious domain name probably has or might potentially have malicious subdomains.
In the above example, the relative domain names
malicious2.org will match only the real domain names
malicious2.org respectively. The relative domain names
*.malicious2.org will match any
This example forces a name-does-not-exist condition as its policy action. Other policy actions are also possible.