Building DNS Firewalls with Response Policy Zones (RPZ)

A DNS firewall can help you control what domain names, IP addresses and subnets, and name servers are allowed to function on your network. You can build such a firewall using DNS Response Policy Zones (RPZ), which is an open and vendor-neutral standard for the interchange of DNS firewall configuration information. DNS RPZ is a standard feature of BIND 9, and is expected to be supported by other (non-BIND) name servers.

Topics in this section:

• Taking Back the DNS (blog post)
• DNS firewalls and DNS RPZ
• What are the features of the DNS RPZ firewall?
• When maintaining a DNS RPZ, how do I disappear a malicious domain name?
• When maintaining a DNS RPZ, how do I put infected users into a walled garden?
• What if I want to use a simpler walled garden triggered by IP address?
• How can I synchronize DNS RPZ firewall policies across multiple DNS servers?
• How can I protect important business relationships from accidental DNS RPZ firewalling?
• Using DNS RPZ to Deliver DNS Firewall Services
• Known Inconsistency in DNSRPZ’s NSD and NSIP Rules
• DNS Response Policy Zones - Specification - Format 3