Building DNS Firewalls with Response Policy Zones (RPZ)
A DNS firewall lets you control which domain names, which IP addresses and subnets, and which name servers are allowed to resolve on your network. You can build such a firewall using DNS Response Policy Zones (RPZ), an open and vendor-neutral standard for expressing and exchanging DNS firewall policy as ordinary DNS zone data. DNS RPZ is a standard feature of BIND 9 (the response-policy statement) and is also implemented by other recursive resolvers, including Unbound, PowerDNS Recursor and Knot Resolver. Note that the policy is enforced only for clients that actually send their queries to the RPZ-enabled recursive server; a host that uses some other resolver bypasses it entirely.
Some useful pages:
- Response Policy Zones (on ISC's website)
- DNS firewalls and DNS RPZ
- What are the features of the DNS RPZ firewall?
- When maintaining a DNS RPZ, how do I disappear a malicious domain name?
- When maintaining a DNS RPZ, how do I put infected users into a walled garden?
- What if I want to use a simpler walled garden triggered by IP address?
- How can I synchronize DNS RPZ firewall policies across multiple DNS servers?
- How can I protect important business relationships from accidental DNS RPZ firewalling?
- Using DNS RPZ to Deliver DNS Firewall Services
- Known Inconsistency in DNSRPZ’s NSD and NSIP Rules
- DNS Response Policy Zones - Specification - Format 3