What are the features of the DNS RPZ firewall?


DNS RPZ (Response Policy Zones) is a form of DNS firewall in which the firewall rule sets are expressed within DNS itself in the form of specially constructed DNS zones. DNS RPZ is an open vendor-neutral format for DNS firewall policy which allows a DNS server operator to maintain their own firewall policies and share them with all internal name servers, or to subscribe to external firewall policies such as commercial or cooperative "threat feeds". A name server using DNS RPZ can subscribe to one or more DNS policy rule sets (which are called Response Policy Zones). Each rule in an RPZ rule set is stored in a DNS resource record set (RRset) and consists of a "trigger" and an "action".

In a DNS firewall based on DNS RPZ, each rule uses one of four policy triggers and specifies one of four policy actions. Because the rules are ordinary DNS records, they can be edited, served and transferred (for example with zone transfers and NOTIFY) exactly like any other zone data.

A response policy rule in DNS RPZ can be triggered as follows:

  •         by the query name (QNAME trigger)
  •         by an address which would be present in a truthful response (IP trigger)
  •         by the name of an authoritative name server responsible for publishing the original response (NSDNAME trigger)
  •         by the address of such an authoritative name server (NSIP trigger)

A response policy action can be one of the following:

  •         to synthesize a "domain does not exist" (NXDOMAIN) response
  •         to synthesize a "name exists but there are no records of the requested type" (NODATA) response
  •         to replace/override the response's data with specific data (provided within the response policy zone)
  •         to exempt the response from further policy processing

The most common use of a DNS firewall is to poison a domain name, IP address, name server name, or name server IP address. Poisoning is usually done by forcing a synthetic "domain does not exist" response. For example, given a list of known "phishing" domains, you can make those names unreachable by your customers or end users simply by adding firewall policy to your recursive DNS server: one rule per phishing domain, each with a query-name trigger and an action forcing a synthetic "domain does not exist" response. Alternatively you could use a data replacement action and answer queries for those phishing domains with the name of a local web server that displays a warning page. Such a web server is called a "walled garden".


Authority name servers can be responsible for many different domains. If you use DNS RPZ to poison every domain served by some authority name server name or authority name server address, the effects will be far reaching: every domain that server is authoritative for becomes subject to the rule, not just the ones you had in mind. Before deploying such a rule, check that the authority name servers in question do not also serve domains you care about; where they do, add a query-name rule with the exempt action for each such domain, since query-name triggers are evaluated before name server triggers and the exempt action stops further policy processing.
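Putting the pieces above together, here is an added example (not code from the original page or from any RPZ implementation) that encodes rules for all four triggers and all four actions as the resource records of a response policy zone, using the standard RPZ encoding: a query-name rule is a record owned by that name relative to the zone apex; an address rule is owned by <prefix length>.<reversed IPv4 octets>.rpz-ip; name server rules use the rpz-nsdname and rpz-nsip labels; and the NXDOMAIN, NODATA and exempt actions are encoded as CNAMEs to ".", "*." and "rpz-passthru.", while any other record is replacement data. It also implements the check the previous paragraph calls for: given the authority servers of domains you must keep reachable, it reports which name server rules would poison them, honouring a query-name exempt rule because query-name triggers are evaluated before name server triggers. All domain names, addresses and the PROTECTED map are constructed for the example, and the address encoding covers IPv4 only.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Trigger(Enum):
    QNAME = "qname"      # the name the client asked for
    IP = "ip"            # an address that would appear in the truthful answer
    NSDNAME = "nsdname"  # name of an authority server for the answer
    NSIP = "nsip"        # address of an authority server for the answer


class Action(Enum):
    NXDOMAIN = "nxdomain"
    NODATA = "nodata"
    LOCAL_DATA = "local-data"  # replace the answer with data from the zone
    PASSTHRU = "passthru"      # exempt from further policy processing


@dataclass(frozen=True)
class Rule:
    trigger: Trigger
    target: str     # domain name, or IPv4 address/CIDR for IP and NSIP
    action: Action
    data: str = ""  # rdata for LOCAL_DATA, e.g. "CNAME garden.example."


def _reversed_ipv4(prefix, suffix):
    """192.0.2.0/24 -> 24.0.2.0.192.<suffix>; a bare address means /32."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        raise ValueError("this example encodes IPv4 triggers only")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + "." + suffix


def owner_name(rule):
    """Owner name, relative to the RPZ apex, of the record carrying the rule."""
    if rule.trigger is Trigger.QNAME:
        return rule.target.rstrip(".")
    if rule.trigger is Trigger.NSDNAME:
        return rule.target.rstrip(".") + ".rpz-nsdname"
    return _reversed_ipv4(rule.target,
                          "rpz-ip" if rule.trigger is Trigger.IP else "rpz-nsip")


def rdata(rule):
    """Record data encoding the action: three reserved CNAME targets mark the
    synthetic actions; any other RRset is local data returned as given."""
    fixed = {Action.NXDOMAIN: "CNAME .", Action.NODATA: "CNAME *.",
             Action.PASSTHRU: "CNAME rpz-passthru."}
    if rule.action in fixed:
        return fixed[rule.action]
    if not rule.data:
        raise ValueError("LOCAL_DATA rule needs record data")
    return rule.data


def build_zone(rules, origin="rpz.example.", serial=2024010101, ttl=300):
    """Render a loadable RPZ zone: apex SOA and NS plus one record per rule."""
    lines = [f"$ORIGIN {origin}", f"$TTL {ttl}",
             f"@ SOA ns.{origin} hostmaster.{origin} {serial} 3600 900 2592000 {ttl}",
             f"@ NS ns.{origin}"] + [f"{owner_name(r)} {rdata(r)}" for r in rules]
    return "\n".join(lines) + "\n"


def ns_collateral(rules, protected):
    """(domain, rule) pairs where an NSDNAME/NSIP rule would also poison a
    domain in `protected` (domain -> (authority names, IPv4 addresses)),
    unless a QNAME PASSTHRU rule for that exact name exempts it first."""
    exempt = {r.target.rstrip(".") for r in rules
              if r.trigger is Trigger.QNAME and r.action is Action.PASSTHRU}
    hits = []
    for r in rules:
        if r.trigger not in (Trigger.NSDNAME, Trigger.NSIP):
            continue
        for dom, (names, addrs) in protected.items():
            if dom.rstrip(".") in exempt:
                continue
            if r.trigger is Trigger.NSDNAME:
                hit = r.target.rstrip(".") in {n.rstrip(".") for n in names}
            else:
                net = ipaddress.ip_network(r.target, strict=False)
                hit = any(ipaddress.ip_address(a) in net for a in addrs)
            if hit:
                hits.append((dom, r))
    return hits


# Constructed rule set: two phishing names, a hosting netblock, one bulk
# hosting authority server (by name and by address) and one exemption.
RULES = [
    Rule(Trigger.QNAME, "login-verify.example", Action.NXDOMAIN),
    Rule(Trigger.QNAME, "secure-update.example", Action.LOCAL_DATA,
         "CNAME garden.example."),  # walled-garden warning page
    Rule(Trigger.IP, "192.0.2.0/24", Action.NODATA),
    Rule(Trigger.NSDNAME, "ns1.bulk-hosting.example", Action.NXDOMAIN),
    Rule(Trigger.NSIP, "198.51.100.7", Action.NXDOMAIN),
    Rule(Trigger.QNAME, "partner.example", Action.PASSTHRU),
]

# Constructed map: domains that must stay reachable -> (authority server
# names, addresses); in practice filled from each domain's NS records.
PROTECTED = {
    "partner.example": (["ns1.bulk-hosting.example."], ["198.51.100.7"]),
    "payroll.example": (["ns2.bulk-hosting.example."], ["198.51.100.7"]),
}

if __name__ == "__main__":
    print(build_zone(RULES))
    for dom, r in ns_collateral(RULES, PROTECTED):
        print(f"WARNING: {r.trigger.value} rule for {r.target} also poisons {dom}")
```

Run as a script it prints the zone and one warning: partner.example is covered by its query-name exempt rule, but payroll.example shares the poisoned name server address 198.51.100.7 and would be made unreachable. The rendered zone can be loaded like any other zone and referenced from the recursive server's response policy configuration (in BIND, a `response-policy { zone "rpz.example"; };` statement).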

See also: Building DNS Firewalls with Response Policy Zones (RPZ)