When maintaining a DNS RPZ, how do I disappear a malicious domain name?


The simplest and most common use of a DNS firewall is to poison domain names known to be purely malicious, by simply making them disappear. All DNS RPZ rules are expressed as resource record sets (RRsets), and the way to express "force a name-does-not-exist condition" is by adding a CNAME pointing to the root domain ("."). In practice this looks like:

$ORIGIN rpz.example.com.
malicious1.org          CNAME .
*.malicious1.org        CNAME .
malicious2.org          CNAME .
*.malicious2.org        CNAME .

Two things are noteworthy in this example. First, the malicious names are made relative within the response policy zone. Since there is not a trailing dot following ".org" in the above example, the actual RRsets created within this response policy zone will be, after expansion:

malicious1.org.rpz.example.com.         CNAME .
*.malicious1.org.rpz.example.com.       CNAME .
malicious2.org.rpz.example.com.         CNAME .
*.malicious2.org.rpz.example.com.       CNAME .

Second, both the name being poisoned and also its descendent names, are usually listed. This is because a malicious domain name probably has or might potentially have malicious subdomains.

In the above example, the relative domain names malicious1.org and malicious2.org will match only the real domain names malicious1.org and malicious2.org respectively. The relative domain names *.malicious1.org and *.malicious2.org will match any subdomain.malicious1.org or subdomain.of.malicious2.org respectively.

This example forces a name-does-not-exist condition as its policy action. Other policy actions are also possible.

See also: Building DNS Firewalls with Response Policy Zones (RPZ)