What is it?
Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a recursor nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the PowerDNS recursorserver and ISC bind nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".
Why is RPZ useful?
The prime motivation for creating this feature was to protect users from badness on the Internet related to known-malicious global identifiers such as host names, domain names, IP addresses, or nameservers. Criminals tend to keep using the same identifiers until they are taken away from them. Unfortunately, the Internet security industry's ability to take down criminal infrastructure at domain registries, hosting providers or ISPs is not timely enough to be effective. Using RPZ, a network or DNS administrator can implement their own protection policies base based on reputation feeds from security service providers on a near-real-time basis.
- If one knows a bad hostname or domain name, one can block clients from accessing it or redirect them to a walled garden.
- If one know a bad IP address or subnet, one can block clients from accessing hostnames that reference it.
- If one knows a nameserver that doesn't host anything except bad domains, one can block clients from accessing DNS information hosted by those nameservers.
Policy zones published by multiple providers can be checked in order before a normal answer from the global DNS is used. Whitelists can also be maintained by a local administrator to prevent false positives for key infrastructure.