DNS Firewall – RPZ: a Multi-Layered Solution

Solution Overview:

In summary, DNS Response Policy Zones (RPZ) give defenders a highly effective choke point against ongoing attacks such as ransomware, phishing and malware. RPZ enables a fast and ubiquitous defense by blocking DNS resolution of known malicious hosts and sites.

RPZ provides a highly valuable first line of defense: it stops phishing and malware infections earlier, identifies already-infected devices faster, and prevents data exfiltration before it happens. RPZ blocks resolution of malicious sources in both directions, inbound and outbound.

Response Policy Zones are highly effective at protecting your network and its users from unknowingly or inadvertently accessing malicious websites and hosts, greatly improving protection against malware of many kinds, including bots, spyware and other malicious attack vectors.

Your network will be far better protected against the risks of malware, phishing, ransomware and spyware.

How it Works:

If users click malicious links in phishing emails and inadvertently download malware or ransomware, cyber criminals can gain a foothold in the corporate network. From there they can copy intellectual property; steal, alter or encrypt data for financial gain; install spyware; or add computers to botnets.

Security professionals can mitigate this risk by using Response Policy Zones (RPZs) to block access to known malicious sites: the resolver simply refuses to resolve malicious domains and IP addresses. This protects users from visiting newly registered malware dropper sites and bad IP addresses that pose a significant risk.

RPZ Using DNS as Critical Choke Point: Increasing Coverage and Visibility:

DNS resolvers are a critical "choke point" through which every device on your network must pass to reach the outside world, which makes them a logical place to apply security controls. RPZ turns that choke point into a highly valuable defense on multiple layers of your network and an effective means of deploying cyber threat intelligence on known or suspected malicious sites (malware, ransomware, bots, etc.).

In short, RPZ turns a recursive DNS server into a DNS firewall. It arms your resolver with a Swiss-army-knife filtering mechanism that protects all of your users, devices, protocols and applications from the risks of malware, phishing and ransomware, preventing malicious sources from entering or leaving your network.

Integration and Customizability:

RPZ integrates easily into ISC's BIND DNS resolver (version 9.8 or later). Network administrators can load zone files carrying real-time threat intelligence directly into their resolver, attach a security policy to each zone, and respond in whatever way matches their situation.

RPZ gives DNS administrators the ability to choose the policy according to their own preference (e.g. NXDOMAIN, redirect to a customized landing page, walled garden, among others). With RPZ, DNS admins also keep control of their DNS traffic, meaning that sensitive information and data are not handed to a cloud provider or third party.

Simple to Manage, Easy to Implement

RPZ runs agentless once configured, and set-up can be accomplished within minutes.

Why it Works: RPZ is only as good as the data behind it:

SecurityZONES provides access to the industry's highest-quality RPZ threat feeds, and all are available for trial. Many organizations prefer to run a trial in "passive / logging" mode first, to see what would have been blocked.
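As an added example (not a sample from SecurityZONES or ISC), here is the BIND configuration the two sections above describe: a local override zone with NXDOMAIN, landing-page redirect, passthru and IP-based rules, plus a vendor feed zone pulled by IXFR and run in log-only "passive" mode for a trial. The zone names rpz.local and feed.rpz.example, the feed address 192.0.2.10 and the landing page walled-garden.example.net are placeholders.

```conf
// named.conf fragment (added example; names and addresses are placeholders)
options {
    recursion yes;
    // Policy zones are consulted in order and the first match wins,
    // so the local override zone goes first.
    response-policy {
        zone "rpz.local";                         // our own rules, enforced
        zone "feed.rpz.example" policy disabled;  // trial: log matches, do not act
    };
};

logging {
    channel rpz_log {
        file "/var/log/named/rpz.log" versions 5 size 20m;
        print-time yes;
    };
    category rpz { rpz_log; };   // every RPZ hit, including "disabled" ones
};

// Local override zone, maintained on this resolver.
zone "rpz.local" {
    type master;
    file "/etc/bind/rpz.local.db";
    allow-query { localhost; };
};

// Vendor feed, replicated as a secondary zone; updates arrive via IXFR.
zone "feed.rpz.example" {
    type slave;
    masters { 192.0.2.10; };       // placeholder feed server
    allow-query { localhost; };
    allow-transfer { none; };
    file "/var/cache/bind/feed.rpz.example.db";
};

; /etc/bind/rpz.local.db  (owner names are relative to rpz.local)
$TTL 300
@   IN SOA localhost. hostmaster.localhost. ( 2024010101 3600 600 86400 300 )
@   IN NS  localhost.
; QNAME triggers
malware-dropper.example     CNAME .                          ; answer NXDOMAIN
*.malware-dropper.example   CNAME .                          ; ...and all subdomains
phish.example               CNAME walled-garden.example.net. ; redirect to landing page
intranet-tool.example       CNAME rpz-passthru.              ; exempt from later zones
; IP trigger: any answer inside 203.0.113.0/24 (octets reversed) gets NODATA
24.0.113.0.203.rpz-ip       CNAME *.
```

Switching the feed from `policy disabled` to `policy given` after reviewing rpz.log moves it from passive to enforcing mode; `named-checkzone rpz.local /etc/bind/rpz.local.db` validates the local zone before reloading.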

Keeping you Ahead of the Threat

Both the Spamhaus and SURBL RPZ feeds are updated continuously, every sixty seconds, to incorporate new threats. The RPZ data is highly dynamic and highly accurate.

In addition, RPZ updates use secure and fast incremental zone transfer (IXFR), so only the changes to the lists are transmitted, allowing updates to propagate to subscribing name servers worldwide in a matter of seconds.

This gives network administrators, security professionals and service providers the most current threat intelligence to protect their networks from being compromised by people clicking phishing links or browsing untrustworthy sites.

As soon as the new RPZ data has propagated, your users can no longer connect to the listed domains and IP addresses, mitigating the threat from new malicious domains.