RPZ / DNS Firewall

RPZ – Response Policy Zone

What is DNS RPZ?

RPZ lets a recursive (caching) DNS resolver block, or rewrite, the resolution of known-bad domains at lookup time, before any connection to the host is made.

DNS RPZ is a filtering mechanism built into the resolver: for every query it first checks whether the requested name (or the addresses and name servers in the answer) appears in a policy zone. If it does, the resolver enforces the configured policy instead of returning the real answer, so the user never reaches the malicious site: the name can be made to fail (NXDOMAIN), answer with nothing, be pointed at a warning page, or be quarantined in a walled garden.

Turn your DNS Caching Resolver into a tool to help protect your network from malware

  • Does for DNS resolvers what an RBL does for mail servers
  • Provides the same capabilities as an anti-spam DNSBL (RBL), but with far greater scale and speed
  • Critical choke point: almost every Internet connection begins with a DNS lookup, whatever the protocol, application or access method
  • An elegant way to deploy dynamic threat intelligence
  • Customizable and highly dynamic
  • Deploy RPZ data feeds, add your own data, and add your own whitelist

Similar in concept to a DNSBL, but designed specifically for DNS lookups and with far greater coverage

Why Use DNS RPZ:

All the computers in your network must contact your DNS resolvers to reach the outside world (provided they cannot bypass them, so egress to third-party resolvers, including DNS-over-HTTPS endpoints, should be blocked). Your DNS resolvers are therefore a critical "choke point" through which every device in your network must pass, and the logical place to add a security check that decides whether a domain is "clean" or "dirty."

An RPZ feed is an ordinary DNS zone. Your resolver pulls the blocklist of bad domains down with standard zone transfers (a full AXFR for the initial copy, then incremental IXFR for changes, signalled by NOTIFY and authenticated with a TSIG key) and loads it alongside its normal cache. Domain data is updated automatically every 1-2 minutes. The approach is agentless, auto-updating and customizable in policy: a highly effective means of deploying critical cyber threat intelligence across all your users and applications, keeping them from visiting known-bad sites and mitigating malware, phishing and botnets.

RPZ (Response Policy Zone) Service Description:

Response Policy Zones (RPZ), also known as a "DNS firewall," are highly effective at protecting your network and its users from unknowingly accessing malicious websites and hosts, greatly improving protection against malware of many kinds, including bots, spyware and other malicious attack vectors.

Response Policy Zones (RPZs) allow DNS administrators to selectively block access to malicious sites by preventing the resolver from resolving malicious domains and IP addresses. This protects users from visiting known malicious sites such as newly registered malware-dropper domains and known-bad IP addresses that pose a significant risk but may not yet appear in other block lists. Because RPZ can also trigger on the IP addresses returned in an answer and on a domain's name servers, it can catch a freshly registered domain that is hosted on already-known bad infrastructure.

Spamhaus' RPZ feeds contain tens to hundreds of thousands of domains known to be suspect. The Spamhaus Response Policy Zone data are updated with new threats every sixty seconds, around the clock.

The data can be updated this rapidly because each update sends only the changes to the list (an incremental zone transfer, IXFR) rather than the full list. The frequent updates therefore generally take less than a second to propagate, mitigating threats in near real time.

What happens…?

When a user attempts to reach a website, the lookup proceeds in five steps; RPZ policy is applied at step 3, inside the recursive resolver:

  1. The user clicks on a link, or enters the URL of the site they want to reach into their browser.
  2. The stub resolver on the user's machine sends a query for the name to the organization's recursive DNS server.
  3. The recursive server resolves the name to an IP address (BIND, the Berkeley Internet Name Domain, is a popular open-source resolver used for this). With RPZ enabled, the server checks the query name, the addresses in the answer and the authoritative name servers against its policy zones before answering, and rewrites the response (for example to NXDOMAIN, or to the address of a warning page) if a trigger matches.
  4. The recursive server returns the answer, rewritten if policy required it, to the stub resolver.
  5. The user's web browser contacts the website using the returned IP address, or fails to connect at all if the name was blocked.
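As an added illustration of what the resolver consults at step 3, here is a small hand-written RPZ zone. It is example content written for this page, not a SecurityZones or Spamhaus feed: the zone name rpz.example.local, the domains and the addresses are placeholders, while the record formats are the standard RPZ triggers and actions implemented by BIND.

```zone
$TTL 300
; Example RPZ zone written for this page (not a vendor feed). The apex name, the
; domains and the addresses are placeholders. Owner names are relative to the apex.
@   IN SOA  ns.rpz.example.local. hostmaster.rpz.example.local. (
            2024010101 ; serial: bump on every change so NOTIFY/IXFR propagate it
            3600 600 86400 300 )
@   IN NS   localhost.

; --- QNAME triggers: match the name the client asked for ----------------------
; NXDOMAIN action. An exact owner does NOT cover subdomains, so add the wildcard too.
dropper.example.com        CNAME .
*.dropper.example.com      CNAME .
; NODATA action: the name "exists" but has no records of the requested type.
tracker.example.net        CNAME *.
; Local-data action (walled garden): send the user to an internal warning page.
phish.example.org          A     192.0.2.10
*.phish.example.org        A     192.0.2.10
; DROP action: the resolver sends no reply at all.
flood.example.com          CNAME rpz-drop.
; PASSTHRU action: explicit whitelist entry, answered normally.
updates.example.com        CNAME rpz-passthru.

; --- IP trigger: match an address in the answer (prefix.reversed-octets.rpz-ip) ---
; Blocks any name whose answer falls inside 198.51.100.0/24.
24.0.100.51.198.rpz-ip     CNAME .

; --- NSDNAME trigger: match the name of an authoritative server for the answer ---
ns1.bulletproof.example.rpz-nsdname   CNAME .
*.bulletproof.example.rpz-nsdname     CNAME .

; --- NSIP trigger: match the address of an authoritative server (203.0.113.0/24) ---
24.0.113.0.203.rpz-nsip    CNAME .

; --- CLIENT-IP trigger: match the querying client, e.g. exempt a security scanner ---
32.5.0.168.192.rpz-client-ip   CNAME rpz-passthru.
```

Within a zone, BIND evaluates the trigger types in the order CLIENT-IP, QNAME, IP, NSDNAME, NSIP, and zones are consulted in the order they are listed in the resolver's response-policy statement; the first match wins. After the zone is loaded, `dig @127.0.0.1 dropper.example.com` should return status NXDOMAIN, and BIND's rpz log category records which rule fired.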

If users click on malicious links within phishing emails and inadvertently download malware or ransomware, cybercriminals can gain a foothold in the corporate network, allowing them to copy intellectual property; steal, alter or encrypt data for financial gain; install spyware; or add computers to botnets. In the worst case, a single click on a phishing link can lead to complete compromise of the corporate network.

RPZ also helps to prevent data loss by disrupting communication between infected botnet nodes on your network and their command-and-control (C&C) servers, provided the malware locates its C&C by domain name rather than by a hard-coded IP address (a connection that involves no DNS lookup never passes through the resolver).

What RPZ Feeds are Available?

The following RPZ threat feeds are available from SecurityZones:

  1. Composite zone which includes malware, phishing, botnet domains, etc
  2. Individual zones are available, categorized as follows
    - Phishing
    - Malware
    - Botnet
    - Spam / Abuse

These threat feeds are the industry's highest-quality RPZ data, and all are available for trial. Many organizations prefer to run a trial in "passive / logging" mode, in which the resolver logs every policy hit but does not rewrite any answer, to see what would have been blocked before enforcing.

PH - Phishing sites

“Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials.”

Phishing data from numerous sources are gathered, vetted and filtered, then delivered in the PH zone as an accurate and effective list of current, active phishing domains.

MW - Malware sites

Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Malware data from numerous sources are delivered in the MW data zone. The MW data consists of highly dangerous domains that should not be accessed.

Some compromised ("cracked") hosts are also included in MW, since many compromised sites also serve malware.

How do I deploy, what platforms, is it Customizable… ?

RPZ is native in several of the industry's leading DNS platforms, including:

  • BIND 9 (RPZ support was added in 9.8; later releases add more triggers and options)
  • PowerDNS Recursor

Numerous appliance vendors have enabled RPZ as well, including:

  • Infoblox
  • EfficientIP
  • BlueCat

We can assist with technical setup and implementation questions.  Technical implementation guides are also available.
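As an added example written for this page (not a vendor-supplied or SecurityZones configuration), the BIND 9 named.conf fragment below shows the deployment pattern described above: the feed zone is pulled as a secondary over a TSIG-authenticated zone transfer, a local whitelist and a local blocklist are layered in front of it, and the feed itself runs in the passive "log only" trial mode from the feeds section. Zone names, addresses, file paths and the key value are placeholders; the statements are standard BIND 9.16+ syntax (use `type slave;` and `masters` on older 9.x releases).

```conf
// Example named.conf fragment written for this page (not a vendor or SecurityZones
// configuration). Zone names, addresses, paths and the key are placeholders.

// Key for authenticating transfers from the feed provider. Generate your own with
// tsig-keygen; this value is a placeholder, not a real secret.
key "rpz-feed-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXIvbm90LWEtcmVhbC1rZXkvcmVwbGFjZS1tZQ==";
};

options {
    recursion yes;
    allow-query { 192.168.0.0/16; localhost; };

    response-policy {
        // 1. Local whitelist, listed first: a hit here stops all further RPZ checks.
        zone "whitelist.rpz.local" policy passthru;
        // 2. Your own blocklist, enforced with the actions written in the zone.
        zone "local.rpz.local";
        // 3. Vendor feed in passive mode: "policy disabled" logs every hit but does
        //    not rewrite the answer. Change to "policy given" (the default) to enforce.
        zone "feed.rpz.local" policy disabled;
    }
    qname-wait-recurse no   // answer QNAME hits without recursing first
    break-dnssec no         // never rewrite answers a validating client asked for
    max-policy-ttl 300;     // cap TTL of rewritten answers so unblocking propagates fast
};

// Send RPZ hits to their own file; in passive mode this log is the trial report.
logging {
    channel rpz_log {
        file "/var/log/named/rpz.log" versions 10 size 50m;
        severity info;
        print-time yes;
    };
    category rpz { rpz_log; };
};

// Local zones are primaries you edit; bump the SOA serial and "rndc reload" them.
zone "whitelist.rpz.local" {
    type primary;
    file "/etc/bind/whitelist.rpz.local.db";
    allow-query { localhost; };
    allow-transfer { none; };
};
zone "local.rpz.local" {
    type primary;
    file "/etc/bind/local.rpz.local.db";
    allow-query { localhost; };
    allow-transfer { none; };
};

// The feed is a secondary: initial AXFR, then IXFR on each NOTIFY from the provider.
zone "feed.rpz.local" {
    type secondary;
    primaries { 192.0.2.53 key "rpz-feed-key"; };
    allow-notify { 192.0.2.53; };
    file "/var/cache/bind/feed.rpz.local.db";
    allow-query { localhost; };      // clients must not be able to read the list
    allow-transfer { none; };
};
```

Run `named-checkconf` before reloading. While the feed is in passive mode the rpz.log lines show, for each client query, which zone and rule would have rewritten the answer; once the trial results look right, remove `policy disabled` from the feed zone and the same rules are enforced without any other change.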