RPZ Definition

RPZ (Response Policy Zones) is a DNS filtering mechanism that lets a recursive resolver prevent connections to specific nodes, such as phishing sites and malware distribution sites, by rewriting the answers it returns for those names.

There are various ways to prevent connections to specific websites. One defense implemented in the DNS is to have the resolver return a different response, instead of the real one, to queries for a particular domain name.

  • The traditional way to implement this was to create a separate authoritative zone on the resolver for each target domain name and put the modified records in that zone.
  • This procedure is cumbersome: the resolver configuration must be changed every time a domain name is added or removed, and if several resolvers are in use, each of them must be configured separately.
  • RPZ was devised to solve this problem. With RPZ, only one zone is created (or one per operational policy), and the many target domain names and their replacement records are all described inside that zone.
  • As a result, no per-domain zone or configuration change is needed, which makes operation easier.
  • Moreover, because a policy zone is an ordinary zone, it can be distributed by normal zone transfer (AXFR/IXFR). This makes it easy to receive blacklists of malicious domain names from security providers and use them to block connections.

How does RPZ work?

  • An RPZ zone is a standard DNS zone, distributed by the usual DNS mechanisms such as zone transfer (RFC 5936), that contains rules describing how responses should be modified. A rule can be triggered by the request (for example, blacklist every name under send-me-spam.biz or illegal-gambling.cn) or by the content of the response.
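The following Python simulation is an added example, not code from the original page or from any RPZ implementation. It shows how the QNAME trigger of an RPZ zone is expressed and evaluated: each rule is an ordinary record whose owner name is the query name (relative to the policy zone apex), and the record data encodes the action. CNAME to "." means NXDOMAIN, CNAME to "*." means NODATA, CNAME to "rpz-passthru." exempts the name, and any other record is served as Local Data. Because a QNAME trigger matches one exact name, a wildcard entry such as *.send-me-spam.biz is needed to cover subdomains, and an exact entry beats a wildcard, which is how a single name inside a passthru subtree can still be blocked. The apex rpz.example. and every rule in RPZ_ZONE are constructed for illustration and are not from any real feed.

```python
"""
Simulation of RPZ QNAME-trigger matching (added example, not from the original page).

Assumptions (hypothetical): the apex rpz.example. and every rule in RPZ_ZONE are
constructed for illustration and do not come from any real provider feed.
"""
from typing import Dict, List, Optional, Tuple

RPZ_ZONE_APEX = "rpz.example."

# Constructed policy zone, written with owner names relative to the apex.
# In the real zone file the first rule's owner is send-me-spam.biz.rpz.example.
RPZ_ZONE = """
send-me-spam.biz        CNAME  .              ; NXDOMAIN for the exact name
*.send-me-spam.biz      CNAME  .              ; NXDOMAIN for every subdomain
illegal-gambling.cn     CNAME  *.             ; NODATA: name exists, no records
*.illegal-gambling.cn   CNAME  *.
walledgarden.phish.test A      192.0.2.1      ; Local Data: send users to a warning page
*.bank.example          CNAME  rpz-passthru.  ; whitelist: never rewrite this subtree
phish.bank.example      CNAME  .              ; ...except this exact name
"""

Rule = Tuple[str, Optional[str]]  # (action, local rdata or None)


def classify(rtype: str, rdata: str) -> Rule:
    """Map a record's RDATA to the RPZ policy action it encodes."""
    if rtype == "CNAME":
        special = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                   "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}
        if rdata in special:
            return (special[rdata], None)
    return ("LOCAL-DATA", f"{rtype} {rdata}")


def parse_rpz(zone_text: str) -> Dict[str, Rule]:
    """Parse 'owner TYPE RDATA' lines into a lookup table keyed by owner name."""
    rules: Dict[str, Rule] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        rules[owner.lower().rstrip(".")] = classify(rtype.upper(), rdata.strip())
    return rules


def match_qname(rules: Dict[str, Rule], qname: str) -> Optional[Rule]:
    """
    Find the QNAME-trigger rule for a query name.

    An exact owner match wins; otherwise the nearest enclosing wildcard
    (*.parent) applies. This simplification ignores the closest-encloser
    subtlety of RFC 4592 and the other RPZ trigger types (IP, NSDNAME, NSIP).
    """
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return None


def policy_response(rules: Dict[str, Rule], qname: str,
                    upstream: Tuple[str, List[str]]) -> Tuple[str, List[str]]:
    """
    Return (rcode, answers) the resolver would hand the client, given the
    answer (rcode, answers) it obtained upstream.
    """
    rule = match_qname(rules, qname)
    if rule is None or rule[0] == "PASSTHRU":
        return upstream
    action, data = rule
    if action == "NXDOMAIN":
        return ("NXDOMAIN", [])
    if action == "NODATA":
        return ("NOERROR", [])
    if action == "LOCAL-DATA":
        return ("NOERROR", [data])
    return (action, [])   # DROP / TCP-ONLY are handled at the transport layer


RULES = parse_rpz(RPZ_ZONE)

if __name__ == "__main__":
    upstream = ("NOERROR", ["A 203.0.113.7"])  # constructed upstream answer
    for q in ["www.send-me-spam.biz", "illegal-gambling.cn",
              "walledgarden.phish.test", "www.bank.example",
              "phish.bank.example", "example.org"]:
        print(f"{q:28} -> {policy_response(RULES, q, upstream)}")
```

Running the block prints the policy decision for each constructed query: the two blacklisted subtrees return NXDOMAIN or NODATA, the walled-garden name gets the local A record, www.bank.example passes through untouched, and phish.bank.example is still blocked because the exact rule outranks the wildcard passthru. A real resolver also evaluates IP, NSDNAME and NSIP triggers and honours the order in which several policy zones are configured; this model covers the QNAME trigger only.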

Advantages and Disadvantages

  • RPZ can be used for good or for bad, and Vixie did not fail to warn critics by himself exposing all the faults and risks of RPZ.
  • The advantages are the ability to block, for example, phishing domains (or unwanted and dangerous commercial domains such as google-analytics.com in the referenced example).
  • The disadvantages are the possibility of censorship, but also (a point made, rightly, by Vixie) the reduced resilience of the DNS due to the introduction of a new component.
  • One can already imagine the next big bug: an RPZ provider blocks everything under *.fr by mistake and all ISPs apply the rule automatically. A practical safeguard is to keep a locally controlled policy zone ahead of the provider feed in the resolver's policy order (resolvers such as BIND evaluate policy zones in the order listed, first match wins), with rpz-passthru entries for the domains that must never be rewritten, and to stage feed updates on a test resolver before they reach production.
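The configuration below is an added example, not taken from the original page or from any provider's documentation, showing the safeguard in BIND's named.conf syntax. The zone names rpz-local.example and rpz-feed.provider.example, and the protected domain bank.example, are hypothetical. The weak form lists only the provider feed, so an overbroad feed entry is applied as-is; the corrected form puts a local zone of rpz-passthru entries first, so those names are exempted before the feed is consulted.

```text
// Weak: the provider feed is the only policy zone, so a mistaken
// wildcard rule in the feed (the "*.fr" scenario) is applied unconditionally.
response-policy {
    zone "rpz-feed.provider.example";
};

// Corrected: a locally maintained zone is evaluated first; first match wins,
// so its passthru entries shield critical names from whatever the feed says.
response-policy {
    zone "rpz-local.example";
    zone "rpz-feed.provider.example";
};

// Contents of the local zone rpz-local.example (hypothetical, owner names
// relative to the apex): exempt our own domain and everything under it.
// bank.example     CNAME  rpz-passthru.
// *.bank.example   CNAME  rpz-passthru.
```

The feed zone should additionally be received as a secondary zone with a TTL and refresh interval chosen so that a bad update can be noticed and withdrawn before it propagates to every resolver.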