Response policy zone
External links
- Slides with more detail (Paul Vixie): http://www.isc.org/files/imce/DNSRPZ-2011-03-01-Webinar.pdf
- Spamhaus' RPZ data feed information: http://www.spamhaus.org/news/article/669/spamhaus-dbl-as-a-response-policy-zone
- DNS RPZ Intro (CleanBrowsing): https://cleanbrowsing.org/articles/rpz-response-policy-zones
Revision as of 02:10, 13 April 2018
In computing, a response policy zone (RPZ) is a mechanism that lets a Domain Name System recursive resolver apply locally or externally defined policy to the answers it would otherwise return. The policy is itself expressed as a DNS zone, so it can be authored, transferred and kept current with ordinary DNS tooling, and a resolver can use it to refuse, rewrite or redirect the resolution of selected domain names and addresses.
History
The RPZ mechanism was developed at the Internet Systems Consortium, led by Paul Vixie, as a feature of the BIND name server. ISC published the format in 2010 as technical note ISC-TN-2010-1, and it first shipped in the BIND 9.8 series in 2011. Microsoft's DNS Server has offered comparable policy-based filtering since Windows Server 2016.[1][2]
The RPZ format is published as an open, vendor-neutral specification for exchanging DNS firewall policy, first as the ISC technical note and later as an IETF Internet-Draft (draft-ietf-dnsop-dns-rpz) that has not been published as an RFC; this allows other resolver implementations to consume the same policy zones.[3][4][5]
RPZ was developed to combat the misuse of the DNS by malicious actors. It follows on from the Mail Abuse Prevention System (MAPS) project, which introduced reputation data as a mechanism for protecting against email spam; RPZ extends the use of reputation data into the Domain Name System.
Function
RPZ lets a recursive resolver substitute policy-defined answers for the answers it would normally compute. The policy is distributed as an ordinary DNS zone in which every record is a rule: the owner name is the trigger and the record data is the action.
A trigger can match the query name (QNAME, with wildcards such as *.example covering everything below a name), an address in the answer (owner names under rpz-ip), the name or address of a name server authoritative for the answer (rpz-nsdname, rpz-nsip), or the address of the client that sent the query (rpz-client-ip). Actions are encoded as special CNAME targets: "." returns NXDOMAIN (the name does not exist), "*." returns NODATA (the name exists but has no records of the requested type), rpz-passthru. exempts the match from policy, rpz-drop. silently discards the query, rpz-tcp-only. sends a truncated answer so the client must retry over TCP, and any other record data is returned as "local data", typically a CNAME that redirects the client to a walled-garden site. Triggers are evaluated in a fixed order (client-ip, qname, ip, nsdname, nsip), so a QNAME passthru for a trusted name overrides an address-based block on the same answer.
Because a policy zone is a normal zone, a resolver can obtain it from an external organisation by zone transfer (AXFR/IXFR), learn of updates through NOTIFY, and consult several policy zones in a configured order, the first zone with a matching trigger deciding the answer. Rewriting an answer invalidates its DNSSEC signatures for a validating client, so BIND leaves DNSSEC-signed answers untouched unless the operator explicitly sets break-dnssec.
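The following is an added illustration, not ISC's or BIND's code: a toy evaluator that parses a small constructed policy zone in the encoding described above and applies the trigger precedence to a query. The zone contents (rpz.example and the names and addresses in it) are made up for the example, and it models a single policy zone with IPv4 address triggers only; a real resolver consults its configured zones in order and also understands the IPv6 "zz" owner-name form.

```python
"""Toy evaluator for the RPZ trigger/action encoding (added illustration, not
ISC's code). It models one policy zone; a real resolver consults its configured
zones in order and the first zone with a matching trigger wins."""
import ipaddress
from collections import defaultdict

# Constructed sample policy zone (illustration only, not a real feed). Owner
# names are relative to the zone origin; the rdata encodes the action.
RPZ_ZONE = """\
$TTL 300
@                               IN SOA   rpz.example. hostmaster.rpz.example. 2018041301 3600 300 604800 60
@                               IN NS    localhost.
malware.example                 IN CNAME .                 ; QNAME trigger -> NXDOMAIN
*.malware.example               IN CNAME .                 ; ...and everything under it
tracker.example                 IN CNAME *.                ; NODATA: name exists, no records
phish.example                   IN CNAME garden.example.   ; Local Data: redirect to walled garden
allowed.example                 IN CNAME rpz-passthru.     ; exempt from policy
24.0.2.0.192.rpz-ip             IN CNAME .                 ; IP trigger: any answer in 192.0.2.0/24
ns.badhost.example.rpz-nsdname  IN CNAME .                 ; NSDNAME trigger: answer served by this NS
24.0.113.0.203.rpz-nsip         IN CNAME rpz-drop.         ; NSIP trigger: NS in 203.0.113.0/24 -> drop
8.0.0.0.10.rpz-client-ip        IN CNAME rpz-passthru.     ; CLIENT-IP trigger: 10.0.0.0/8 is exempt
"""

# Special CNAME targets that encode actions; anything else is "Local Data".
SPECIAL = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
           "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}
IP_TRIGGERS = ("rpz-ip", "rpz-nsip", "rpz-client-ip")


def decode_ip_owner(labels):
    """['24','0','2','0','192'] -> IPv4Network('192.0.2.0/24'): rpz-ip owners are
    prefixlen.B4.B3.B2.B1 with the octets reversed (IPv6 'zz' form omitted here)."""
    prefix, *octets = labels
    return ipaddress.ip_network(".".join(reversed(octets)) + "/" + prefix, strict=False)


def parse_rpz(text):
    """Return {trigger_type: {key: (action, local_data)}} for a zone file."""
    policy = defaultdict(dict)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        owner, _cls, rtype, *rdata = line.split()
        if rtype in ("SOA", "NS"):
            continue                      # apex housekeeping, not policy
        rdata_text = " ".join(rdata)
        action = SPECIAL.get(rdata_text, "LOCAL") if rtype == "CNAME" else "LOCAL"
        entry = (action, f"{rtype} {rdata_text}" if action == "LOCAL" else None)
        labels = owner.lower().split(".")
        if labels[-1] in IP_TRIGGERS:
            policy[labels[-1]][decode_ip_owner(labels[:-1])] = entry
        elif labels[-1] == "rpz-nsdname":
            policy["rpz-nsdname"][".".join(labels[:-1])] = entry
        else:
            policy["qname"][owner.lower()] = entry
    return policy


def match_name(table, name):
    """Exact owner first, then the closest enclosing wildcard (*.parent)."""
    name = name.rstrip(".").lower()
    if name in table:
        return table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        hit = table.get("*." + ".".join(labels[i:]))
        if hit:
            return hit
    return None


def match_ip(table, addr):
    """Longest-prefix match, as BIND does for the address triggers."""
    ip = ipaddress.ip_address(addr)
    hits = [net for net in table if ip in net]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None


def first_hit(table, keys, matcher):
    for key in keys:
        hit = matcher(table, key)
        if hit:
            return hit
    return None


def evaluate(policy, qname, client_ip=None, answer_ips=(), ns_names=(), ns_ips=()):
    """Return (action, local_data, trigger). Trigger precedence follows the
    spec: CLIENT-IP and QNAME are decided before recursion; IP, NSDNAME and
    NSIP only once the resolver has fetched the answer and its name servers."""
    checks = [
        ("CLIENT-IP", first_hit(policy["rpz-client-ip"], [client_ip] if client_ip else [], match_ip)),
        ("QNAME", match_name(policy["qname"], qname)),
        ("IP", first_hit(policy["rpz-ip"], answer_ips, match_ip)),
        ("NSDNAME", first_hit(policy["rpz-nsdname"], ns_names, match_name)),
        ("NSIP", first_hit(policy["rpz-nsip"], ns_ips, match_ip)),
    ]
    for trigger, hit in checks:
        if hit:
            return hit[0], hit[1], trigger
    return "RESOLVE", None, None          # no policy applies: answer normally


if __name__ == "__main__":
    policy = parse_rpz(RPZ_ZONE)
    print(evaluate(policy, "www.malware.example."))                        # ('NXDOMAIN', None, 'QNAME')
    print(evaluate(policy, "innocent.example", answer_ips=["192.0.2.7"]))  # ('NXDOMAIN', None, 'IP')
    print(evaluate(policy, "malware.example", client_ip="10.9.8.7"))       # ('PASSTHRU', None, 'CLIENT-IP')
```

In BIND the same zone would be attached with a response-policy statement in the options block (roughly `response-policy { zone "rpz.example"; };`) and loaded as a secondary zone transferred from the feed provider. Note that the evaluator returns PASSTHRU for 10.9.8.7 even though the query name is blocked: the client-ip trigger is decided first, which is the intended way to exempt, say, a security team's analysis subnet.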
Purpose
RPZ is essentially a filtering mechanism: it prevents clients of a resolver from reaching selected internet domains, or redirects them elsewhere.
It lets the operator of a recursive resolver obtain reputation data about harmful domains from external organisations and act on it at resolution time, so that every computer using that resolver is stopped from connecting to the listed domains, without any change on the client side. The protection only covers clients that actually use that resolver; a client configured to use a different resolver, including one reached over DNS over HTTPS, is not affected.
Mechanism and data
RPZ is only a mechanism; it does nothing without policy data to act on.
Several internet security organisations offered reputation data describing dangerous domains in RPZ form early in the mechanism's development (Spamhaus, for example, publishes its domain blocklist as an RPZ feed). Other services offer RPZ feeds for particular content categories, such as adult content. A resolver operator can also author a policy zone of their own, for instance to sinkhole domains and addresses identified during an incident, since the zone is an ordinary master file.
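As an added example of authoring a local policy zone (not ISC's code, and not taken from any feed provider), the block below turns an operator's own blocklist into an RPZ master file. It implements the rpz-ip owner-name encoding for both IPv4 and IPv6, including the "zz" spelling of "::", and refuses domain names whose last label would be misread as a trigger suffix. The origin rpz.example, the serial and the listed names and networks are constructed for the illustration.

```python
"""Generate an operator's own RPZ master file from a local blocklist (added
illustration, not ISC's code). The encoding follows ISC-TN-2010-1 /
draft-vixie-dnsop-dns-rpz; origin, serial, names and networks are constructed."""
import ipaddress


def compress_zero_run(words):
    """Replace the longest run of two or more '0' words with 'zz' (the rpz-ip
    spelling of '::'); a single zero word stays as is, as RFC 5952 does for '::'."""
    best_start, best_len, start = -1, 1, None
    for i, w in enumerate(words + [None]):        # sentinel flushes a trailing run
        if w == "0" and start is None:
            start = i
        if w != "0" and start is not None:
            if i - start > best_len:
                best_start, best_len = start, i - start
            start = None
    if best_start < 0:
        return words
    return words[:best_start] + ["zz"] + words[best_start + best_len:]


def rpz_ip_owner(net):
    """Encode a network as an rpz-ip owner: prefix length, then the address
    groups in reverse order. IPv4: 192.0.2.0/24 -> 24.0.2.0.192.rpz-ip.
    IPv6: 16-bit words in hex without leading zeros, 2001:db8::/32 -> 32.zz.db8.2001.rpz-ip."""
    net = ipaddress.ip_network(net, strict=False)    # a bare host address becomes /32 or /128
    if net.version == 4:
        groups = str(net.network_address).split(".")
    else:
        groups = [w.lstrip("0") or "0" for w in net.network_address.exploded.split(":")]
    groups.reverse()
    if net.version == 6:
        groups = compress_zero_run(groups)
    return f"{net.prefixlen}.{'.'.join(groups)}.rpz-ip"


TRIGGER_SUFFIXES = (".rpz-ip", ".rpz-nsip", ".rpz-nsdname", ".rpz-client-ip")


def build_rpz_zone(origin, serial, block_domains=(), block_nets=(), allow_domains=(), garden=None):
    """Return the text of a policy zone. Blocked domains (and everything under
    them, via a wildcard) get NXDOMAIN, or a CNAME into `garden` if given;
    answers inside block_nets get NXDOMAIN; allow_domains get rpz-passthru,
    which wins over the address triggers because QNAME is evaluated first."""
    action = f"CNAME {garden}" if garden else "CNAME ."
    lines = [
        "$TTL 300",
        f"$ORIGIN {origin}",
        f"@  IN SOA localhost. hostmaster.{origin} {serial} 3600 300 604800 60",
        "@  IN NS  localhost.",
    ]
    for name in sorted({d.strip().rstrip(".").lower() for d in block_domains}):
        # A QNAME rule ending in e.g. ".rpz-ip" would be parsed as an address trigger.
        if not name or name.endswith(TRIGGER_SUFFIXES):
            raise ValueError(f"{name!r} would be parsed as a trigger, not a QNAME")
        lines.append(f"{name} IN {action}")
        lines.append(f"*.{name} IN {action}")
    for name in sorted({d.strip().rstrip(".").lower() for d in allow_domains}):
        lines.append(f"{name} IN CNAME rpz-passthru.")
    for net in sorted(set(block_nets)):
        lines.append(f"{rpz_ip_owner(net)} IN CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone("rpz.example.", 2018041301,
                         block_domains=["Malware.example.", "phish.example"],
                         block_nets=["192.0.2.0/24", "2001:db8::/32"],
                         allow_domains=["allowed.example"],
                         garden="garden.example."))
```

Bump the serial on every regeneration, otherwise secondaries and the resolver's own zone loading will not pick up the change. Once the zone is loaded, a query for a blocked name should return the policy answer, and BIND signals a rewrite by placing the policy zone's SOA record in the authority section of the response, which is the simplest way to confirm with dig that a hit came from RPZ rather than from the authoritative server.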
Example of use
Consider that Alice uses a computer whose DNS service (a recursive resolver) is configured with RPZ and receives a policy zone listing domains believed to be dangerous.
Alice receives an email containing a link whose text appears to point to a site she trusts, and she clicks it. The link's real target is not the trusted site but a dangerous domain that is listed in the resolver's policy zone.
Instead of telling her computer how to reach the dangerous site, the resolver applies the policy: it either answers that the name does not exist, so the connection fails, or returns a substitute answer that leads to a safe "walled garden" page explaining what happened. Her browser and mail client need no changes, because the decision is made at the resolver.
References
1. "Is there any function in Windows Server 2012 or prior to do RPZ DNS responses?", Microsoft TechNet forums. https://social.technet.microsoft.com/Forums/windowsserver/en-US/5c41ac0d-63cf-40f0-bb52-3b053c70e443/is-there-any-function-in-windows-server-2012-or-prior-to-do-rpz-dns-responses?forum=winserverNIS
2. "DNS Domain Blacklisting and Sinkhole for Microsoft Server". http://networkstr.com/domain-dns-blacklisting-sinkhole/microsoft
3. ISC, "DNS Response Policy Zones (DNS RPZ)", technical note ISC-TN-2010-1. ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
4. ISC Knowledge Base, "Building DNS Firewalls with Response Policy Zones (RPZ)". https://deepthought.isc.org/article/AA-00525/110/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html
5. IETF, draft-ietf-dnsop-dns-rpz, "DNS Response Policy Zones (RPZ)". https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-rpz/