
Response policy zone

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Yesxorno (talk | contribs) at 13:08, 6 September 2012 (Mechanism and Data). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.


RPZ (Response Policy Zone) is a mechanism that lets a Domain Name System recursive resolver apply customised handling, in place of normal resolution, to sets of domain names supplied to it in the form of ordinary DNS zones.


History

The RPZ mechanism was developed by the Internet Systems Consortium, led by Paul Vixie, as a component of BIND. It first shipped in the BIND 9.8 series in 2011.

The RPZ mechanism is published, allowing other DNS resolution software to implement it. It is currently a draft specification rather than a finished standard [1].

RPZ was developed as a technology to combat the use of the DNS by groups or persons with malign purposes. It follows on from the Mail Abuse Prevention System project, which introduced reputational data, published as DNS-queryable blocklists, as a mechanism for protecting against spam.

RPZ extends the use of reputational data into the Domain Name System.

Function

RPZ allows a DNS recursive resolver to choose specific actions to be performed for the names held in one or more collections of domain name data (zones).

For each name matched by a policy zone, the DNS service may perform normal resolution, or instead return a response dictated by the policy: that the requested domain does not exist (technically, an NXDOMAIN response), that the name exists but has no records of the requested type (NODATA), that the client should go to a different name (a CNAME, typically pointing at a "walled garden"), or locally defined data in place of the real answer. A policy zone can also mark a name as an exception (PASSTHRU) so that it is resolved normally despite a broader rule covering it.

Because zone data can be obtained from external sources via a zone transfer (AXFR/IXFR), a DNS service can obtain information about domains from an external organisation and then handle queries for those domains in a non-standard manner. The operator is thereby extending trust to the provider of that data: whatever the feed lists will be acted on, so the integrity of the transfer path and the accuracy of the provider matter as much as the mechanism itself.

Purpose

RPZ is in effect a filtering (censorship) mechanism: it either prevents clients from reaching internet domains or redirects them to other locations.

RPZ gives operators of DNS recursive resolvers a way to obtain, from external organisations, reputational data about domains that may be harmful, and to use that information to protect the computers that rely on the resolver by preventing them from reaching those domains.

Mechanism and Data

RPZ is a mechanism that needs data on which it is to respond.

Some internet security organisations offered data describing potentially dangerous domains early in the development of the RPZ mechanism.

They include:

A recursive resolver operator can also readily define their own domain name data (zones) for RPZ to use, for example to block or redirect names specific to their own network.
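The following added example, which is not code from the article or from BIND, shows how the actions described under Function are expressed as records in an operator-defined policy zone and how a resolver applies them to a query name: an exact trigger name takes precedence over the "*." wildcard forms, and the closest enclosing wildcard wins otherwise. The zone apex rpz.local., the walled-garden name garden.example., the query names and all addresses are constructed for illustration.

```python
"""RPZ (Response Policy Zone) evaluation for query-name triggers.

Added example; not BIND's code and not from the article. The policy zone,
its apex, the addresses and the query names below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample policy zone. Each rule is an ordinary DNS record: the
# owner is the name to match (prefixed "*." to match its subdomains) under
# the policy zone's apex, and the RDATA encodes the action: CNAME "." is
# NXDOMAIN, CNAME "*." is NODATA, CNAME "rpz-passthru." means resolve
# normally, any other CNAME redirects, and a non-CNAME record is local data.
SAMPLE_RPZ_ZONE = """
; apex rpz.local. (constructed operator-defined zone, not a public feed)
rpz.local.                      SOA   ns.rpz.local. hostmaster.rpz.local. 1 3600 900 604800 300
rpz.local.                      NS    ns.rpz.local.
bad.example.rpz.local.          CNAME .                ; NXDOMAIN
*.bad.example.rpz.local.        CNAME .                ; NXDOMAIN for every subdomain
allowed.bad.example.rpz.local.  CNAME rpz-passthru.    ; exception: resolve normally
tracker.example.rpz.local.      CNAME *.               ; NODATA (name exists, no records)
phish.example.rpz.local.        CNAME garden.example.  ; walled garden
*.phish.example.rpz.local.      CNAME garden.example.
intranet.example.rpz.local.     A     192.0.2.10       ; local data
"""


@dataclass
class Policy:
    action: str                  # NXDOMAIN, NODATA, PASSTHRU, CNAME or LOCAL
    rdata: Optional[str] = None  # CNAME target, or the local-data RDATA
    rtype: Optional[str] = None  # record type for LOCAL


def _norm(name: str) -> str:
    """Lower-case and make absolute (trailing dot) for comparison."""
    return name.lower().rstrip(".") + "."


def _decode(rtype: str, rdata: str) -> Policy:
    if rtype != "CNAME":
        return Policy("LOCAL", rdata, rtype)
    target = _norm(rdata)
    if target == ".":
        return Policy("NXDOMAIN")
    if target == "*.":
        return Policy("NODATA")
    if target == "rpz-passthru.":
        return Policy("PASSTHRU")
    return Policy("CNAME", target)


def parse_rpz_zone(text: str, apex: str) -> Dict[str, Policy]:
    """Map trigger names to policies (simplified reader: one record per line,
    optional TTL/class, ';' comments, one policy record per trigger)."""
    apex = _norm(apex)
    triggers: Dict[str, Policy] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        owner = _norm(tokens.pop(0))
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                      # skip TTL and class
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        if owner == apex:
            continue                           # SOA/NS housekeeping, not policy
        if not owner.endswith("." + apex):
            raise ValueError(f"{owner} is outside policy zone {apex}")
        trigger = owner[: -len(apex)].rstrip(".") + "."
        triggers[trigger] = _decode(rtype, rdata)
    return triggers


def lookup(triggers: Dict[str, Policy], qname: str) -> Optional[Policy]:
    """Exact trigger wins; otherwise the closest enclosing '*.' wildcard."""
    qname = _norm(qname)
    if qname in triggers:
        return triggers[qname]
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in triggers:
            return triggers[wildcard]
    return None


def apply_policy(triggers, qname, qtype, upstream: List[Tuple[str, str, str]]):
    """Return (rcode, answers) after rewriting the resolver's own answer."""
    qname = _norm(qname)
    policy = lookup(triggers, qname)
    if policy is None or policy.action == "PASSTHRU":
        return "NOERROR", upstream
    if policy.action == "NXDOMAIN":
        return "NXDOMAIN", []
    if policy.action == "NODATA":
        return "NOERROR", []
    if policy.action == "CNAME":
        return "NOERROR", [(qname, "CNAME", policy.rdata)]  # resolver then chases it
    if policy.rtype == qtype.upper():                    # LOCAL data of asked type
        return "NOERROR", [(qname, policy.rtype, policy.rdata)]
    return "NOERROR", []                                 # LOCAL data of another type


if __name__ == "__main__":
    zone = parse_rpz_zone(SAMPLE_RPZ_ZONE, "rpz.local")
    for q in ("www.bad.example", "allowed.bad.example", "deep.allowed.bad.example",
              "tracker.example", "login.phish.example", "intranet.example", "good.example"):
        upstream = [(_norm(q), "A", "198.51.100.7")]    # constructed upstream answer
        print(q, "->", apply_policy(zone, q, "A", upstream))
```

Note the behaviour for deep.allowed.bad.example: the PASSTHRU exception applies only to the exact name, so a deeper subdomain falls back to the *.bad.example wildcard and is still refused; an operator who wants the whole subtree exempted must add a *.allowed.bad.example rule as well.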

Example of Use

Consider that Alice uses a computer which relies on a DNS service (a recursive resolver) that is configured to use RPZ and has access to a source of zone data listing domains believed to be dangerous.

Alice receives an email with a link that appears to lead somewhere she trusts, and she clicks on it. The actual destination is not the trusted site she read but a dangerous location whose domain is listed in the DNS service's policy data.

Instead of telling her computer how to reach that dangerous web location, the DNS service returns an answer that leads to a safe location, which may be a web site (a walled garden) informing her of what has happened.
