DNS firewall controls the domain names, IP addresses, and name servers that are allowed to function. This enables Internet Service Providers (ISPs), enterprises, or organizations to define lists of FQDNs, IP addresses, subnets, and prefixes of end nodes, and to configure rules that secure the network by redirecting DNS name resolution away from known bad domains or non-existent domains.

Every query to a Caching DNS server is first checked against the list of DNS firewall rules in order of priority. To ensure that the Caching DNS server redirects queries for non-existent or known bad domains, you can create DNS firewall rules. A DNS firewall rule comprises a priority, an ACL, an action, and a list of domains, and it takes precedence over exceptions and forwarders. You can configure the following actions for these queries:

Drop: Drops the query.
Refuse: Responds with no data and the REFUSED status.
Redirect: Redirects A or AAAA queries to the specified IP address.
Redirect-nxdomain: Redirects to a specific A or AAAA address if the queried domain does not exist.

When an incoming query matches a DNS firewall rule, the specified action is taken unless the rule is a redirect-nxdomain rule. A redirect-nxdomain rule takes effect only for incoming queries that would otherwise result in an NXDOMAIN response. Actions such as Drop, Refuse, and Redirect, and the RPZ query-name trigger, take place before regular query processing and therefore take precedence over forwarders and exceptions. The other actions and triggers are applied during or after regular query processing.

Cisco Prime Network Registrar supports RPZ. The DNS firewall rules can be set up for specially designated zones on the Authoritative DNS server. The RPZ and RR data, combined with the DNS resolver, effectively creates a DNS firewall that prevents misuse of the DNS server. An RPZ rule consists of a trigger (query-name, ip-answers, ns-name, or ns-ip) and a corresponding action.

The RPZ firewall rules use both the Authoritative DNS and Caching DNS servers to provide the RPZ functionality. The Authoritative DNS server stores the RPZ data and rules, whereas the Caching DNS server takes the client queries and applies these rules to them.

We recommend that you create a separate forward zone on the Authoritative DNS server for RPZ. The zone can be primary or secondary, and the data can either be entered manually or transferred from a third-party RPZ provider. Name the zone so that it avoids conflict with domain names in the global DNS space. In the zone's Query Settings section, enable the rpz attribute to make it an RPZ zone. If the RPZ comes via zone transfer (for example, from a commercial RPZ provider), it must be named the same as at the source.

This zone contains all the RRs related to query names that are in the block list. The RPZ RR names can take the forms listed in Table 1. Blocking IP addresses and ranges must be done using the rpz-ip label. The same logic can be applied to blocking name servers, using the rpz-nsdname and rpz-nsip labels. rpz-ip, rpz-nsdname, and rpz-nsip are just labels; they are not real subdomains or separate zones. No delegation points exist at this level, and the Caching DNS server relies on finding all the data within the referenced zone. When using rpz-nsdname and rpz-nsip, the corresponding rule is applied to the original query and will therefore change the answer section. In cases where the final answer is determined from the RPZ rule(s), the RPZ zone SOA is included in the authority section.

When the Caching DNS server is configured to use RPZ, it queries the Authoritative DNS server to look up the RPZ rules. The Caching DNS server formulates the correct query name, interprets the query response as an RPZ rule, and applies the rule to the client query. If the RPZ rule causes the Caching DNS server to rewrite the client response, this data is cached to make future lookups faster. The Caching DNS server RPZ configuration determines which RPZ trigger should be used. In addition, RPZ overrides can be configured on the Caching DNS server. This enables the Caching DNS server to override the RPZ action returned by the Authoritative DNS server.
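The DNS firewall rule evaluation described at the start of this section (priority order, ACL plus domain list, and the special case that redirect-nxdomain only acts once regular resolution has produced NXDOMAIN) can be made concrete with a small model. The following Python is an added illustration written for this page, not Cisco Prime Network Registrar code or its rule syntax: the rule field names, the sample rules, the client addresses, and the stand-in resolver are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(order=True)
class FirewallRule:
    """One DNS firewall rule: priority, ACL, action, domain list.
    Field names are assumptions for this illustration, not product attributes."""
    priority: int
    action: str = field(compare=False)         # drop | refuse | redirect | redirect-nxdomain
    acl: List[str] = field(compare=False)      # client networks the rule applies to
    domains: List[str] = field(compare=False)  # each entry covers the name and its subdomains
    target: Optional[str] = field(default=None, compare=False)  # redirect address


def rule_matches(rule, client_ip, qname):
    """A rule matches when the client is permitted by its ACL and the
    query name is one of its domains or a subdomain of one."""
    client = ipaddress.ip_address(client_ip)
    name = qname.strip(".").lower()
    in_acl = any(client in ipaddress.ip_network(net) for net in rule.acl)
    in_domains = any(name == d or name.endswith("." + d) for d in rule.domains)
    return in_acl and in_domains


def first_matching_rule(rules, client_ip, qname, nxdomain_phase):
    """Walk the rules in priority order. redirect-nxdomain rules are only
    considered after regular resolution has returned NXDOMAIN; every other
    action is decided before regular resolution."""
    for rule in sorted(rules):  # order=True sorts on priority only
        if (rule.action == "redirect-nxdomain") != nxdomain_phase:
            continue
        if rule_matches(rule, client_ip, qname):
            return rule
    return None


def answer_query(rules, client_ip, qname, resolve):
    """Return (rcode, answers) for one client query. `resolve` stands in
    for regular query processing, including forwarders and exceptions,
    which the firewall actions below take precedence over."""
    rule = first_matching_rule(rules, client_ip, qname, nxdomain_phase=False)
    if rule is not None:
        if rule.action == "drop":
            return ("DROP", [])  # no response is sent at all
        if rule.action == "refuse":
            return ("REFUSED", [])
        if rule.action == "redirect":
            return ("NOERROR", [rule.target])
    rcode, answers = resolve(qname)
    if rcode == "NXDOMAIN":
        rule = first_matching_rule(rules, client_ip, qname, nxdomain_phase=True)
        if rule is not None:
            return ("NOERROR", [rule.target])
    return (rcode, answers)


# Constructed sample rules, deliberately listed out of priority order.
SAMPLE_RULES = [
    FirewallRule(30, "redirect-nxdomain", ["0.0.0.0/0"], ["example.com"], "10.0.0.80"),
    FirewallRule(10, "refuse", ["192.0.2.0/24"], ["c2.example.net"]),
    FirewallRule(20, "redirect", ["0.0.0.0/0"], ["c2.example.net", "phish.example.org"], "10.0.0.53"),
    FirewallRule(5, "drop", ["0.0.0.0/0"], ["exfil.example.net"]),
]


def sample_resolver(qname):
    """Constructed stand-in for regular resolution: one known name, else NXDOMAIN."""
    known = {"www.example.com": ("NOERROR", ["198.51.100.10"])}
    return known.get(qname.strip(".").lower(), ("NXDOMAIN", []))


if __name__ == "__main__":
    for client, name in [("192.0.2.5", "c2.example.net"), ("203.0.113.9", "c2.example.net"),
                         ("203.0.113.9", "www.example.com"), ("203.0.113.9", "typo.example.com")]:
        print(client, name, "->", answer_query(SAMPLE_RULES, client, name, sample_resolver))
```

The two calls for c2.example.net show why priority and ACL both matter: a client inside 192.0.2.0/24 hits the priority-10 Refuse rule first, while any other client falls through to the priority-20 Redirect rule. The redirect-nxdomain rule for example.com never touches www.example.com, which resolves normally, but rewrites typo.example.com once regular resolution has returned NXDOMAIN.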
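The RPZ label forms the section describes (the query name under the RPZ zone, the rpz-ip, rpz-nsdname and rpz-nsip labels that are not real subdomains) and the step where the Caching DNS server "formulates the correct query name" and "interprets the query response as an RPZ rule" are easier to follow with the encoding written out. The following Python is an added illustration for this page, not Cisco Prime Network Registrar code: the zone name rpz.example.net, the sample RPZ records, and the addresses are constructed assumptions. The CNAME encodings of the actions (".", "*.", "rpz-drop.", "rpz-passthru.") and the reversed-address form of rpz-ip owners follow the common RPZ convention rather than anything stated on this page.

```python
import ipaddress

# Assumed name of the separate RPZ forward zone on the Authoritative DNS
# server (a constructed example, not a name taken from the page).
RPZ_ZONE = "rpz.example.net"

# Constructed sample RPZ zone contents: owner name -> (rrtype, rdata).
# Actions are carried as CNAME targets: "." means NXDOMAIN, "*." means
# NODATA, "rpz-drop." drops the query, "rpz-passthru." exempts it; an
# A/AAAA record redirects the client to that address.
SAMPLE_RPZ_RRS = {
    # query-name trigger: the blocked name followed by the RPZ zone name
    "malware.example.com.rpz.example.net": ("CNAME", "."),
    "*.tracker.example.com.rpz.example.net": ("CNAME", "*."),
    "phish.example.org.rpz.example.net": ("A", "10.0.0.53"),
    # ip-answers trigger: <prefixlen>.<reversed octets>.rpz-ip.<zone>
    "32.9.0.0.192.rpz-ip.rpz.example.net": ("CNAME", "."),              # 192.0.0.9/32
    "24.0.2.0.192.rpz-ip.rpz.example.net": ("CNAME", "rpz-passthru."),  # 192.0.2.0/24
    # ns-name trigger: the name server's name under the rpz-nsdname label
    "ns1.evil-dns.example.rpz-nsdname.rpz.example.net": ("CNAME", "rpz-drop."),
    # ns-ip trigger, IPv6 form: reversed groups with "::" written as "zz"
    "128.1.zz.db8.2001.rpz-nsip.rpz.example.net": ("CNAME", "."),       # 2001:db8::1/128
}


def interpret_action(rrtype, rdata):
    """Map the RR found at a trigger name to (action, redirect target)."""
    if rrtype in ("A", "AAAA"):
        return ("REDIRECT", rdata)
    encoded = {".": "NXDOMAIN", "*.": "NODATA",
               "rpz-drop.": "DROP", "rpz-passthru.": "PASSTHRU"}
    if rrtype == "CNAME":
        # a CNAME to any other name is a redirect to that name
        return (encoded.get(rdata, "REDIRECT"), None if rdata in encoded else rdata)
    raise ValueError(f"unsupported RPZ record type {rrtype}")


def encode_ip_trigger(network, label, zone=RPZ_ZONE):
    """Build the owner name of an rpz-ip / rpz-nsip rule covering `network`."""
    net = ipaddress.ip_network(network, strict=False)
    addr = net.network_address
    if net.version == 4:
        groups = str(addr).split(".")
    else:
        # RFC 5952 compressed form, with the "::" run written as one "zz" label
        groups = addr.compressed.replace("::", ":zz:").strip(":").split(":")
    return f"{net.prefixlen}." + ".".join(reversed(groups)) + f".{label}.{zone}"


def _lookup_name(name, suffix, rrs):
    """Exact owner first, then RPZ wildcard owners (*.parent) for subdomains."""
    labels = name.strip(".").lower().split(".")
    exact = ".".join(labels) + "." + suffix
    if exact in rrs:
        return interpret_action(*rrs[exact])
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:]) + "." + suffix
        if wild in rrs:
            return interpret_action(*rrs[wild])
    return None


def apply_qname_rule(qname, rrs=SAMPLE_RPZ_RRS, zone=RPZ_ZONE):
    """query-name trigger: the resolver looks up <qname>.<zone>."""
    return _lookup_name(qname, zone, rrs)


def apply_nsdname_rule(nsname, rrs=SAMPLE_RPZ_RRS, zone=RPZ_ZONE):
    """ns-name trigger: the resolver looks up <nsname>.rpz-nsdname.<zone>."""
    return _lookup_name(nsname, "rpz-nsdname." + zone, rrs)


def apply_ip_rule(address, label, rrs=SAMPLE_RPZ_RRS, zone=RPZ_ZONE):
    """ip-answers (rpz-ip) or ns-ip (rpz-nsip) trigger, longest prefix wins."""
    addr = ipaddress.ip_address(address)
    for plen in range(addr.max_prefixlen, -1, -1):
        owner = encode_ip_trigger(f"{addr}/{plen}", label, zone)
        if owner in rrs:
            return interpret_action(*rrs[owner])
    return None


if __name__ == "__main__":
    print(apply_qname_rule("malware.example.com"))
    print(apply_ip_rule("192.0.2.7", "rpz-ip"))
    print(apply_nsdname_rule("ns1.evil-dns.example"))
```

The query-name trigger is applied before regular resolution, which is why it only needs the client's question; the rpz-ip, rpz-nsdname and rpz-nsip lookups need data that regular resolution produces (answer addresses, the delegation's name servers and their addresses), which is the "during or after" case from the text and why they change the answer section of the original query.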