Categories
Useful Links
Blog Administration
RPZ Action
Sunday, April 5. 2015
The RPZ standard provides many actions, in response to when a trigger is activated. The triggers that are activated can be both from client requests, or the responses from the remote DNS Servers. The actions for these, determine what the requesting client receives back from the DNS Server they are querying. The DNS server can reply with No Domain, No Data for the Domain, Whitelist, and Rewrite record. For BIND 9, there are 2 more actions available Tar-pitting and Quench.
Continue reading "RPZ Action"
RPZ Triggers
Sunday, December 28. 2014
Triggers operate from least specific to most specific
QNAME Trigger
The most common method of triggering RPZ, will be the QNAME Trigger, which is a trigger based on the Domain Name of the requested site. The site can must match exactly except for wildcard matching, which will only replace one level of the domain address. The domain addresses would have the appended to the full address the name of the zone, such as www.domain.com.rpz.zone.
Examples of the domains that would be valid are:
| Domain | RPZ Entry | Matching DNS Query |
|---|---|---|
| www.domain.com | www.domain.com.rpz.zone. | www.domain.com |
| domain.com | domain.com.rpz.zone. | domain.com |
| *.domain.com | *.domain.com.rpz.zone. | www.domain.com subdomain.com |
Examples of the domains that would be invalid are:
| Domain | RPZ Entry | Matching DNS Query |
|---|---|---|
| www.*.com | none | no matching query |
| *sub*.domain.com | none | no matching query |
| www.domain.com | none | no matching query |
| *sub.domain.com | none | no matching query |
Request IP Trigger (rpz-ip)
RPZ can match the returned IP Address for a request from the DNS Server, this could allow for an exception, or to block a site that has many Domain names assigned such as a Virtualhosting company. Part of this format will include the prefix length for the network size, for IPv4 this is a mask between 0 to 32 and 0 to 128 for IPv6 addresses. For IPv6 addresses, you can remove many of the "00" grouping and replace them zz.
| IP Address | Prefix Map | RPZ Entry | Matching DNS Response |
|---|---|---|---|
| 192.168.32.1 | 32 | 32.1.32.168.192.rpz-ip | 192.168.32.1 |
| 192.168.31.3 | 31 | 31.3.31.168.192.rpz-ip | 192.168.31.3 192.168.31.4 |
| 2001:db8:0:1::57 | 128 | 128.57.zz.1.0.db8.2001.rpz-ip | 2001:db8:0:1::57 |
Client IP Trigger (rpz-client-ip)
RPZ may also match the clients IP Address and will process these, designed to block ddos amplifiers or zombied clients, this will complete an action for a specific client, without obeying triggers. This will in effect can prevent a client from resolving any addresses.
| IP Address | Prefix Map | RPZ Entry | Matching Client Address |
|---|---|---|---|
| 192.168.32.1 | 32 | 32.1.32.168.192.rpz-client-ip | 192.168.32.1 |
| 192.168.31.3 | 31 | 31.3.31.168.192.rpz-client-ip | 192.168.31.3 192.168.31.4 |
| 2001:db8:0:1::57 | 128 | 128.57.zz.1.0.db8.2001.rpz-client-ip | 2001:db8:0:1::57 |
Nameserver Domain Name (rpz-nsdname)
RPZ also can provide a method of operating against the hostname of a domain server, and taking an action for any query that comes from a specific DNS Server, and any domains that this server is authoritative for.
| Domain | RPZ Entry |
|---|---|
| ns1.domain.com | www.domain.com.rpz-nsdname |
Nameserver IP Address (rpz-nsip)
RPZ also provide a method of operating against an IP Address of a domain server, and taking an action for any query that comes from a specific DNS Server, and any domains that this server is authoritative for. (Please note in the example 8.8.8.8 is not authortative, so this entry will not work)
| Domain | RPZ Entry |
|---|---|
| 8.8.8.8 | 32.8.8.8.8.rpz-nsip |
Competition entry by David Cummins powered by Serendipity v1.0