Response policy zone

Last updated
DNS response modification under policy restrictions Response policy zone (raster).png
DNS response modification under policy restrictions

A response policy zone (RPZ) is a mechanism to introduce a customized policy in Domain Name System servers, so that recursive resolvers return possibly modified results. By modifying a result, access to the corresponding host can be blocked.

Contents

Usage of an RPZ is based on DNS data feeds, known as zone transfer, from an RPZ provider to the deploying server. With respect to other blocklist methods, such as Google Safe Browsing, the actual blocklist is not managed, not even seen, by the client application. Web browsers, and any other client applications which connect to servers on the Internet, need the IP address of the server in order to open the connection. The local resolver is usually a system software which in turn puts the query to a recursive resolver, which often is located at the Internet service provider. If the latter server deploys RPZ, and either the queried name or the resulting address are in the blocklist, the response is modified so as to impede access.

History

The RPZ mechanism was developed by the Internet Systems Consortium led by Paul Vixie as a component of the BIND Domain Name Server (DNS). [1] It was first available in BIND release 9.8.1 released 2010, and first publicly announced at Black Hat in July, 2010. [2] It is also available in the Unbound software as of version 1.14.0. [3]

The RPZ mechanism is published as an open and vendor-neutral standard for the interchange of DNS Firewall configuration information, allowing other DNS resolution software to implement it. [4] [5]

RPZ was developed as a technology to combat the misuse of the DNS by groups and/or persons with malicious intent or other nefarious purposes. It follows on from the Mail Abuse Prevention System project which introduced reputation data as a mechanism for protecting against email spam. RPZ extends the use of reputation data into the Domain Name System.

Function

RPZ allows a DNS recursive resolver to choose specific actions to be performed for a number of collections of domain name data (zones).

For each zone, the DNS service may choose to perform full resolution (normal behaviour), or other actions, including declaring that the requested domain does not exist (technically, NXDOMAIN), or that the user should visit a different domain (technically, CNAME), amongst other potential actions.

As zone information can be obtained from external sources (via a zone transfer) this allows a DNS service to obtain information from an external organisation about domain information and then choose to handle that information in a non-standard manner.

Purpose

RPZ is essentially a filtering mechanism, either preventing people from visiting internet domains, or pointing them to other locations by manipulating the DNS answers in different ways.

RPZ provides the opportunity for DNS recursive resolver operators to be able to obtain reputational data from external organisations about domains that may be harmful, and then use that information to avoid harm coming to the computers that use the recursive resolver by preventing those computers from visiting the potentially harmful domains.

Mechanism and data

RPZ is a mechanism that needs data on which it is to respond.

Some Internet security organisations have offered data describing potentially dangerous domains early in the development of the RPZ mechanism. Others services also offer RPZ for specific domain categories (for example for adult content domains). A recursive resolver operator is also easily capable of defining their own domain name data (zones) to be used by RPZ.

Example of use

Consider that Alice uses a computer which uses a DNS service (recursive resolver) which is configured to use RPZ and has access to some source of zone data which lists domains that are believed to be dangerous.

Alice receives an email with a link that appears to resolve to some place that she trusts, and she wishes to click on the link. She does so, but the actual location is not the trusted source that she read but a dangerous location which is known to the DNS service.

As the DNS service realizes that the resulting web location is dangerous, instead of informing her computer how to get to it (unmodified response), it sends information which leads to a safe location. Depending on how the DNS service configures its policy actions, the modified response can be a fixed page on a web site which informs her of what has happened, or a DNS error code such as NXDOMAIN or NODATA, or send no response at all.

See also

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

BIND is a suite of software for interacting with the Domain Name System (DNS). Its most prominent component, named, performs both of the main DNS server roles, acting as an authoritative name server for DNS zones and as a recursive resolver in the network. As of 2015, it is the most widely used domain name server software, and is the de facto standard on Unix-like operating systems. Also contained in the suite are various administration tools such as nsupdate and dig, and a DNS resolver interface library.

Time to live (TTL) or hop limit is a mechanism which limits the lifespan or lifetime of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or timespan has elapsed, data is discarded or revalidated. In computer networking, TTL prevents a data packet from circulating indefinitely. In computing applications, TTL is commonly used to improve the performance and manage the caching of data.

A name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identification or addressing component. This service is performed by the server in response to a service protocol request.

Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information.

The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

In computer networking, localhost is a hostname that refers to the current computer used to access it. It is used to access the network services that are running on the host via the loopback network interface. Using the loopback interface bypasses any local network interface hardware.

DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to any computer that the attacker chooses.

<span class="mw-page-title-main">Open Root Server Network</span>

Open Root Server Network (ORSN) was a network of Domain Name System root nameservers for the Internet. ORSN DNS root zone information was kept in synchronization with the "official" Domain Name System root nameservers coordinated by ICANN. The networks were 100% compatible, though ORSN was operated independently. The ORSN servers were primarily placed in Europe. ORSN is also used by public name servers, providing Domain Name System access freely for everyone, without any limitation until the project closed in May 2019. ORSN was primarily started to reduce the over-dependence of Internet users on the United States and Department of Commerce/IANA/ICANN/VeriSign, limit the control over the Internet that this gives, while ensuring that domain names remain unambiguous. It also helps avoid the technical possibility of global "Internet shutdown" by one party. They also expect their network to make domain name resolutions faster for everyone.

This article presents a comparison of the features, platform support, and packaging of many independent implementations of Domain Name System (DNS) name server software.

The domain name .local is a special-use domain name reserved by the Internet Engineering Task Force (IETF) so that it may not be installed as a top-level domain in the Domain Name System (DNS) of the Internet. As such it is similar to the other special domain names, such as .localhost. However, .local has since been designated for use in link-local networking, in applications of multicast DNS (mDNS) and zero-configuration networking (zeroconf) so that DNS service may be established without local installations of conventional DNS infrastructure on local area networks.

dnsmasq Lightweight DNS and DHCP server software

dnsmasq is free software providing Domain Name System (DNS) caching, a Dynamic Host Configuration Protocol (DHCP) server, router advertisement and network boot features, intended for small computer networks.

Extension Mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol which had size restrictions that the Internet engineering community deemed too limited for increasing functionality of the protocol. The first set of extensions was published in 1999 by the Internet Engineering Task Force as RFC 2671, also known as EDNS0 which was updated by RFC 6891 in 2013 changing abbreviation slightly to EDNS(0).

<span class="mw-page-title-main">OpenDNS</span> Domain name system provided by Cisco using closed-source software

OpenDNS is an American company providing Domain Name System (DNS) resolution services—with features such as phishing protection, optional content filtering, and DNS lookup in its DNS servers—and a cloud computing security product suite, Umbrella, designed to protect enterprise customers from malware, botnets, phishing, and targeted online attacks. The OpenDNS Global Network processes an estimated 100 billion DNS queries daily from 85 million users through 25 data centers worldwide.

In computer networking, split-horizon DNS is the facility of a Domain Name System (DNS) implementation to provide different sets of DNS information, usually selected by the source address of the DNS request.

Google Public DNS is a Domain Name System (DNS) service offered to Internet users worldwide by Google. It functions as a recursive name server. Google Public DNS was announced on December 3, 2009, in an effort described as "making the web faster and more secure." As of 2018, it is the largest public DNS service in the world, handling over a trillion queries per day. Google Public DNS is not related to Google Cloud DNS, which is a DNS hosting service.

A start of authority record is a type of resource record in the Domain Name System (DNS) containing administrative information about the zone, especially regarding zone transfers. The SOA record format is specified in RFC 1035.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States.

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.

References

  1. Paul Vixie; Vernon Schryver (June 21, 2018). "History and Evolution". DNS Response Policy Zones (RPZ). IETF. sec. 10. I-D vixie-dnsop-dns-rpz.
  2. Andrew Fried; Victoria Risk (9 May 2017). "Tutorial on Configuring BIND to use Response Policy Zones (RPZ)" (PDF). Internet Systems Consortium.
  3. "Response Policy Zones". Unbound Docs. NLnet Labs.
  4. Paul Vixie; Vernon Schryver (December 2010). "DNS Response Policy Zones (DNS RPZ)". Internet Systems Consortium.
  5. "Draft-ietf-dnsop-DNS-RPZ-00 - DNS Response Policy Zones (RPZ)". Ietf Datatracker.