
After delivering several presentations at Cisco Live and Cisco Connect this year, I received a few questions regarding DNS Response Policy Zones (RPZ) and how can they be used to block DNS resolution to known malicious hosts and sites. I decided to write this short post to explain what it is and provide several pointers.

DNS RPZ is a technology developed by ISC and available since BIND version 9.8. Network administrators can use DNS RPZ to stop malware-infected hosts from reaching their command and control (C&C) servers by blocking DNS resolution to known malicious hosts and sites. This effectively turns a recursive DNS server into a DNS firewall; in fact, many people refer to DNS RPZ as the “DNS Firewall.” Various ISPs are testing and implementing it to provide additional protection to their customers.

Note: DNS RPZ only blocks DNS resolution; machines that connect to the C&C server directly by IP address will not be blocked.

The following figure provides an overview of how DNS RPZ works.

[Figure: RPZ overview]

In this figure, a client performs a few DNS queries. It first queries for a good domain (example.com) and the corporate server receives the normal DNS response from the upstream DNS server. This client also queries for a malicious domain (malicious-domain.com) and also for a domain called someotherwebsite.com. Enterprises can have their own (local) DNS RPZ to block any other domains/websites that are not allowed because of corporate policies. In this example the corporate DNS server has a local RPZ configured to block “someotherwebsite.com” and it also receives information about “malicious-domain.com” from the external DNS RPZ. There are organizations such as Spamhaus.org and SURBL that provide RPZ services that organizations can subscribe to.

Note: DNS zone transfers can be full transfers (AXFR) and incremental (IXFR). AXFR zone transfers are defined in RFC 5936 and IXFR is defined in RFC 1995.

The “reputation-based” zones, via RPZ responses, send back either a nonexistent domain (NXDOMAIN) answer or a pointer to a “walled garden” where you can direct the user to clean up their workstation or to follow any other specific instructions.

Note: A good friend, Jaeson Schultz, wrote an article titled “Error Correction Using Response Policy Zones: Eliminating the Problem of Bitsquatting” where he explained how to use DNS RPZ to protect against the bitsquatting threat by creating a list of host and domain names that are critical in your environment.

How is DNS RPZ configured?

As previously mentioned, you can configure local RPZ zones or subscribe to external providers. If more than one RPZ zone is configured, they are checked in the order they are entered. Consequently, if you want your own (local) RPZ rules to be checked first, make sure that you list yours before the external RPZ entries.

ISC has several resources that guide you on how to configure DNS RPZ at:
https://deepthought.isc.org/article/AA-00525/0/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html

The following document by Vernon Schryver and Paul Vixie also explains how DNS RPZ is configured:
https://deepthought.isc.org/getAttach/22/AA-00512/rpz.pdf

The following are some of the highlights and example configurations from the specification.

You can create a local DNS “walled garden” for a malicious domain and its sub-domains, as follows:

malicious-domain.com CNAME mywalled-garden.example.com.
*.malicious-domain.com CNAME mywalled-garden.example.com.

To configure the RPZ to return NXDOMAIN use the following:

malicious-domain.com CNAME .
*.malicious-domain.com CNAME .

You can also create walled-gardens specifically for mail as follows:

malicious-domain.com MX 0 mywalledgarden-mail.example.com.
malicious-domain.com A 10.1.1.123
*.malicious-domain.com MX 0 mywalledgarden-mail.example.com.
*.malicious-domain.com A 10.1.1.123
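The following Python script is an added example, not code from the original post or from ISC BIND. It parses RPZ-style CNAME policy records such as the ones above and simulates how a resolver applies them: an exact owner name beats a wildcard, zones are consulted in the order they are listed, and the first zone with a matching trigger decides (which is why the local zone must come before the external feed, as noted earlier). It goes slightly beyond the records shown on this page by also modelling the NODATA (CNAME *.) and passthru (CNAME rpz-passthru.) actions from the RPZ specification; the zone contents, the upstream answers and the domain partner-site.example are all constructed for the illustration.

```python
"""Simulate how a recursive resolver applies DNS RPZ policy zones.

Added example; not code from the original post or from ISC BIND. It models
only the QNAME trigger and these actions from the RPZ format:
  CNAME .              -> NXDOMAIN
  CNAME *.             -> NODATA (empty answer)
  CNAME rpz-passthru.  -> resolve normally (no policy applied)
  CNAME <hostname>.    -> walled garden (answer rewritten to <hostname>)
All zone data and upstream answers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed local RPZ (corporate policy). The passthru entry whitelists a
# domain the external feed lists; it only works if this zone is checked first.
LOCAL_RPZ = """
someotherwebsite.com     CNAME .
*.someotherwebsite.com   CNAME .
partner-site.example     CNAME rpz-passthru.
"""

# Constructed external RPZ, standing in for a subscribed reputation feed.
EXTERNAL_RPZ = """
malicious-domain.com     CNAME mywalled-garden.example.com.
*.malicious-domain.com   CNAME mywalled-garden.example.com.
partner-site.example     CNAME .
"""

# Constructed upstream answers (RFC 5737 documentation addresses).
UPSTREAM = {
    "example.com": "192.0.2.10",
    "partner-site.example": "192.0.2.20",
    "malicious-domain.com": "192.0.2.66",
    "c2.malicious-domain.com": "192.0.2.67",
    "someotherwebsite.com": "192.0.2.30",
}


@dataclass
class Action:
    kind: str                     # NXDOMAIN, NODATA, PASSTHRU or WALLED_GARDEN
    target: Optional[str] = None  # walled-garden hostname, if any


def parse_rpz(text: str) -> Dict[str, Action]:
    """Parse '<owner> CNAME <target>' records into a lookup table."""
    rules: Dict[str, Action] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, rtype, target = line.split()
        if rtype.upper() != "CNAME":
            raise ValueError(f"only CNAME policy records are modelled: {raw!r}")
        owner = owner.lower().rstrip(".")
        if target == ".":
            rules[owner] = Action("NXDOMAIN")
        elif target == "*.":
            rules[owner] = Action("NODATA")
        elif target.lower() == "rpz-passthru.":
            rules[owner] = Action("PASSTHRU")
        else:
            rules[owner] = Action("WALLED_GARDEN", target.lower().rstrip("."))
    return rules


def match_zone(rules: Dict[str, Action], qname: str) -> Optional[Action]:
    """Return the policy for qname within one zone, or None if it has no trigger.

    An exact owner name wins over a wildcard; wildcards are tried from the
    closest enclosing name outward, so '*.malicious-domain.com' also covers
    'a.b.malicious-domain.com'.
    """
    qname = qname.lower().rstrip(".")
    if qname in rules:
        return rules[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return None


def resolve(qname: str, zones: List[Dict[str, Action]],
            upstream: Dict[str, str] = UPSTREAM) -> Tuple[str, Optional[str]]:
    """Apply the policy zones in order; the first zone with a trigger decides.

    Returns (status, answer): status is NOERROR, NXDOMAIN, NODATA or
    WALLED_GARDEN; answer is the upstream address, the walled-garden host, or None.
    """
    for zone in zones:
        action = match_zone(zone, qname)
        if action is None:
            continue                                   # no trigger here, try the next zone
        if action.kind == "PASSTHRU":
            break                                      # explicit "resolve normally"
        if action.kind == "WALLED_GARDEN":
            return ("WALLED_GARDEN", action.target)
        return (action.kind, None)                     # NXDOMAIN or NODATA
    return ("NOERROR", upstream.get(qname.lower().rstrip(".")))


if __name__ == "__main__":
    zones = [parse_rpz(LOCAL_RPZ), parse_rpz(EXTERNAL_RPZ)]   # local zone first
    for name in ("example.com", "malicious-domain.com", "c2.malicious-domain.com",
                 "someotherwebsite.com", "partner-site.example"):
        print(f"{name:28} -> {resolve(name, zones)}")
    # Reversing the order lets the feed's NXDOMAIN beat the local passthru.
    print("reversed order:", resolve("partner-site.example", zones[::-1]))
```

Running the script shows the good domain resolving normally, the malicious domain and its subdomains redirected to the walled garden, the locally blocked site answered with NXDOMAIN, and the passthru entry only taking effect when the local zone is listed before the external one.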

In summary, DNS RPZ is one of the many tools you can use to defend your infrastructure by blocking DNS resolution to known malicious hosts and sites. Cyber criminals and miscreants carry out malicious activities ranging from disrupting service to actively seeking financial gain. The impact on victims and organizations ranges from loss of productivity, and sometimes loss of revenue, to theft of sensitive information such as credit card numbers, social security numbers, PIN codes, and intellectual property. Organizations must keep up with the latest trends in cyber security and learn how to use the different mitigation techniques as a Swiss Army knife to protect against such threats.



Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations