BIND 9.8.1 is available and with it, a release-quality version of DNS Response Policy Zones (RPZ). As I explain in an earlier post, RPZ is a way to compose a special purpose zone file, a Response Policy Zone. In that zone you list domains that your organization's resolvers are forbidden to resolve.
Blacklist Provider Support
Several real-time black list service providers support RPZ including SURBL, Internet Identity, and SpamHaus. Your organization can use feed(s) from one of these organizations to compose your RPZ from trusted lists of maliciously registered domains.
DNS Firewall
Internet Systems Consortium (ISC) promotes RPZ as a DNS Firewall, an additional security widget within a network's existing security architecture. It complements the DNS filtering and content filtering that certain Internet firewalls and proxies support. A benefit from using RPZ is that your organization can prevent *any* connection from being made to potentially all hosts within a blocklisted domain (as opposed to specific URLs or listed hosts).
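To make the "all hosts within a blocklisted domain" point concrete, here is an added example of a minimal RPZ zone file (constructed for this post, not from ISC or the original article); the zone name, the listed domains and the sinkhole address are placeholders, and the named.conf statements that load it are shown in the leading comments.

```zone
; Constructed example RPZ zone file, e.g. /etc/bind/rpz.example.net.db
; Load it in named.conf with:
;   zone "rpz.example.net" { type master; file "rpz.example.net.db"; };
; and switch it on for the resolver inside the options block with:
;   response-policy { zone "rpz.example.net"; };
$TTL 300
@       IN SOA  localhost. hostmaster.example.net. (
                2011100901  ; serial (placeholder)
                3600        ; refresh
                600         ; retry
                604800      ; expire
                300 )       ; negative-cache TTL
        IN NS   localhost.

; NXDOMAIN action (CNAME .): the apex entry covers the domain itself and
; the wildcard entry covers every host under it (www., mail., anything).
bad.example             CNAME .
*.bad.example           CNAME .

; NODATA action (CNAME *.): the name resolves but no records are returned.
tracker.example         CNAME *.
*.tracker.example       CNAME *.

; Local-data action: answer with an internal "walled garden" address so
; users land on a notice page (192.0.2.10 is a documentation-range placeholder).
phish.example           A     192.0.2.10
*.phish.example         A     192.0.2.10
```

After loading, `named-checkzone rpz.example.net rpz.example.net.db` validates the file, and a query such as `dig @127.0.0.1 www.bad.example` from a client of the resolver should return NXDOMAIN while the same query sent to an outside resolver still resolves.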
ISC is hosting multiple webinars on 12 October 2011 to help DNS operators become more familiar with how to implement RPZ.
Are you wondering how RPZ relates to the recent and ongoing discussion about DNS filtering, notably Protect IP? The relationship is actually quite simple. RPZ is a mechanism you use to enforce a policy for a given administrative domain. In practice, when you make use of a mechanism like RPZ, your organization should act according to the principle of "Do no harm" and take every measure to see that the policy you enforce is appropriate for your organization and does not interfere with or harm users or organizations over which you have no administrative scope (see this post for details).