Learn the difference between Response Policy Zones (RPZs) and the Securd DNS Firewall & Web Filtering.
What is a Response Policy Zone (RPZ)?
DNS Response Policy Zones (RPZ) were invented at ISC and first implemented in the BIND DNS server. RPZ is an open, vendor-neutral specification for distributing DNS firewall policy as ordinary DNS zone data, so a policy zone can be published, transferred and updated like any other zone. RPZs let security administrators alter the answers a recursive DNS server returns, in near real time as the policy zone changes. Depending on the rule, a query can be answered with NXDOMAIN or NODATA, dropped, exempted from policy, or redirected to a local host, commonly a "walled garden" page that tells the user why the site was blocked.
DNS RPZ works with triggers and actions. Each record in the policy zone is a rule: the owner name is the trigger and the record data is the action. For example, an RPZ rule that redirects a phishing domain to a walled-garden host looks like this (note the trailing dot, so the target is not treated as relative to the policy zone's origin):
phishing.evil.com IN CNAME block.local.
When the server processes a query, it checks the query name (and, for the other trigger types, the addresses and name servers in the answer) against the triggers in the policy zone. The rules are not scanned line by line: the server looks up the most specific matching trigger, with an exact name taking precedence over a wildcard entry such as *.evil.com. If a trigger matches, its action is applied to the response. Otherwise the query is resolved and answered normally.
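The trigger/action model above, as an added example written for this page rather than code from ISC or BIND. It implements the QNAME-trigger subset of RPZ: it parses a small policy zone (constructed here, with placeholder domain names) whose records use the CNAME targets the RPZ specification reserves for NXDOMAIN (`.`), NODATA (`*.`), PASSTHRU (`rpz-passthru.`) and DROP (`rpz-drop.`), treats any other target as walled-garden local data, and resolves a query name using the longest-match rule, exact name before wildcard, closest wildcard first. The IP, NSDNAME and NSIP trigger types are not modelled.

```python
"""Minimal evaluator for the QNAME-trigger subset of DNS RPZ.

Added example, not code from the page or from ISC/BIND. The zone text
below is constructed for illustration and the domain names are
placeholders.
"""

# Constructed RPZ zone fragment (relative owner names, $ORIGIN omitted).
# Each line is one rule: <trigger> CNAME <action>.
RPZ_ZONE = """
phishing.evil.com   CNAME block.local.      ; walled garden (local data)
*.evil.com          CNAME .                 ; NXDOMAIN for every subdomain
safe.evil.com       CNAME rpz-passthru.     ; exact-name exemption
tracker.example     CNAME *.                ; NODATA
c2.badhost.test     CNAME rpz-drop.         ; silently drop the query
"""

# CNAME targets with special meaning in the RPZ specification.
SPECIAL_ACTIONS = {
    ".": "NXDOMAIN",              # name does not exist
    "*.": "NODATA",               # name exists, no records of that type
    "rpz-passthru.": "PASSTHRU",  # exempt from policy, resolve normally
    "rpz-drop.": "DROP",          # discard the query without answering
}


def parse_rpz(zone_text):
    """Return {trigger_name: cname_target} from a relative-name RPZ zone."""
    rules = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments, blanks
        if not line:
            continue
        owner, rrtype, target = line.split()
        if rrtype.upper() != "CNAME":
            raise ValueError(f"only CNAME rules are supported: {line}")
        rules[owner.lower().rstrip(".")] = target.lower()
    return rules


def _candidates(qname):
    """Trigger names that could match qname, most specific first.

    The exact name comes first, then wildcards from the closest parent
    outward ("*.a.b.c" before "*.b.c"). A wildcard never matches the
    bare parent name itself ("*.evil.com" does not match "evil.com").
    """
    labels = qname.lower().rstrip(".").split(".")
    yield ".".join(labels)
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])


def evaluate(rules, qname):
    """Apply the policy zone to a query name.

    Returns (action, data). action is NXDOMAIN, NODATA, PASSTHRU, DROP,
    LOCAL-DATA (walled-garden redirect) or NONE (no trigger matched).
    data is the walled-garden target for LOCAL-DATA, the matched trigger
    for the other policy actions, and None for NONE.
    """
    for trigger in _candidates(qname):
        if trigger in rules:
            target = rules[trigger]
            action = SPECIAL_ACTIONS.get(target)
            if action is None:
                return "LOCAL-DATA", target.rstrip(".")
            return action, trigger
    return "NONE", None


if __name__ == "__main__":
    policy = parse_rpz(RPZ_ZONE)
    for name in ("phishing.evil.com", "www.evil.com", "safe.evil.com",
                 "deep.safe.evil.com", "evil.com", "example.org"):
        print(f"{name:22} -> {evaluate(policy, name)}")
```

Two details are worth noticing. The exact-name PASSTHRU for `safe.evil.com` beats the `*.evil.com` wildcard only for that name; `deep.safe.evil.com` still falls under the wildcard and gets NXDOMAIN, so exempting a subtree needs its own `*.safe.evil.com` passthru rule. And a walled-garden rule only works for HTTPS sites if the browser accepts the redirect target's certificate, which is the problem described later on this page.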
RPZs Are Intended for Centralized Corporate Networks
RPZs are usually maintained on corporate DNS servers and security appliances to mitigate network threats: they block resolution of domains associated with phishing, malware, ransomware, and botnet command-and-control (C&C). In the past, a user would take a device off the network, come back to the site with it infected, and the RPZ on the internal resolver would help detect and contain the compromised device. As the modern network is decentralized and in the cloud, using internal DNS and RPZs for security brings a large set of operational challenges. The most significant one administrators face today is getting a remote endpoint to resolve through the DNS service that applies the RPZ, and delivering block pages without breaking the HTTPS experience for the end user: the walled-garden host cannot present a valid certificate for the blocked site's name, so the browser shows a certificate error instead of the block page.
RPZs Are Just Part of a DNS Firewall Solution
RPZs are a security feature of a DNS server, not a complete DNS firewall solution. Managing DNS filtering comes with a long list of challenges. To start, DNS is always changing: domains are registered and updated non-stop, and a static block list cannot keep up with the threats posed by modern malware. RPZs can only act on known indicators of compromise (IoCs), while today's threat environment requires controls that can spot and disrupt unknown malware. Secondly, a DNS firewall has to meet the needs of your business and security strategy, and as described below there are many issues to overcome and manage. When it comes to build vs. buy, a cloud-delivered DNS firewall vendor is without doubt the only way to go.
Building & Managing a DNS Firewall
In many cases, the economics and the resource strain on an IT or security department simply cannot justify the time and effort to build, deploy and manage a DNS firewall. If you have more than 50 endpoints to protect at your organization, taking this on is not recommended. Beyond licensing quality threat-intelligence RPZ feeds, which can become cost prohibitive, we've compiled a short list of issues you will have to overcome just to get started:
- DNS server sizing to handle millions of IoCs
- Managing performance impact of new IoCs
- Endpoint authorization and access control
- Management of security policies
- Host name/domain overrides, additions and removals
- Threat-intelligence and block list decay
- NAT IP and DNS target IP policy combinations
- Passive DNS logging
- Passive DNS log enrichment
- Off-network roaming endpoints, i.e. laptops
- Off-network endpoint protection
- URL blocking on “trusted” domains
- DNS query performance & response times
- End-user block-page notification
- HTTPS connection management