Closing the loop with Response Policy Zones
Response policy zones (RPZs) provide an invaluable mechanism for closing the loop when malicious domain names are identified in Passive DNS data. RPZs are DNS zones whose contents are interpreted as rules. Those rules typically say things such as, “If anyone tries to look up A records for this domain name, return an error saying that domain name doesn’t exist.” Because RPZs are simply zones, they can be transferred around the Internet quickly and efficiently, and the policies they contain promptly enforced. Organizations that analyze Passive DNS data to identify malicious domain names can construct rules blocking resolution of those names and distribute them to subscribers around the Internet.
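To make the "zone whose contents are rules" idea concrete, here is an added example (not code from the article or from Farsight/Infoblox) that renders a small RPZ from domain names a Passive DNS analysis flagged, and then evaluates what a resolver that has loaded that zone would do with a given query name. The zone name `rpz.example`, the flagged domains and the exemption are constructed for illustration; the encoding of actions follows the RPZ convention, where the record data of the trigger name carries the action (`CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, `CNAME rpz-passthru.` to exempt a name). A BIND resolver would load the resulting file with `response-policy { zone "rpz.example"; };` in `named.conf`; the matching logic here is a simplified model of QNAME triggers, not BIND's own implementation.

```python
"""Build an RPZ zone from flagged domain names and model how a resolver
applies it. Added example; names and zone are constructed, not real."""
from dataclasses import dataclass
from typing import Iterable, Optional

# RPZ encodes the action in the CNAME target of the trigger name.
ACTIONS = {
    "nxdomain": ".",             # CNAME .             -> answer NXDOMAIN
    "nodata":   "*.",            # CNAME *.            -> answer NODATA
    "passthru": "rpz-passthru.", # CNAME rpz-passthru. -> exempt from policy
}


@dataclass(frozen=True)
class RpzRule:
    trigger: str   # QNAME trigger, relative to the zone: "bad.example" or "*.bad.example"
    action: str    # one of ACTIONS


def _norm(name: str) -> str:
    """DNS names are case-insensitive; drop any trailing dot for comparison."""
    return name.rstrip(".").lower()


def build_rpz_zone(zone: str, rules: Iterable[RpzRule], serial: int = 1) -> str:
    """Render rules as a BIND-style zone file. Because an RPZ is an ordinary
    zone, bumping the SOA serial is what lets subscribing resolvers pull the
    updated policy via NOTIFY plus IXFR/AXFR."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA ns.{zone}. hostmaster.{zone}. {serial} 3600 900 2592000 300",
        f"@ IN NS ns.{zone}.",
    ]
    for rule in rules:
        lines.append(f"{rule.trigger} IN CNAME {ACTIONS[rule.action]}")
    return "\n".join(lines) + "\n"


def match_rule(qname: str, rules: Iterable[RpzRule]) -> Optional[RpzRule]:
    """Select the QNAME trigger that applies to qname. An exact trigger matches
    the name itself; a '*.X' trigger matches any name strictly below X. When
    several apply, the most specific wins (more labels, exact before wildcard)."""
    q = _norm(qname)
    best, best_key = None, None
    for rule in rules:
        t = _norm(rule.trigger)
        if t.startswith("*."):
            suffix = t[2:]
            if q == suffix or not q.endswith("." + suffix):
                continue
            key = (suffix.count(".") + 1, 0)   # label count, wildcard ranks below exact
        else:
            if q != t:
                continue
            key = (t.count(".") + 1, 1)
        if best_key is None or key > best_key:
            best, best_key = rule, key
    return best


def resolve(qname: str, rules: Iterable[RpzRule]) -> str:
    """Return the policy outcome for a query: PASS (answer normally),
    NXDOMAIN or NODATA."""
    rule = match_rule(qname, rules)
    if rule is None or rule.action == "passthru":
        return "PASS"
    return rule.action.upper()


# Constructed sample: names a Passive DNS analysis flagged, plus one exemption.
FLAGGED = [
    RpzRule("malware.example.com", "nxdomain"),
    RpzRule("*.malware.example.com", "nxdomain"),  # block every subdomain as well
    RpzRule("tracker.example.net", "nodata"),
    RpzRule("ok.malware.example.com", "passthru"), # known-good host under a blocked parent
]

if __name__ == "__main__":
    print(build_rpz_zone("rpz.example", FLAGGED, serial=2024010101))
    for name in ("malware.example.com", "c2.malware.example.com",
                 "ok.malware.example.com", "www.example.com"):
        print(f"{name:28} -> {resolve(name, FLAGGED)}")
```

The wildcard rule is what makes a feed scale: one `*.malware.example.com` line covers every throwaway hostname under the flagged parent, while the `rpz-passthru.` entry shows how a subscriber can carve out a known-good name without editing the upstream feed. Since the exact trigger outranks the wildcard, the exemption wins for that one host and the block still applies to its siblings.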
If you’re interested in contributing Passive DNS data from your recursive name servers, Farsight provides information on how to participate, including a step-by-step guide to setting up a Passive DNS sensor. You can also add RPZ feeds based on the analysis of Passive DNS data to help block the resolution of malicious domain names within your organization.
Cricket Liu is Infoblox's Chief DNS Architect and a Senior Fellow. He works with Infoblox customers to ensure their DNS implementations are robust and secure. He is a co-author of "DNS and BIND," one of the best-known books on the DNS.