Integrate Blacklisting in your Own DNS Server

Keep Out!When you are connected to a network (Internet or private), your TCP/IP stack must know which DNS server(s) use to resolve host names into IP addresses.

For a while, publicly alternative DNS servers – like OpenDNS or Google DNS – implemented a blacklist protection mechanism. If a domain is suspected of delivering malicious content such as malwares, those services redirect you to special warning pages or alternative sites. This action is performed at DNS level. Basically, it’s a good initiative but some problems may arise.

First, DNS is a critical service on your network. Can you really trust an external server? By using an external DNS server, you allow 3rd parties to redirect your traffic to unwanted servers. Second, in a corporate environment, it is normally not permitted to use external DNS servers. Finally, you maybe don’t need a full bullet-proof blacklist but you just need a quick way to block malicious or unwanted sites.

Why not implement a home-made solution? If you operate your own DNS servers, ISC announced a solution for you: DNS RPZ or “Response Policy Zone“. How does it work? If you maintain a Bind server  to perform recursive queries, it may be configured with a rule to forbid specific domain name (it won’t resolve them). The goal is to link your DNS with a good reputation provider which will provide the rules. The support of RPZ is provided for Bind 9 via a patch. Once patched, your Bind will recognize the new option called “response-policy”:

    options {
        // Enable RPZ
        response-policy { zone ""; };

Honestly, if you get Response Policy Zones from an external partner, you don’t solve the trust issue explained above, you just moved it! But those zones are transferred like any zone using standard protocols (AXFR). It could be possible to review them.

RPZ is not a brand new blacklist technology. To prevent users to visit some sites for multiple reasons (corporate policy, malware protection, children protection, …), two methods are used: at application level (via a proxy + content filtering) or at DNS level. RPZ can be an interesting in this case with a reduced time to implement a new blacklist entries. It will also consume less resources.

Finally, don’t forget that RPZ could be used at the 8st layer of the ISO model: the “political layer“. Censorship could easily occur with RPZ implemented in ISP’s or Government name servers!