How to implement DNS RPZ with Domain Based Reputation Data

Mukund Sivaraman muks at isc.org
Sun Apr 29 03:08:24 UTC 2018


On Sun, Apr 29, 2018 at 08:27:34AM +0530, Blason R wrote:
>  Hi Team,
> Can someone please confirm if below stuff I found pertaining to BIND can be
> implemented with DNS RPZ? If yes can someone please point me to the
> appropriate document?
> Domain Based Reputational Data
> 
> With the release of BIND 9.8.1 a *new* reputational mechanism is available,
> this time for use by DNS resolvers. An organisation is able to receive a
> reputational data feed describing internet domains that have a 'poor'
> reputation. A poor reputation is usually based on the delivery of malware,
> or other forms of nefarious internet activity.
> 
> The ISC have provided an efficient standardised mechanism for the use of
> reputational data by recursive DNS resolvers and have left the provision of
> the reputational data itself to professional organisations that specialize
> in this type of information. Additionally, the response that shall be given
> to a client attempting to resolve a domain which is listed amongst those
> with a 'poor' reputation is left to the local organisation to decide.

This is basically RPZ. "reputational data feed" is basically a response
policy zone. There are feed providers such as Spamhaus, Farsight
Security, etc. E.g., see this:

https://www.spamhaus.org/news/article/669

		Mukund
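
The following is an added example, not part of the original message and not ISC's or any feed provider's own configuration: a `named.conf` fragment showing a locally maintained policy zone alongside a feed received as a secondary zone, with the response chosen locally. The zone names, the address 192.0.2.53, the key name, the file names and the sample domains are all placeholders assumed for illustration.

```conf
// named.conf fragment for a recursive resolver (constructed example).
// Zone names, 192.0.2.53, the key name and file names are placeholders.

key "rpz-feed-key" {                       // TSIG key issued by the feed provider
    algorithm hmac-sha256;
    secret "REPLACE_WITH_PROVIDER_SECRET"; // placeholder, not a real secret
};
server 192.0.2.53 { keys { "rpz-feed-key"; }; };   // sign transfers from the feed

options {
    recursion yes;
    response-policy {
        zone "rpz.local.example";                  // local entries, checked first
        zone "rpz.feed.example" policy nxdomain;   // local decision: override the
    };                                             // feed's actions with NXDOMAIN
};

zone "rpz.local.example" {
    type master;
    file "db.rpz.local.example";
    allow-query { localhost; };      // do not let clients read the policy itself
    allow-transfer { none; };
};

zone "rpz.feed.example" {
    type slave;                      // the feed arrives as an ordinary zone transfer
    masters { 192.0.2.53; };
    file "db.rpz.feed.example";
    allow-query { localhost; };
    allow-transfer { none; };
};

/* db.rpz.local.example (zone file; sample names are constructed):

$TTL 300
@   IN SOA localhost. hostmaster.localhost. 1 3600 600 86400 300
@   IN NS  localhost.
allowed.example.com     CNAME rpz-passthru.   ; exempt from later policy zones
malware.example.net     CNAME .               ; NXDOMAIN
*.malware.example.net   CNAME .               ; NXDOMAIN for all subdomains
tracker.example.org     CNAME *.              ; NODATA
phish.example.org       A     192.0.2.80      ; local data: walled-garden host
*/
```

Running `named-checkconf` on the edited configuration before reloading catches syntax errors in the `response-policy` and zone statements.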

