Data exfiltration using DNS RPZ

Vadim Pavlov pvm_job at
Sun Jun 17 16:46:38 UTC 2018


RPZ is just a simple feature to block/log/redirect DNS requests. It doesn't analyse DNS requests & responses or client behaviour.
So RPZ can block a domain which is used for DNS Exfil/Infil/Tunneling, but to detect Exfiltration you should use 3rd party tools/software (e.g. Infoblox Threat Insight).
+ do not forget that "qname-wait-recurse" should be switched off, and an RPZ with such domains must come before (e.g. first) in order any zone which contains IP/NS-based rules.

> On 17 Jun 2018, at 08:43, Blason R <blason16 at> wrote:
> Hi Team,
> Can someone please guide if DNS exfiltration techniques can be identified using DNS RPZ? Or do I need to install any other third party tool like IDS to identify the DNS beacon channels.
> Has anyone used DNS RPZ to block/detect data exfiltration?
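To make the two configuration points in Vadim's reply concrete (qname-wait-recurse switched off, QNAME-rule zone ordered before any IP/NS-rule zone), here is an added named.conf fragment; it is not from the thread or from BIND's documentation, and the zone names and file paths are assumed placeholders.

```conf
// named.conf fragment (added example, not from the thread).
// Zone names and file paths are placeholders.
options {
    // ... existing options ...
    response-policy {
        // QNAME-based rules first: they match on the query name itself, so
        // with qname-wait-recurse off BIND answers from policy before the
        // query (and any data encoded in its labels) is sent upstream.
        zone "rpz.qname.local" policy given log yes;
        // IP / NSDNAME / NSIP rules need the recursion result, so a zone
        // holding them must come after the QNAME zone in this list.
        zone "rpz.ip-ns.local" policy given log yes;
    } qname-wait-recurse no;
};

zone "rpz.qname.local" {
    type master;
    file "/etc/bind/rpz.qname.local.db";
    allow-query { localhost; };   // policy zones are not for public queries
};

zone "rpz.ip-ns.local" {
    type master;
    file "/etc/bind/rpz.ip-ns.local.db";
    allow-query { localhost; };
};
```

The QNAME zone file then holds ordinary RPZ records for the tunnelling domain and everything under it, e.g. `exfil-c2.example CNAME .` and `*.exfil-c2.example CNAME .` (placeholder domain) to return NXDOMAIN, and `log yes` makes every hit visible in the RPZ log channel even though, as Vadim notes, RPZ itself does no detection.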
