DNS Response Policy Zone (DNSRPZ).ppt

ssuser195cee 13 views 13 slides Mar 05, 2025

About This Presentation

DNS Response Policy Zone (DNSRPZ)


Slide Content

DNS Response Policy Zone
(DNSRPZ)
BIND’s New Security Feature: the "DNS Firewall"
Barry Raveendran Greene & Vernon Schryver
[email protected]
Version 1.1

Logistics
•This presentation can be downloaded from
the Webinar recording and from ISC’s
Knowledge Base:
http://deepthought.isc.org
•ISC updates, presentations, and materials
can be followed on:
Facebook - http://www.facebook.com/InternetSystemsConsortium
Twitter - ISCdotORG
Linkedin - http://www.linkedin.com/company/internet-systems-consortium
RSS via our Website

Our Goal – Take Back DNS
DNS works as well for the bad guys
(criminals, spammers, spies) as for
respectable citizens. The bad guys are
taking better advantage of DNS's resiliency
and distributed autonomy.
Something has got to be done!
ISC is acting:
Act I – Massive Passive DNS Deployment
Act II - DNSRPZ

Agenda
•The DNSRPZ Quick Talk
•Why do we need DNSRPZ?
•More Details
•DNSRPZ Providers

Gratitude
•Paul Vixie and Vernon Schryver for all the heavy
lifting to make DNSRPZ happen.
•ISC’s BIND Engineering Team – for integrating this
new feature so quickly.
•Eric Ziegast - my partner in explaining DNSRPZ to
people.
•For the new DNSRPZ Providers:
Simon Forster [email protected]
Arnie Bjorklund [email protected]
Rod Rasmussen [email protected]
•Johanna Mansor who helped put this together so
quickly.

DNSRPZ Quick Talk

DNS Response Policy Zone (DNS RPZ)
•DNS RPZ is policy information inside a specially
constructed DNS zone.
•This enables DNS reputation data producers and
consumers to cooperate in the application of such
policy to real-time DNS responses.
•DNS RPZ turns the recursive DNS server into a
security hammer …
Provides the same capabilities as an anti-spam DNSBL
(DNS Block List, née RBL) and RHSBL (Right Hand Side
Block List) …
… with greater degrees of scaling and speed.

Core DNS Principles
[Diagram: a Master/Primary DNS server feeds a Slave/Secondary DNS server by zone transfer (AXFR and IXFR, each protected by TSIG); a Caching Resolver DNS walks .root, .org, isc.org and sie.isc.org to answer a client.]
AXFR - Full Zone Transfers
IXFR - Incremental Zone Transfers
TSIG - Transaction SIGnature, used to secure the AXFR/IXFR
Client to caching resolver: "What is the IP for www.isc.org?"
Caching resolver to the authoritative servers: "Who is in charge of isc.org?"
Answer returned to the client: "www.isc.org is 149.20.64.42"

[Diagram: the same recursion (the Caching Resolver DNS querying .root, .org, isc.org and sie.isc.org for "What is the IP for www.isc.org?" and answering "www.isc.org is 149.20.64.42"), now with a DNS RPZ Master DNS server operated by a Security Company pushing the RPZ zone to the caching resolver by AXFR/IXFR.]
RPZ capability on the DNS Caching Resolver allows zone transfers to be pushed out in seconds.

DNS RPZ in Action
[Diagram: the Security Company uses its intel to find the badness (xyzbadness.com) and loads it into its Master DNS RPZ; the policy zone is pushed to the Caching Resolver DNS by AXFR/IXFR. A spam-infected computer looks up xyzbadness.com ("What is the IP for xyzbadness.com?"); the caching resolver, holding the RPZ zone, answers under the RPZ policy instead of returning the real address.]
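The lookup shown in the diagram above, as an added example that is not from the slides and not ISC's or BIND's code: a constructed RPZ zone is parsed and consulted for query names the way a resolver with `response-policy { zone "rpz.example.net"; };` in named.conf would consult the zone it received by AXFR/IXFR. The zone name rpz.example.net, the walled-garden address 192.0.2.80, and the names tracker.example.org, login-bank.example and ok.xyzbadness.com are assumptions; xyzbadness.com is the slides' example. The record encodings are those of the RPZ format: `CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, `CNAME rpz-passthru.` to exempt a name (an encoding from a later revision of the RPZ format than the BIND release this deck introduces), and any other record set as local data that replaces the real answer.

```python
"""RPZ QNAME-trigger evaluation over a constructed policy zone.

Added example, not code from the slides or from BIND.  The owner name of
each record in the policy zone is the domain being policed; the record's
target encodes the action the resolver takes instead of resolving.
"""
from typing import Dict, Optional, Tuple

Policy = Tuple[str, str]              # (rrtype, rdata) as found in the zone
Decision = Tuple[str, Optional[str]]  # (action, rdata for local data or None)

# Constructed RPZ zone, as a security provider might push it via AXFR/IXFR.
# The zone name, the walled-garden address and all names other than
# xyzbadness.com are assumptions made for this example.
RPZ_ZONE = """\
$ORIGIN rpz.example.net.
$TTL 300
@                   SOA  ns1.example.net. hostmaster.example.net. 2025030501 900 300 604800 300
@                   NS   ns1.example.net.
; NXDOMAIN: the spam domain from the slides, and everything under it
xyzbadness.com      CNAME .
*.xyzbadness.com    CNAME .
; exact name wins over the wildcard: keep one known-good host reachable
ok.xyzbadness.com   CNAME rpz-passthru.
; NODATA: the name exists but no records come back
tracker.example.org CNAME *.
; local data: send a phishing site to a walled-garden web server
login-bank.example  A     192.0.2.80
"""

_SKIP_TYPES = {"SOA", "NS"}  # zone apex housekeeping, not policy


def _absolute(name: str, origin: str) -> str:
    """Lower-case an owner name and make it absolute (no trailing dot)."""
    name = name.lower()
    if name == "@":
        return origin
    if not name.endswith("."):
        name = name + "." + origin if origin else name
    return name.rstrip(".")


def parse_rpz(zone_text: str) -> Dict[str, Policy]:
    """Map each policed domain (owner minus the RPZ origin) to its record."""
    origin = ""
    policies: Dict[str, Policy] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()     # strip comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower().rstrip(".")
            continue
        if fields[0] == "$TTL":
            continue
        owner = _absolute(fields[0], origin)
        rest = fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                           # optional TTL / class
        rrtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rrtype in _SKIP_TYPES:
            continue
        suffix = "." + origin
        if not owner.endswith(suffix):
            continue                              # not a policy record
        policies[owner[: -len(suffix)]] = (rrtype, rdata)
    return policies


def apply_policy(qname: str, policies: Dict[str, Policy]) -> Decision:
    """Decide what a resolver holding this RPZ answers for qname."""
    q = qname.lower().rstrip(".")
    labels = q.split(".")
    # Triggers, most specific first: the exact name, then a wildcard at each
    # ancestor.  "*.xyzbadness.com" matches hosts under the domain but not
    # xyzbadness.com itself, which is why the zone lists both forms.
    candidates = [q] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        hit = policies.get(cand)
        if hit is None:
            continue
        rrtype, rdata = hit
        if rrtype == "CNAME":
            target = rdata.lower()
            if target == ".":
                return ("NXDOMAIN", None)
            if target == "*.":
                return ("NODATA", None)
            if target == "rpz-passthru.":
                return ("PASSTHRU", None)
        return ("LOCAL-DATA", f"{rrtype} {rdata}")   # rewritten answer
    return ("NO-POLICY", None)                       # resolve normally


if __name__ == "__main__":
    table = parse_rpz(RPZ_ZONE)
    for name in ("xyzbadness.com", "www.xyzbadness.com", "ok.xyzbadness.com",
                 "tracker.example.org", "login-bank.example", "www.isc.org"):
        print(f"{name:24} -> {apply_policy(name, table)}")
```

This is the "push once" side of the comparison: the provider ships the zone, and every subsequent lookup is decided locally from the table, with no per-domain query back to the provider as a DNS RBL would require.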

How is DNSRPZ Different?
[Diagram comparing the two models. DNSRPZ: the Security Company's Master DNS RPZ pushes the policy zone to the Caching Resolver DNS by AXFR/IXFR ("Push Once"). DNS RBL: Some Security Device must query the Security Company's DNS RBL for every domain it encounters ("Query Every Domain").]

Demo - before

Demo - after