Managing Response Policy Zones

This chapter provides an overview of Response Policy Zones (RPZ) and explains how to use them to implement DNS Firewall capabilities in Cisco Prime Network Registrar. RPZ is a powerful feature that enables administrators to apply security policies to DNS queries by modifying responses based on predefined rules. Through RPZ, DNS servers can block, redirect, or alter responses to queries for malicious or unwanted domains, helping to protect users and networks from threats at the DNS layer.

Introduction to Response Policy Zones

Response policy zones (RPZ) are a mechanism used in DNS servers to enforce security policies by modifying DNS responses based on predefined rules. These zones are primarily used to block or redirect DNS queries for malicious domains, phishing sites, or other undesirable internet locations.

We recommend that you create a separate forward zone on the Authoritative DNS server for Response Policy Zones. The zone can be either primary or secondary, and its data can be entered manually or transferred from a third-party Response Policy Zones provider. Name the zone rpz.<customer-domain> so that it cannot collide with domain names in the global DNS namespace.


Note


If the Response Policy Zone is received by zone transfer, it must have the same name as at the source. If you use a commercial Response Policy Zones provider, the name is specified by the provider.


DNS Response Policy Zones Triggers

Each policy consists of a trigger and an action. The trigger describes when the policy should be applied. The action describes what action should be taken if the policy needs to be applied.

In a Response Policy Zone, each trigger and action combination is defined as a Resource Record (RR). The owner name of the RR states the trigger; the RR type and RDATA state the action.

The Response Policy Zones RR names can take the following forms:

Table 1. DNS Response Policy Zones Triggers

Each entry gives the trigger, the RR name pattern, and an example that uses rpz.cisco.com as the customer domain. Addresses are written in reversed label order: IPv4 octets are reversed, and for IPv6 the groups of the compressed textual form are reversed with "::" written as the label zz.

  • Domain being queried
    RR name: <domain>.rpz.<customer-domain>
    Example: domain www.baddomain.com
    Example RR name: www.baddomain.com.rpz.cisco.com

  • Name server to query
    RR name: <ns-domain-name>.rpz-nsdname.rpz.<customer-domain>
    Example: name server ns.baddomain.com
    Example RR name: ns.baddomain.com.rpz-nsdname.rpz.cisco.com

  • Name server IPv4 address to query
    RR name: 32.<reversed-ip>.rpz-nsip.rpz.<customer-domain>
    Example: name server address 192.168.2.10
    Example RR name: 32.10.2.168.192.rpz-nsip.rpz.cisco.com

  • Name server IPv6 address to query
    RR name: 128.<reversed-ip>.rpz-nsip.rpz.<customer-domain>
    Example: name server address 2001:db8:0:1::57
    Example RR name: 128.57.zz.1.0.db8.2001.rpz-nsip.rpz.cisco.com

  • A record in the answer section of the response (single address)
    RR name: 32.<reversed-ip>.rpz-ip.rpz.<customer-domain>
    Example: A answer record 192.168.2.10
    Example RR name: 32.10.2.168.192.rpz-ip.rpz.cisco.com

  • A record in the answer section of the response (subnet)
    RR name: <prefix-length>.<reversed-network>.rpz-ip.rpz.<customer-domain>
    Example: A answer record in subnet 192.168.2.0/24
    Example RR name: 24.0.2.168.192.rpz-ip.rpz.cisco.com

  • AAAA record in the answer section of the response (single address)
    RR name: 128.<reversed-ip>.rpz-ip.rpz.<customer-domain>
    Example: AAAA answer record 2001:db8:0:1::57
    Example RR name: 128.57.zz.1.0.db8.2001.rpz-ip.rpz.cisco.com

  • AAAA record in the answer section of the response (prefix)
    RR name: <prefix-length>.<reversed-prefix>.rpz-ip.rpz.<customer-domain>
    Example: AAAA answer record in prefix 2001:db8:0:1::/64
    Example RR name: 64.zz.1.0.db8.2001.rpz-ip.rpz.cisco.com

  • Client IP (subnet)
    RR name: <prefix-length>.<reversed-network>.rpz-client-ip.rpz.<customer-domain>
    Example: client IP in the subnet 192.0.2.0/24
    Example RR name: 24.0.2.0.192.rpz-client-ip.rpz.cisco.com

  • Client IP (single address)
    RR name: 32.<reversed-ip>.rpz-client-ip.rpz.<customer-domain>
    Example: client IP 192.0.2.64
    Example RR name: 32.64.2.0.192.rpz-client-ip.rpz.cisco.com

The zone contains all the RRs for query names that are on the block list. Blocking IP addresses and ranges must be done under the rpz-ip label (that is, rpz-ip.rpz.cisco.com). The same logic applies to blocking name servers and clients using the rpz-nsdname, rpz-nsip, and rpz-client-ip labels.


Note


rpz-ip, rpz-nsdname, rpz-nsip, and rpz-client-ip are just labels within the zone; they are not real subdomains or separate zones. No delegation points exist at this level, and the Caching DNS server relies on finding all the data within the referenced zone.



Note


When rpz-nsdname and rpz-nsip triggers are used, the corresponding rule is applied to the original query and therefore changes the answer section. Whenever the final answer is determined by Response Policy Zone rule(s), the Response Policy Zone SOA is included in the authority section of the response.


DNS Response Policy Zones Actions

Response Policy Zones rules are created using standard DNS RRs, mostly CNAME RRs; for redirection, however, any RR type can be used. The RR name follows the trigger formats above, and the RDATA defines the action to be taken. The following table describes the Response Policy Zones actions.

Table 2. Response Policy Zones Actions

  • NXDOMAIN: return an NXDOMAIN response.
    RDATA: CNAME .
    Example: www.baddomain.com.rpz.cisco.com. 300 CNAME .

  • NODATA: return an empty (NODATA) response.
    RDATA: CNAME *.
    Example: www.baddomain.com.rpz.cisco.com. 300 CNAME *.

  • NO-OP (allowed list): bypass the RPZ for this domain.
    RDATA: CNAME rpz-passthru. or CNAME <the queried FQDN>
    Examples:
      www.gooddomain.com.rpz.cisco.com. 300 CNAME rpz-passthru.
      www.gooddomain.com.rpz.cisco.com. 300 CNAME www.gooddomain.com.

  • DROP: drop the query that triggered this action.
    RDATA: CNAME rpz-drop.
    Example: www.baddomain.com.rpz.cisco.com. 300 CNAME rpz-drop.

  • Redirect: return alternate data for this query.
    RDATA: <any RR type> <redirect-data>
    Examples:
      www.wrongdomain.com.rpz.cisco.com. 300 CNAME walledgarden.cisco.com.
      www.baddomain.com.rpz.cisco.com. 300 A 192.168.2.10
      www.baddomain.com.rpz.cisco.com. 300 AAAA 2001:db8:0:1::57
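As an added example (not code from the Cisco Prime Network Registrar documentation or product), the following Python builds the owner name for every trigger form in Table 1 and emits rule records with the actions in Table 2. The zone name rpz.cisco.com, the 300-second TTL and the sample rule set are assumptions taken from the tables' examples; the IPv6 reversal follows the zz convention shown in the examples.

```python
"""Build RPZ owner names (Table 1 triggers) and rule RRs (Table 2 actions).
Added example, not Cisco Prime Network Registrar code; rpz.cisco.com and the
sample rules are assumptions taken from the tables."""
import ipaddress

ZONE = "rpz.cisco.com"  # assumed customer RPZ name

# RDATA for the fixed actions; "redirect" carries its own RR type and RDATA
ACTIONS = {
    "nxdomain": ("CNAME", "."),
    "nodata": ("CNAME", "*."),
    "passthru": ("CNAME", "rpz-passthru."),
    "drop": ("CNAME", "rpz-drop."),
}


def reverse_ip(addr):
    """Reverse an address into RPZ label order: IPv4 octets reversed; for IPv6
    the groups of the compressed text form reversed, with '::' written as 'zz'."""
    ip = ipaddress.ip_address(str(addr))
    if ip.version == 4:
        return ".".join(reversed(str(ip).split(".")))
    text = ip.compressed
    if "::" in text:
        left, right = text.split("::")
        groups = ([g for g in left.split(":") if g] + ["zz"]
                  + [g for g in right.split(":") if g])
    else:
        groups = text.split(":")  # uncompressible address: all 8 groups
    return ".".join(reversed(groups))


def qname_trigger(domain, zone=ZONE):
    """Trigger on the domain being queried."""
    return f"{domain.rstrip('.')}.{zone}"


def nsdname_trigger(ns_name, zone=ZONE):
    """Trigger on the name of a name server that would be queried."""
    return f"{ns_name.rstrip('.')}.rpz-nsdname.{zone}"


def address_trigger(label, net, zone=ZONE):
    """Trigger on an address or prefix: label is rpz-ip, rpz-nsip or
    rpz-client-ip; net is a single address (/32 or /128) or a CIDR prefix."""
    net = ipaddress.ip_network(net, strict=False)
    return f"{net.prefixlen}.{reverse_ip(net.network_address)}.{label}.{zone}"


def rpz_record(owner, action, ttl=300, rtype=None, rdata=None):
    """Return one zone-file line for the rule; 'redirect' needs rtype and rdata."""
    if action == "redirect":
        if not (rtype and rdata):
            raise ValueError("redirect needs an RR type and rdata")
    else:
        rtype, rdata = ACTIONS[action]
    return f"{owner.rstrip('.')}. {ttl} {rtype} {rdata}"


def build_rules():
    """Constructed sample rule set covering each trigger type in Table 1."""
    return [
        rpz_record(qname_trigger("www.baddomain.com"), "nxdomain"),
        rpz_record(nsdname_trigger("ns.baddomain.com"), "nodata"),
        rpz_record(address_trigger("rpz-nsip", "2001:db8:0:1::57"), "drop"),
        rpz_record(address_trigger("rpz-ip", "192.168.2.0/24"), "drop"),
        rpz_record(address_trigger("rpz-client-ip", "192.0.2.64"), "passthru"),
        rpz_record(qname_trigger("www.wrongdomain.com"), "redirect",
                   rtype="CNAME", rdata="walledgarden.cisco.com."),
    ]


if __name__ == "__main__":
    print("\n".join(build_rules()))
```

Running the script prints the six rules in the owner/TTL/type/RDATA form used in Table 2, which can be pasted into a manually maintained RPZ. The prefix length is always the first label, so a /24 and a /32 rule for overlapping addresses are distinct owner names rather than one overwriting the other.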

Setting up RPZ primary zones on the authoritative DNS server

Local Web UI

Procedure


Step 1

From the Design menu, choose Forward Zones under the Auth DNS submenu to open the List/Add Forward Zones page.

Step 2

Click the Add Forward Zone icon in the Forward Zones pane to open the Add Zone dialog box.

Step 3

Enter the name of the zone (for example, rpz.<customer-domain>), specify localhost as the name server, and add a contact e-mail address and a starting serial number.

Step 4

Make the following changes in the Edit Zone page:

  1. Set the Zone Default TTL (recommended setting is between 5m and 2h).

    Note

     

Restrict queries to localhost and the Caching DNS server address(es), that is, restrict-query-acl = localhost, <cdns-address>.

  2. Under the Zone Transfer Settings section, restrict zone transfers and notifies.

    Note

     

    Zone transfers and notifies should only be allowed to other RPZ secondaries and localhost.

Step 5

From the Deploy menu, choose DNS Server under the DNS submenu to open the Local DNS Server page.

Step 6

Click the Restart Server icon to reload the DNS server and publish the RPZ.


CLI commands

Use the following CLI commands:
  • Create the RPZ. The zone name should indicate that it is an RPZ, for example rpz.example.com.

    nrcmd> zone rpz.example.com. create primary localhost admin
  • Enable the rpz attribute (only when the Caching DNS servers are version 11.1.x or older; see the note that follows).

    nrcmd> zone rpz.example.com. enable rpz
  • Restrict queries so that only the Caching DNS servers and localhost are allowed.

    nrcmd> zone rpz.example.com. set restrict-query-acl="localhost, <list of CDNS>"
  • Restrict or completely deny zone transfers, depending on the deployment, and send notifies only to the Caching DNS servers that use the RPZ data.

    nrcmd> zone rpz.example.com. set restrict-xfer-acl="<list of CDNS>, localhost"
    nrcmd> zone rpz.example.com. set notify=notify-list
    nrcmd> zone rpz.example.com. set notify-list=<list of CDNS>
  • Set the default TTL between 5m and 2h.

    nrcmd> zone rpz.example.com. set defttl=5m
  • Reload the DNS server to publish the RPZ and make the configuration changes take effect.

    nrcmd> dns reload

Note


The 'rpz' attribute should only be enabled for CDNS versions 11.1.x or older. It must NOT be configured for CDNS versions 11.2 or later.


DNS Response Policy Zones Requirements and Best Practices

  • All Response Policy Zones must have the rpz attribute enabled when the Caching DNS servers are version 11.1.x or older (the attribute must not be set for 11.2 or later). A DNS reload is necessary for this change to take effect.

  • The restrict-query-acl should be limited to localhost (and the Caching DNS server addresses, where required) so that ordinary clients cannot read the firewall rule data.

  • The restrict-xfer-acl should be set to the list of DNS servers that load this RPZ data. It may also be helpful to include localhost for administrative purposes.

  • notify should be set to notify-list, and notify-list should contain the list of CDNS servers that use the RPZ data.

  • Response Policy Zone must not be delegated from the parent zone. It must be hidden and only available to a specially configured Caching DNS.

  • The Response Policy Zone must contain no address (A or AAAA) record for its name server, so that the name server is never cached or looked up.

  • The name server record must point to "localhost".

  • The number of Response Policy Zone Firewall rules on a Caching DNS server should be limited to 2-3.

  • The default TTL of a manually created Response Policy Zone must reflect the rate of change of the zone data. The recommended range is 5m to 2h.

  • A Response Policy Zone may contain both allowed-list and block-list data for domains, but the two can also be kept in separate zones. This helps when the data overlaps or when the block-list zone is maintained by a third party (that is, a Response Policy Zones subscription).


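The following Python is an added example (not Cisco Prime Network Registrar code) that lints a hand-maintained RPZ zone file against the requirements above: default TTL within 5m to 2h, an SOA, an apex NS that points to localhost with no address record for it, in-zone owner names, a sane prefix length on rpz-ip, rpz-nsip and rpz-client-ip triggers, and fully qualified CNAME targets. The zone name rpz.cisco.com and both sample zones are constructed; the parser handles only the one-RR-per-line form used in this chapter's examples.

```python
"""Lint an RPZ zone file against the hygiene rules in this chapter.
Added example, not Cisco Prime Network Registrar code; rpz.cisco.com and the
two sample zones below are constructed for illustration."""

TTL_MIN, TTL_MAX = 300, 7200          # recommended default TTL range: 5m to 2h
ADDRESS_LABELS = {"rpz-ip", "rpz-nsip", "rpz-client-ip"}


def parse_zone(text):
    """Minimal parser: '$TTL n' plus one RR per line as 'owner [ttl] type rdata'."""
    default_ttl, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()         # drop comments and blanks
        if not line:
            continue
        if line.upper().startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        tokens = line.split()
        owner = tokens.pop(0).lower()
        if len(tokens) < 2:
            continue                                # not a usable RR line
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        rtype = tokens.pop(0).upper()
        records.append((owner, ttl, rtype, " ".join(tokens)))
    return default_ttl, records


def lint_rpz(text, zone):
    """Return a list of findings; an empty list means the zone passes."""
    zone = zone.lower().rstrip(".") + "."
    default_ttl, records = parse_zone(text)
    findings = []
    if default_ttl is None or not TTL_MIN <= default_ttl <= TTL_MAX:
        findings.append("default TTL outside 5m-2h")
    if not any(t == "SOA" and o == zone for o, _, t, _ in records):
        findings.append("missing SOA")
    # The apex NS must be localhost, and no name server may have glue in the zone.
    ns_targets = {rd.lower() for o, _, t, rd in records if t == "NS" and o == zone}
    if ns_targets != {"localhost."}:
        findings.append("apex NS must point to localhost.")
    for owner, _, rtype, rdata in records:
        if not owner.endswith(zone):
            findings.append(f"out-of-zone owner {owner}")
            continue
        if rtype in ("A", "AAAA") and owner in ns_targets:
            findings.append(f"address record for name server {owner}")
        labels = owner[:-len(zone)].rstrip(".").split(".") if owner != zone else []
        for i, lab in enumerate(labels):
            if lab in ADDRESS_LABELS:
                # first label is the prefix length; reversed address sits before the label
                prefix, rev = labels[0], labels[1:i]
                is_v6 = len(rev) != 4 or any(not g.isdigit() for g in rev)
                bound = 128 if is_v6 else 32
                if not (prefix.isdigit() and int(prefix) <= bound):
                    findings.append(f"bad prefix length in {owner}")
                break
        if rtype == "CNAME" and not rdata.endswith("."):
            # a relative target would be expanded under the RPZ origin, not as intended
            findings.append(f"relative CNAME target in {owner}")
    return findings


# Constructed sample: follows every rule in the list above.
GOOD_ZONE = """
$TTL 300
rpz.cisco.com. SOA localhost. hostmaster.cisco.com. 1 3600 600 86400 300
rpz.cisco.com. NS localhost.
www.baddomain.com.rpz.cisco.com. 300 CNAME .
24.0.2.168.192.rpz-ip.rpz.cisco.com. CNAME rpz-drop.
64.zz.1.0.db8.2001.rpz-ip.rpz.cisco.com. CNAME .
www.gooddomain.com.rpz.cisco.com. CNAME rpz-passthru.
"""

# Constructed sample: 24h default TTL, a real NS with glue, a bad prefix, a relative CNAME.
BAD_ZONE = """
$TTL 86400
rpz.cisco.com. SOA ns.rpz.cisco.com. hostmaster.cisco.com. 1 3600 600 86400 300
rpz.cisco.com. NS ns.rpz.cisco.com.
ns.rpz.cisco.com. A 192.0.2.53
200.0.2.0.192.rpz-client-ip.rpz.cisco.com. CNAME .
www.baddomain.com.rpz.cisco.com. CNAME walledgarden
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(name, lint_rpz(text, "rpz.cisco.com") or "OK")
```

Run it against a zone export before the reload in the CLI procedure; any finding corresponds to one of the bullets above, and the glue check in particular catches the common mistake of creating the RPZ with a normal name server plus an A record instead of localhost.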