The BIG-IP® system can utilize a domain name service (DNS) response policy zone (RPZ) as a firewall mechanism. An RPZ is a zone that contains a list of known malicious Internet domains. The list includes a resource record set (RRset) for each malicious domain. Each RRset includes the names of the malicious domain and any subdomains of the domain.
BIG-IP returns an NXDOMAIN response to a DNS query for a malicious domain
BIG-IP forwards a DNS query for a malicious domain to a walled garden
For each malicious domain that you want to add to your custom RPZ, create a resource record for the domain. Additionally, you can add a wildcard resource record to represent all subdomains of the malicious domain.
With an RPZ configuration, the BIG-IP® system filters DNS queries for domains that are known to be malicious and returns custom responses that direct those queries away from the malicious domain.
Before adding a TSIG key for a DNS server that hosts an RPZ:
Add a TSIG key to the BIG-IP system configuration when you want to validate zone transfer communications between DNS Express® and a DNS server hosting an RPZ.
| Resolver Type | Description |
|---|---|
| Resolver | Resolves a DNS request and stores the response in the DNS cache. |
| Validating Resolver | Resolves a DNS request, verifies the response using a DNSSEC key, and stores the response in the DNS cache. |
| Transparent (None) | Sends a DNS request to a DNS server for resolution, and stores the response in the DNS cache. |
Obtain the resource records for the walled garden zone on your network.
If you want the BIG-IP® system to redirect DNS queries for known malicious domains to a specific location, ensure that you have associated a local zone that represents the RPZ with the DNS cache.
| Action | Description |
|---|---|
| NXDOMAIN | Resolves a DNS query for a malicious domain found in the RPZ with an NXDOMAIN response, which states that the domain does not exist. |
| walled-garden | Resolves a DNS query for a malicious domain found in the RPZ by providing an A or AAAA record response, which redirects the query to a known host. |
System performance is affected even when Logs and Stats Only is selected, because the system still performs the RPZ lookup for every query; only the blocking or redirecting response is suppressed.
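The following added example is not BIG-IP code; it is a small model of the RPZ behaviour described above (exact and wildcard matching of malicious domains, the NXDOMAIN and walled-garden actions, and Logs and Stats Only). It assumes the standard RPZ trigger encoding, in which a CNAME to "." means NXDOMAIN and an A record supplies the walled-garden address; the zone data and addresses are constructed.

```python
"""Constructed RPZ policy lookup model (example only, not BIG-IP code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed RPZ data. Owner names are shown relative to the RPZ zone apex.
# Assumption: standard RPZ encoding, CNAME "." = NXDOMAIN, A record = walled garden.
RPZ_RECORDS = {
    "malware.test": ("CNAME", "."),        # block the domain with NXDOMAIN
    "*.malware.test": ("CNAME", "."),      # wildcard: block every subdomain too
    "phish.test": ("A", "192.0.2.10"),     # redirect to a walled-garden host
    "*.phish.test": ("A", "192.0.2.10"),   # wildcard for all subdomains
}


@dataclass
class RpzEngine:
    records: dict
    logs_and_stats_only: bool = False
    hits: list = field(default_factory=list)   # (qname, matching owner) per hit

    def _trigger(self, qname: str) -> Optional[str]:
        """Return the matching owner name: an exact match wins, otherwise the
        closest wildcard record that covers qname as a subdomain."""
        name = qname.rstrip(".").lower()
        if name in self.records:
            return name
        labels = name.split(".")
        # "*.malware.test" covers "a.malware.test" and "b.a.malware.test"
        for i in range(1, len(labels)):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in self.records:
                return wildcard
        return None

    def resolve(self, qname: str) -> str:
        """Return the policy outcome: 'NXDOMAIN', 'A <address>' or 'PASSTHRU'."""
        owner = self._trigger(qname)
        if owner is None:
            return "PASSTHRU"              # not in the RPZ: normal resolution
        self.hits.append((qname, owner))   # the lookup and the stat always happen
        if self.logs_and_stats_only:
            return "PASSTHRU"              # logged and counted, but not blocked
        rtype, rdata = self.records[owner]
        if rtype == "CNAME" and rdata == ".":
            return "NXDOMAIN"
        return f"{rtype} {rdata}"          # walled-garden A/AAAA answer
```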
You can view information about DNS zones.