Policies

Policy Actions

Policy Action | Description
--- | ---
NXDOMAIN | Return name does not exist.
NODATA | Return name exists but with no answer data.
PASSTHRU | Do nothing - normally defines an exception in a range.
TCP-Only | Force use of TCP. [not in Format 3]
DROP | Causes client timeout. [not in Format 3]
Local-Data | Response data defined by RR and target-name/left-hand expression.

Policy Triggers

Policy Trigger | Description
--- | ---
QNAME | Trigger on query name.
CLIENT-IP | Trigger on DNS client IP.
IP | Trigger on query response IP.
NSDNAME | Trigger on NS name during delegation.
NS-IP | Trigger on NS IP during delegation.
Policy Actions
Policy Actions define the required outcome or result and are relatively straightforward. They are defined using the RR type and target-name (left-hand-name) of the RR as shown in the table below:
Note: Any Policy Trigger can be used with any Policy Action while the table shows only the most common types used with each Policy Action.
Outcome | Policy Trigger (LH name) | RR | RH Value | Policy Action
--- | --- | --- | --- | ---
NXDOMAIN | QNAME, IP, NSDNAME, NSIP | CNAME | . | NXDOMAIN
NODATA | QNAME, IP, NSDNAME, NSIP | CNAME | *. | NODATA
Unchanged | QNAME, IP, NSDNAME, NSIP | CNAME | rpz-passthru. | PASSTHRU
Nothing | QNAME, IP, NSDNAME, NSIP | CNAME | rpz-drop. | DROP
Truncated | CLIENT-IP | CNAME | rpz-tcp-only. | TCP-ONLY
Modified | QNAME, IP, NSDNAME, NSIP | anything | anything | Local-Data

NXDOMAIN. RPZ processing returns NXDOMAIN (name does not exist) irrespective of the actual result received. Note: RFC 2308 mandates that NXDOMAIN responses carry the SOA RR of the authoritative zone in the response Authority Section. When an RPZ action takes place the authority (and hence the SOA RR returned) is the RPZ domain, so RPZ domain name leakage will result.

NODATA. RPZ processing returns NODATA (name exists but no answers returned) irrespective of the actual result received. Note: RFC 2308 mandates that NODATA responses carry the SOA RR of the authoritative zone in the response Authority Section. When an RPZ action takes place the authority (and hence the SOA RR returned) is the RPZ domain, so RPZ domain name leakage will result (see the operational note on RPZ domain names).

PASSTHRU (was NOOP). This identifies an exception (a whitelisted name) and can be used to override an action covering, say, a large IP address block or a specific subdomain, reducing the number of zone file records required to implement a given policy. When rpz-passthru. is detected no RPZ policy processing takes place (the PASSTHRU Action) and the query is processed, and responded to, normally. There is an older form of PASSTHRU (obsoleted, but still supported in the code for backward compatibility) in which the LH domain-name and the RH domain-name are identical.

DROP. No response is returned to the user query irrespective of the results obtained. This has the effect of causing an end-user timeout (typically 5 seconds or even longer), thus slowing down query retries and reducing query load. (In the case of a specific response, such as NODATA, the end user may simply retry immediately, with implications for query load.) This kind of action is sometimes referred to generically as a tar-pit strategy.

TCP-ONLY. Causes a truncated message to be sent (without TC set), forcing the user to retry over a TCP connection with its higher connection-time overhead. The objective of this Action is to slow down clients known to be involved in DDoS amplification attacks. The effect of this Action is a one-shot deal: the subsequent TCP connection will connect normally. The net effect is to slow down client processing by a relatively modest amount, which may be better than nothing. This Action is primarily intended to be used with the CLIENT-IP Trigger but can be used with other Trigger types if required.

Local-Data. This Policy Action allows the operator to define any desired outcome. As an example, a CNAME RR (or A/AAAA RR) could be used to send the user to a web page describing what action has been taken, to make a commercial offer or, well, anything else imaginable.
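An added example in Python (not code from the original page) that applies the encoding in the table above: it parses a constructed RPZ zone, classifies each record's Policy Action from its RR type and right-hand value (including the obsolete PASSTHRU form where the left- and right-hand names are identical), and reports the action a query name would receive. The zone parser and the exact-then-wildcard QNAME matching order are simplified assumptions rather than any particular server's implementation; rpz.local. and the names in the sample zone are constructed placeholders.

```python
SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                   "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}  # RH values

def parse_rpz_zone(text, origin):
    """Map trigger name (owner minus zone origin) -> (action, rrtype, rdata)."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()               # drop comments
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, *rest = line.split()
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                                   # optional TTL/class
        rrtype, rdata = rest[0].upper(), " ".join(rest[1:])
        fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
        trigger = fqdn[:-len(origin)] if fqdn.endswith("." + origin) else fqdn
        if rrtype == "CNAME" and rdata in SPECIAL_TARGETS:
            action = SPECIAL_TARGETS[rdata]
        elif rrtype == "CNAME" and rdata == trigger:
            action = "PASSTHRU"        # obsolete form: LH name == RH name
        else:
            action = "LOCAL-DATA"      # any other RR/value is operator data
        policy[trigger] = (action, rrtype, rdata)
    return policy

def qname_action(policy, qname):
    """Exact trigger first, then longest '*.parent.' wildcard (assumed order)."""
    if qname in policy:
        return policy[qname]
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):          # a wildcard never matches its parent
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in policy:
            return policy[wildcard]
    return ("UNCHANGED", None, None)         # no policy hit: answer normally

# Constructed sample zone; rpz.local. is a placeholder RPZ zone name.
SAMPLE_ZONE = """\
$ORIGIN rpz.local.
*.malware.example  CNAME .              ; NXDOMAIN for every subdomain
ok.malware.example CNAME rpz-passthru.  ; exception inside the block above
tracker.example    CNAME *.             ; NODATA
botnet.example     CNAME rpz-drop.      ; DROP (client times out)
noisy.example      CNAME rpz-tcp-only.  ; TCP-ONLY
phish.example   IN A     192.0.2.10     ; Local-Data: walled-garden address
old.example        CNAME old.example.   ; obsolete PASSTHRU form (LH == RH)
"""
```

Running `qname_action(parse_rpz_zone(SAMPLE_ZONE, "rpz.local."), "ok.malware.example.")` shows the exact PASSTHRU entry winning over the enclosing `*.malware.example` NXDOMAIN wildcard, which is the exception pattern the PASSTHRU description above relies on.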
Policy Triggers