BIND9 - Configuring a DNS firewall with RPZ

Response Policy Zone (RPZ) is a BIND9.10+ feature (the basic capability was released with BIND9.8) that allows a recursive server (resolver) to perform a user-defined action based on the contents of one or more RPZ zone files. The RPZ feature is invoked by referencing these RPZ zone files within a response-policy statement in the options clause.

  1. RPZ Zone Blocker Functions
  2. RPZ Zone Blocker named.conf
  3. RPZ Zone File
  4. Exclude Users from RPZ Actions

RPZ Zone Blocker Functions

This howto illustrates the use of RPZ to implement a simple zone blocker (also frequently referred to as a DNS firewall) in a recursive server (resolver), providing the following functionality:

  1. The resolver operator defines, in an RPZ zone file, the domain names that users are to be blocked from accessing. The reasons for doing this may be anything from eliminating access to non-essential sites in a work environment, blocking sites of a distasteful nature where young people may be involved, or preventing access to sites known to infect PCs with viruses, to any other reason. The domain-name method used here is only one of five possible RPZ triggers.

  2. When a user attempts to access a domain name that is blocked by the RPZ feature, the request may be diverted to a web site (perhaps one explaining what happened), or the request may simply be dropped (leading to a timeout that manifests itself either as a network error page or the dreaded 'Page cannot be displayed' in the user's browser). Both types are illustrated in this configuration. These are only two of the six possible RPZ actions.

  3. The RPZ configuration is flat: it does not differentiate in any way between users. All users who access the public Internet via any resolver running this RPZ file will be blocked from the sites defined in it. RPZ does make it possible to allow defined users to bypass the blocking, and a small sample is included to illustrate how this is done.

This domain name blocker (aka DNS firewall) uses a trivial subset of the full power of the RPZ feature, to keep the configuration simple and to minimize the danger of inadvertent collateral damage, which is very easy to cause with RPZ. The full capability (defining every RPZ Policy Trigger and every Policy Action), with copious examples, is described in nauseating detail on this page. Readers who wish to control access to the, sadly, increasing number of sites whose entire motivation seems to be infecting unsuspecting viewers are well advised to take the time to fully understand RPZ, since it offers a rich and subtle feature set which can yield results of substantial scope by intercepting further up the query chain.

RPZ named.conf

The RPZ feature is invoked by referencing one or more RPZ zones within a response-policy statement in the global options clause (or within a view clause). Each RPZ zone must also be defined using a normal zone clause. Throughout, the user's zone is assumed to be the classic, but boring,

RPZ is only possible in a recursive server (resolver); the named.conf fragment required to invoke RPZ is shown below. Many other permutations exist, this is one of the simplest:

// named.conf fragments relevant to RPZ
logging {
  // stream the log to separate rpz info
  channel normal-log {
    // alternatively use default_syslog above to log
    // everything apart from RPZ info to syslog and omit
    // the file statement below
    file "/var/named/named.log" versions 3 size 1m;
    severity info;
  };
  channel named-rpz {
    // change path as appropriate
    file "/var/named/rpz.log" versions 3 size 250k;
    severity info;
  };
  // RPZ actions go to their own log
  category rpz { named-rpz; };
  // everything else
  category default { normal-log; };
};
options {
  // this must be a recursive server
  recursion yes; // the default but good practice
  // CLOSE the server - change IPs as appropriate
  // or use allow-recursion { localnets; localhost; };
  allow-recursion { 192.168.2/24; };
  // invoke RPZ
  response-policy { zone ""; };
  allow-transfer { none; };
  allow-update { none; };
};
// RPZ zone definition
zone "" {
  type master;
  file "master/";
};
// standard recursive zone files
// hints, localhost forward and reverse maps
// reverse map for 192.168.2/24


  1. Domain name: The RPZ zone name can break all the normal rules because of its limited visibility; however, the sample uses a fairly innocuous name for the reasons discussed on this page. It could equally, and correctly, have been called "roguesgallery". If you elect to use a name within your own domain space, ensure that the name does not appear in your normal zone file ( in this case) to avoid any internal or external attempts to access it.

  2. response-policy: The statement shown invokes a fully functional RPZ zone whose actions are determined by the contents of the RPZ zone file. During the testing phase the following statement will perform all the RPZ actions, log them to the RPZ channel, then return the real result to the user:

    response-policy {zone "" policy disabled;};

RPZ Zone File

The following commented zone file shows diversion of the various blocked domain names (using the QNAME policy trigger; many other triggers can be used) to one or more alternative sites (assumed to be web pages, but they could be anything), or simply dropping the response (causing a user timeout after 5 seconds or longer). Many other outcomes (Policy Actions) are possible.

; zone file
$TTL 2h ; default TTL
; email address is never used
@        SOA nonexistent.nodomain.none. dummy.nodomain.none. 1 12h 15m 3w 2h
; name server is never accessed but out-of-zone
         NS  nonexistent.nodomain.none.

; divert single domain name to 
; special web page at
; must have A/AAAA RR
; in the zone file CNAME

; divert whole domain name to 
; special web page at
; must have A/AAAA RR
; in the zone file CNAME

; divert just subdomains of domain name to 
; special web page at
; allows MX record to be read and web sites of form
; but blocks, for instance, or
; must have A/AAAA RR
; in the zone file

; divert different domains to different locations
; special web pages at explain and
; both noway and must have A/AAAA RRs
; in the zone file CNAME

; no response (timeout) for a single domain name 
; CNAME rpz-drop.

; no response (timeout) to whole domain name CNAME rpz-drop.
* CNAME rpz-drop.

; no response (timeout) to subdomains of domain name
; allows MX record to be read and web sites of form
; but drops, for instance, or
* CNAME rpz-drop.


  1. All left-hand (owner-name) names must NOT end with a dot.

  2. Add as many names as required. Order is not important since they are sorted into canonical order when the zone is loaded.

  3. RPZ zones may well be very large (> 1 million RRs). To speed up zone loading, BIND9.10 includes a new map option for named-compilezone and the masterfile-format statement.

Excluding Users from RPZ Actions

The following shows a method by which certain users (assuming known and fixed IP addresses) may be excluded from all RPZ actions:

// named.conf
options {
  // define a second zone file - order is important in
  // the response-policy statement (the pass-through zone first)
  response-policy { zone ""; zone ""; };
};
// add new RPZ zone clause
zone "" {
  type master;
  file "master/";
};
// zone file for
// zone files for hints, localhost (forward and reverse map)
// reverse map for local IPs

; zone file
$TTL 2h ; default TTL
@        SOA nonexistent.nodomain.none. dummy.nodomain.none. 1 12h 15m 3w 2h
; name server is never accessed but out-of-zone
         NS  nonexistent.nodomain.none.

; this excludes a single 
; IP address
; address can be written as CNAME rpz-passthru.

; this defines a block of 8 IPs 
; containing
; address can be written as 
; CNAME rpz-passthru.


  1. If you need an IPv4 calculator.

  2. All left-hand (owner-name) names must NOT end with a dot.

  3. RPZ searches trigger conditions from the zones in the order in which they are defined in the response-policy statement.
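The record shapes used in the two zone files above (exact-name, whole-domain and subdomain-only QNAME triggers with rpz-drop or a CNAME diversion, and the rpz-client-ip pass-through encoding for a single address or a block of 8) can be generated rather than hand-typed. The following is an added example, not code from this page or from ISC; the example.com / example.net names and the 192.168.2.x addresses in the comments are constructed, and the octet-reversed rpz-client-ip encoding is the standard RPZ convention.

```python
"""Helpers that emit BIND RPZ zone records (added example, not from the page)."""
import ipaddress


def qname_records(name, target="rpz-drop.", scope="name"):
    """Return the zone-file line(s) for a QNAME trigger.

    scope  "name"   : block only the exact name
           "domain" : block the name and every subdomain (name + *.name)
           "subs"   : block subdomains only, leaving the apex (and its MX) intact
    target "rpz-drop." gives a timeout; any other fully-qualified name is
           the walled-garden site to divert to (it needs an A/AAAA RR).
    """
    name = name.rstrip(".")  # RPZ owner names must NOT end with a dot
    if not target.endswith("."):
        raise ValueError("CNAME target must be fully qualified (trailing dot)")
    if scope not in ("name", "domain", "subs"):
        raise ValueError(f"unknown scope {scope!r}")
    lines = []
    if scope in ("name", "domain"):
        lines.append(f"{name} CNAME {target}")
    if scope in ("domain", "subs"):
        lines.append(f"*.{name} CNAME {target}")
    return lines


def client_ip_passthru(cidr):
    """Emit the rpz-client-ip record that exempts a client prefix from RPZ.

    RPZ encodes an IPv4 prefix as prefixlen.B4.B3.B2.B1.rpz-client-ip, i.e.
    the octets in reverse order, so 192.168.2.8/29 (a block of 8 addresses)
    becomes 29.8.2.168.192.rpz-client-ip.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)  # drop host bits, e.g. .5/29 -> .0/29
    octets = str(net.network_address).split(".")
    owner = ".".join([str(net.prefixlen)] + octets[::-1] + ["rpz-client-ip"])
    return f"{owner} CNAME rpz-passthru."


def render_zone(records, ttl="2h"):
    """Wrap records in the minimal SOA/NS header the page uses for RPZ zones."""
    header = [
        f"$TTL {ttl}",
        "@  SOA nonexistent.nodomain.none. dummy.nodomain.none. 1 12h 15m 3w 2h",
        "   NS  nonexistent.nodomain.none.",
    ]
    return "\n".join(header + records) + "\n"
```

Remember that the pass-through records must live in the zone listed first in response-policy, since triggers are searched in that order.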

Creative Commons License
This work is licensed under a Creative Commons License.
Copyright © 1994 - 2018 ZyTrax, Inc.
Page modified: November 19 2015.