Post written by
Cricket Liu
Infoblox’s Chief DNS Architect. Author of DNS and BIND and other DNS-y books. Frequent speaker and occasional Tweeter @cricketondns.
What if I told you there was a little-known mechanism you could use to identify devices infected with malware and then use it to cut those infected devices off from malware command-and-control servers? What if I also told you that you could use this mechanism to prevent users from accidentally accessing malicious sites? A tool that doesn’t require additional hardware or software and that takes advantage of infrastructure you already have on your network. Sound too good to be true?
Well believe it, baby: It’s real! Response Policy Zones are one of the hottest things to emerge from the world of the Domain Name System since…well, maybe ever.
RPZ: A Brief History
First, let me explain that for most of its history, the Domain Name System has had only rudimentary security mechanisms. The administrator of a DNS server could control which computers could query the server and which could update it, but not much more. And the bad guys used DNS for their own nefarious purposes — to lure unsuspecting users to familiar-looking but malicious websites that would infect their devices, for example, or to enable malware to look up the current address of a command-and-control server.
For more than 25 years, there was no easy way to say, “If a device tries to look up the address of this domain name, which I know is malicious, then don’t reply with the right answer.” That’s truly staggering when you think about it: There was no way to control what you might call “resolution policy.”
This changed in 2010 when Paul Vixie, one of the Grand Old Men of the Internet (OK, he’s not much older than I am, but I’m getting old, too) published a manifesto titled “Taking Back the DNS.” In it, he described a new mechanism that he and his colleague Vernon Schryver had developed at the Internet Systems Consortium: Response Policy Zones.
Putting RPZs To Use
As the name suggests, RPZs are zones, the basic administrative containers of the DNS. Normally, a zone contains resource records that map domain names to IP addresses, mail servers and the like. An RPZ, by contrast, contains special-looking records that the recursive name server interprets as rules applied to the responses it sends. Those rules can say things like: