Filtering traffic by DNS name and IP address

What About DNSSEC?

Hang on, isn't DNSSEC supposed to prevent people from fiddling with and spoofing DNS replies? By default, RPZ will not intercept queries with the DNSSEC flag set, which right now isn't a huge problem, because very few domains use DNSSEC. However, as bad guys start to use DNSSEC, you'll probably want to block them as well. To override this, set the break-dnssec option to yes in the RPZ definition in named.conf [3].

For clients enforcing DNSSEC in replies, you won't be able to create arbitrary replies and redirect them to a walled garden server, but you can achieve the same effect of NXDOMAIN or NODATA because the client will treat the data as bad and not connect. However, the user may see some errors.


Filtering traffic based on DNS name, servers, and IP addresses can be extremely efficient in blocking bad stuff, especially as it covers all protocols (e.g., HTTP, HTTPS, mail, etc.). It also solves the problem of devices onto which you can't easily load adblock or other filtering software. On the flip side, if those devices are used on another network, they may be exposed to malware and such.

Next month, I'll talk about logging DNS queries and replies in order to collect data so that you know what to block and can see whether anything malicious has gotten inside your network.


  1. Building DNS firewalls with Response Policy Zones (RPZ):
  2. DNS Response Policy Zones:
  3. BIND 9 configuration reference:

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Local DNS with Unbound

    You don't have to be satisfied with your ISP's slow and cumbersome DNS server. Your own Unbound server could improve performance as well as security.

  • Security Lessons: Logging DNS Replies

    Logging DNS replies can prove very useful. Kurt explains how to capture the data and keep it forever.

  • Security Lessons: DNSSEC

    One of the largest holes in the Internet is finally plugged.


    Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution service.

  • Bind 10 Test Drive

    Admins have waited all of five years for the 10th major release of the Bind name server, which appeared at the end of March this year. The latest release is a complete rewrite of the DNS server, with a modular design and new configuration tools, but is it ready for business?

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95