[RPZ] RPZ seen at MAAWG

Marc Evans marc.evans at umbradata.com
Wed Oct 6 15:24:16 UTC 2010 

On 10/6/10 10:54 AM, Eric Ziegast wrote:
> #### ISC does not publish any RPZ or give perception of publishing
> 
>  2.2. The remainder of the zone is expressions of DNS policy.
>    The owner name of a Response Policy Zone resource record set
>    (RRset) is the relativised name of the domain name about which
>    policy is being expressed.  For example, in a policy zone called
>    RPZ.ISC.ORG, an RRset at WWW.VIX.COM.RPZ.SIE.ISC.ORG would affect
>    responses to lookups of WWW.VIX.COM.  DNS RPZ RRset owner names
>    can be wildcarded according to normal rules, for example
>    *.VIX.COM.RPZ.ISC.ORG would affect responses for any subdomain of
>    VIX.COM.  This means that in order to affect both a domain and
>    its subdomains, policy must be entered for both that domain and
>    its wildcard subdomain.
> 
> Let's find something else beside ISC.ORG.  With Jeff's blassing, maybe
> we can use SURBL here or some other willing participant (eg: just
> RPZ.VIX.COM or some other straw-man domain).

The suggestion of using example.com/net/org I believe is on target.

> #### SuperWildcard
> 
> The limitation of wildcard records could be an issue.  I one lists:
>    mecom.ae.@ IN A .
>    *.mecom.ae.@ IN A .
> 
> How does one take care of www.qatar.mecom.ae without specifically
> listing *.qatar.mecom.ae in the zone?  Do we need a Super Wildcard
> capability in zone file specifications that matches all sub-domains?
> not just the current level?

I cringe to some extent to think about processing overhead of those.
That said, I could be swayed that benefit outweighs cost.

> If you plan on creating an RPZ, let the list know.  SURBL has a beta
> for people to test.  We'd like to see more.

We at Umbra Data have a few zones available for early adopters to use
and give us feedback. Please email if you are interested. The lists are
botnet command and control oriented and support both draft 2 _ip4/_ip6
and draft 1 fqdn contents (ns likely being added soon too). There zones
available are inspect.c2.rpz.umbradata.com. block.c2.rpz.umbradata.com
and hh.c2.rpz.umbradata.com. The "hh" zone will contain what we consider
to be our hellish-hundred. Block is probably the most interesting. The
alert zone would only be interesting to you if you have your own
resolver that allows you to define policy other then disrupting traffic
as the contents of this zone if not looked at with application-layer
detail will have false-positives.

Let me be up-front on our plans here. The hh zone we intend to be free
forever. The block and inspect zones we do intend to be commercial,
though for early adapters that provide mutually beneficial feedback, we
probably will find a way to waive fees. As a young startup, you can
imagine that revenue is critical, though that can be said about many
people's situations, I am certain.

- Marc

More information about the DNSfirewalls mailing list