
Planisys Blog


What is DNS-RPZ

Published on March 4, 2025


At Planisys we sell cybersecurity DNS resolvers with RPZ, alongside authoritative servers, on hybrid infrastructures with DoT, DoH, encrypted zone transfers, and more.

But RPZ is commonly thought of as nothing more than a list of bad domains: domains blocked by court order in different countries, family-protection filtering, or enforcement of corporate acceptable use policies.

Yet there is much more to it, and we intend to expose it in our control panel to squeeze the maximum out of its potential.

🚫 How Does RPZ Block Domains?


1️⃣ NXDOMAIN: The "Kill Switch" for Domains
When an RPZ policy action is NXDOMAIN, the resolver answers the client that the domain does not exist, effectively blocking access.

✅ Best for:

🔹 Stopping access completely.
🔹 Preventing malicious redirects.
🔹 Ensuring that even cached responses become invalid.

2️⃣ RPZ-PASSTHRU: Exception Handling & Whitelisting

The RPZ-PASSTHRU directive allows specific domains to bypass RPZ filtering.
📌 Example: Allow safe.example.com while blocking example.com

✅ Best for:
🔹 Allowing exceptions for legitimate subdomains.
🔹 Preventing over-blocking and false positives.
🔹 Useful in corporate environments where internal domains share a TLD with blocked domains.

3️⃣ FORWARDING (Redirection to a Safe Page)

Instead of outright blocking, RPZ can redirect users to a controlled domain for further instructions.
📌 Example: Redirect blocked-site.com to safe-warning.page
✅ Best for:
🔹 Displaying custom warning pages.
🔹 Informing users about policy violations.
🔹 Redirecting to security education resources.
🔹 Working around persistent SERVFAILs, lame or broken delegations, and similar problems.

4️⃣ BLOCKING BASED ON DELEGATION (TLD & Subdomains)

RPZ can block entire TLDs, subdomains, or any domain that is delegated to malicious nameservers.
📌 Example: Block all domains served by badnameserver.com
✅ Best for:
🔹 Blocking entire infrastructure of malicious actors.
🔹 Stopping newly registered threats that use the same nameservers before they appear on any blocklist.
🔹 Preventing abuse from dynamic and disposable domains.


🔍 Additional RPZ Features for Advanced Control

🔹 Blocking IPs: Prevent users from resolving names whose answers point at specific bad IPs.
🔹 Throttling Queries: Rate-limit suspicious queries.
🔹 Time-Based Policies: Apply filtering dynamically with TTL rules.
🔹 Blocking by CIDR: Massively infected hosting providers can be blocked by CIDR, which catches every name that resolves to an IP inside the blocked range.
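The four actions above (NXDOMAIN, PASSTHRU, redirect to a warning page, blocking by delegation) and the response-IP/CIDR triggers in this list all live in the same RPZ zone, and the order in which a resolver evaluates them decides the outcome. The following is an added example, not Planisys code and not part of BIND: it embeds a constructed RPZ zone in BIND syntax (the `rpz.planisys-example.` origin, `safe-warning.page`, `badnameserver.com` and the documentation prefixes 203.0.113.0/24 and 192.0.2.4/32 are illustrative values) and runs a simplified evaluator over it, following the BIND order of QNAME triggers first, then NSDNAME, then response IP with longest prefix winning.

```python
"""Toy RPZ policy evaluator (added example, not BIND and not a Planisys product).
Parses a constructed RPZ zone written in BIND zone syntax and applies the
QNAME, NSDNAME (delegation) and rpz-ip (response address / CIDR) triggers."""
import ipaddress

# Constructed example zone: owner names are relative to $ORIGIN, the action is
# encoded in the CNAME target exactly as in a real RPZ zone.
RPZ_ZONE = """
$ORIGIN rpz.planisys-example.
; 1) NXDOMAIN: CNAME to "." makes the resolver answer "this name does not exist"
example.com                     CNAME .
*.example.com                   CNAME .
; 2) PASSTHRU exception: the closest (longest) QNAME match wins over *.example.com
safe.example.com                CNAME rpz-passthru.
; 3) Redirect to a controlled warning page instead of blocking outright
blocked-site.com                CNAME safe-warning.page.
*.blocked-site.com              CNAME safe-warning.page.
; 4) Delegation trigger: any name served by badnameserver.com nameservers
badnameserver.com.rpz-nsdname   CNAME .
*.badnameserver.com.rpz-nsdname CNAME .
; 5) Response-IP triggers: prefix length first, then the octets reversed
;    (203.0.113.0/24 blocks a whole hosting range, 192.0.2.4/32 a single host)
24.0.113.0.203.rpz-ip           CNAME .
32.4.2.0.192.rpz-ip             CNAME .
"""

SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                   "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}


def decode_action(target):
    """Map the CNAME target of an RPZ record to its policy action."""
    return SPECIAL_TARGETS.get(target, "CNAME " + target.rstrip("."))


def decode_ip_trigger(label):
    """'24.0.113.0.203' -> 203.0.113.0/24 (prefix length, then reversed octets)."""
    prefix, *reversed_octets = label.split(".")
    return ipaddress.ip_network(".".join(reversed(reversed_octets)) + "/" + prefix)


def parse_rpz(text):
    """Return {'qname': [(name, action)], 'nsdname': [...], 'ip': [(network, action)]}."""
    policy = {"qname": [], "nsdname": [], "ip": []}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("$ORIGIN"):
            continue
        owner, rtype, target = line.split()
        if rtype != "CNAME":
            raise ValueError("only CNAME policy records are modelled here")
        owner = owner.rstrip(".").lower()
        action = decode_action(target)
        if owner.endswith(".rpz-ip"):
            policy["ip"].append((decode_ip_trigger(owner[:-len(".rpz-ip")]), action))
        elif owner.endswith(".rpz-nsdname"):
            policy["nsdname"].append((owner[:-len(".rpz-nsdname")], action))
        else:
            policy["qname"].append((owner, action))
    return policy


def match_name(name, rules):
    """Closest-match lookup: the exact owner first, then wildcard ancestors.
    A '*.parent' rule matches subdomains of parent but not parent itself."""
    table = dict(rules)
    labels = name.rstrip(".").lower().split(".")
    candidates = [".".join(labels)] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in table:
            return cand, table[cand]
    return None


def evaluate(qname, policy, upstream):
    """upstream = {'ns': [delegation nameservers], 'ips': [answer addresses]} as the
    resolver would learn them during recursion. A QNAME hit (including PASSTHRU)
    ends evaluation; otherwise NSDNAME is checked, then response IPs."""
    hit = match_name(qname, policy["qname"])
    if hit:
        return hit[1]
    for ns in upstream.get("ns", []):
        hit = match_name(ns, policy["nsdname"])
        if hit:
            return hit[1]
    best = None                                   # longest prefix wins among rpz-ip rules
    for addr in upstream.get("ips", []):
        ip = ipaddress.ip_address(addr)
        for net, action in policy["ip"]:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, action)
    return best[1] if best else "NO-POLICY"


if __name__ == "__main__":
    pol = parse_rpz(RPZ_ZONE)
    for q, up in [("www.example.com", {}),
                  ("safe.example.com", {"ips": ["203.0.113.7"]}),
                  ("blocked-site.com", {}),
                  ("fresh-domain.net", {"ns": ["ns1.badnameserver.com"], "ips": ["198.51.100.9"]}),
                  ("innocent.org", {"ns": ["ns.innocent.org"], "ips": ["203.0.113.20"]}),
                  ("clean.org", {"ns": ["ns.clean.org"], "ips": ["198.51.100.9"]})]:
        print(f"{q:20} -> {evaluate(q, pol, up)}")
```

Two points worth noticing when you run it: `safe.example.com` stays PASSTHRU even though its address falls inside the blocked 203.0.113.0/24, because the QNAME exception is decided before recursion and ends policy processing; and `fresh-domain.net` is blocked although it appears nowhere in the zone, purely because it is delegated to `badnameserver.com`. In BIND such a zone is attached to the resolver with a `response-policy { zone "rpz.planisys-example."; };` statement in `named.conf`.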

🔹 Are you using RPZ in your environment?
🔹 What challenges have you faced when implementing DNS filtering?