DNS RPZ: A DNS Firewall to filter Sites and Users

Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
"The best Linux newsletter on the web"

Hello flocks, today we are going to learn some DNS stuffs. We all know about what’s a DNS, how DNS works, its types, etc. So, wrap things up and let’s dive into our today’s topic about DNS Response Policy Zone (RPZ).

To view our other topics on DNS server please visit here.

What is RPZ?

DNS Response Policy Zone (RPZ) is a DNS zone which enables DNS administrators to customize policy in DNS servers, so that the server returns modified answers to Client’s DNS queries. In other words, RPZ   provides a way to alter a DNS response in real time. It can be used to modify potentially unsafe DNS Data to block communication or provide local data to redirect to a “walled garden”. As we can alter query response or block any domain using RPZ it is also known as DNS firewall.

Like any other DNS Zone, RPZ consists of different Resource Records (RR) Sets. Rather than SOA, NS and DNSSEC records, all other RRs contains a trigger and an action for the trigger.

Triggers configured to rewrite DNS queries based on:

  • IP Address/Subnet (RPZ-IP)
  • Hostname/Domain (QNAME)
  • Nameserver Name/Domain (RPZ-NSDNAME)
  • Nameserver Address/Subnet (RPZ-NSIP)
  • Client IP (RPZ-CLIENT-IP)

Policy Actions are as below

  • “NXDOMAIN” Action (CNAME .)
  • “NODATA” Action (CNAME *.)
  • “PASSTHRU” Action (CNAME rpz-passthru.)
  • “DROP” Action (CNAME rpz-drop.)
  • “TCP-Only” Action (CNAME rpz-tcp-only.)
  • “Local Data” Action (arbitrary RR types)

RPZ Applications:

DNS RPZ has different application and use cases. Examples:

  • Block Malware and phishing websites
  • Block Ads
  • Rewrite any domain RR and provide custom DNS Data
  • Block a set of Internet user’s traffic and land their requests to a walled-garden

In this article we are going to learn how to configure RPZ in BIND9, block a domain for all user and redirect some users to a walled-garden.

Install BIND9 and Configure RPZ:

Let’s install a BIND9 Caching DNS Server on Debian Linux.

# apt-get update
# apt-get install -y bind9

Enable and Start bind9 service

# systemctl enable bind9.service
# systemctl start bind9.service
# systemctl status bind9.service


Our Server has address configured on its physical interface. Now check BIND9 listening status

# netstat -lntup | grep -E "PID|named"


We see BIND9 is listening on both  IPv4 and IPv6 address families for all interfaces. To operate BIND9 on IPv4 only change startup option in /etc/default/bind9 file

OPTIONS="-4 -u bind"

Restart bind9 service

# systemctl restart bind9.service

Backup default options file

# cp /etc/bind/named.conf.options /etc/bind/named.conf.options.ori

Add RPZ configuration directives under BIND9 main options and zone names in the /etc/bind/named.conf.options file

response-policy { zone "rpz"; };

We can also add multiple zones in the response-policy directive as follows

response-policy { 
zone "rpz1";
zone "rpz2";

Now define the zone properties

zone "rpz" {
type master;
file "rpz.local";
allow-query { localhost; };
allow-update { none; };

Now suppose we would like to block a Domain due to Malware activity or may be a Ads site or it may directed by regulatory authority to block the site. In this example, we are blocking “youtube.com“. Create rpz.local file in default directory for BIND9 including below content

$TTL 60
@ IN SOA localhost. root.localhost. (
2022012801 ; serial
1h ; refresh
30m ; retry
1w ; expiry
30m) ; minimum

IN NS ns1.example.com.
IN NS ns2.example.com.

youtube.com 30 IN CNAME .
*.youtube.com 30 IN CNAME .

Restart BIND9 service

# systemctl restart bind9.service

In above configuration directives we have defined “NXDOMAIN” Policy Actions for the domain “youtube.com“. Now if we try to browse from our workstation we will not be able to browse the site and it will return NXDOMAIN message in browser

In the next example,  we will redirect “btcl.com.bd” users to a walled-garden by means of RPZ. It will show a message to the users by providing local data in DNS query. To achieve that we will have to write RRs as follows

btcl.com.bd      30    IN    A
*.btcl.com.bd 30 IN A

Note: We have a webserver running on and it will provide custom message to the users.

Restart BIND9 service.

Browsing the website “http://btcl.com.bd” results below message

Block payment defaulted customer’s using RPZ

In this example, we are going to redirect all users with outstanding balance to a walled-garden to show a message to pay their dues.

We have a user with IP address which failed to pay bills. To redirect all requests for the user to a wall-garden webserver we will configure the rpz.local file as follows    30    IN    A

Note: defines the host IP in CIDR notation If you like to block a subnet then it should present as

Restart BIND9 service.

Browsing from regular client

Browsing from wall-gardened client




Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
"The best Linux newsletter on the web"
Unix/Linux Guru and FOSS supporter


Please enter your comment!
Please enter your name here

Latest articles

Join us on Facebook