By now, you may have heard that Infoblox has released our DNS Firewall product, which is powered by Response Policy Zones (RPZs). In my last posting, I described what RPZs are generally, but in this posting, I’d like to discuss what distinguishes Infoblox’s DNS Firewall from plain-vanilla RPZ support.
First, to get the most bang from RPZs, you want them configured on all of your local recursive name servers. That normally means configuring every recursor as a secondary for each RPZ, and possibly coming up with a tiered zone transfer arrangement so that only one of your secondaries transfers the RPZs from the provider, while the rest use that secondary as their master. That’s not particularly complicated, but the setup is a little onerous: each recursor needs its own zone statement, transfer ACL and TSIG key, and each new recursor means touching the configuration again.
Infoblox’s Grid makes this setup simple: Configure a secondary, specify the IP address and TSIG key of the master, and then add “All Recursive Name Servers” as additional secondaries. Done! The Grid will redistribute the RPZ data from the “distribution secondary” to the rest.
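For readers doing this by hand on BIND, here is what the two-tier layout described above looks like in named.conf. This is an added example, not configuration from the post or from Infoblox; the provider address (192.0.2.10), the key name and secret, the zone name rpz.provider.example and the internal addresses (10.0.0.x) are placeholders.

```conf
// Added example, not from the post or Infoblox: BIND 9 named.conf fragments for
// a two-tier RPZ distribution. Provider address, key, zone name and internal
// addresses are placeholders.

// ---- Distribution secondary: the only server that talks to the provider ----
key "provider-rpz-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWtleS1tYXRlcmlhbC1nb2VzLWhlcmU=";   // placeholder, not a real key
};

acl "internal-recursors" { 10.0.0.0/24; };

zone "rpz.provider.example" {
    type secondary;                                  // "type slave" on BIND before 9.14
    masters { 192.0.2.10 key "provider-rpz-key"; };  // TSIG-signed transfer from the provider
    file "secondary/rpz.provider.example";
    allow-transfer { internal-recursors; };          // serve the zone on to your own recursors
    notify explicit;                                 // don't NOTIFY the provider's NS set...
    also-notify { 10.0.0.2; 10.0.0.3; };             // ...do NOTIFY your recursors right away
};

// ---- Every other recursor: transfer from the distribution secondary ----
zone "rpz.provider.example" {
    type secondary;
    masters { 10.0.0.1; };                           // the distribution secondary, not the provider
    file "secondary/rpz.provider.example";
    allow-transfer { none; };
};

// ---- Every recursor, the distribution secondary included ----
options {
    // other options omitted
    response-policy { zone "rpz.provider.example"; };
};
```

Two things to check once this is in place. First, confirm that every recursor is actually carrying the current copy of the zone (rndc zonestatus rpz.provider.example on each one should show the same serial as the distribution secondary); without the also-notify list, the second tier only learns about updates at the SOA refresh interval, because the zone’s NS records name the provider’s servers, not yours. Second, remember that the distribution secondary is now a single point of failure for feed updates: if it goes down, the other recursors keep enforcing whatever copy they last transferred until the SOA expire timer runs out, after which they stop serving the zone and the policy silently disappears. Signing the internal transfers with their own TSIG key, as the provider transfer is signed here, is also worth doing so that a spoofed master on your network cannot feed your recursors a bogus policy zone.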
Second, it’d be nice to have an intuitive GUI for viewing and managing RPZ data. No one should have to craft RPZ rules by hand. What does
www.malware.org IN CNAME .
mean, anyway? (For the record: in an RPZ, the owner name is written relative to the policy zone’s origin and is the trigger, and a CNAME whose target is the root, “.”, is the encoding for “answer NXDOMAIN.” So that rule says “respond NXDOMAIN to queries for www.malware.org.” A CNAME to “*.” means NODATA instead, and CNAMEs to rpz-passthru., rpz-drop. and rpz-tcp-only. select those actions.) Our GUI will interpret that for you into something intelligible. And if you need to override that rule, we make that easy, too.
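To show what such a GUI has to decode, here is a small interpreter that turns the records of an RPZ zone into plain-language trigger/action pairs. It is an added example, not Infoblox code or the DNS Firewall’s own logic; the zone contents in SAMPLE_RPZ, the addresses and the names in it are constructed for illustration. It goes a little beyond the CNAME-to-root case above and also decodes the other encoded actions and the rpz-ip, rpz-client-ip, rpz-nsdname and rpz-nsip trigger forms.

```python
"""Turn RPZ records into plain-language rules.

Added example, not Infoblox code: interprets the records of an RPZ zone the
way a GUI would have to. The zone, names and addresses in SAMPLE_RPZ are
constructed for illustration.
"""
import ipaddress
import re

# Encoded actions: the CNAME target selects the policy action.
SPECIAL_ACTIONS = {
    ".": "NXDOMAIN (deny that the name exists)",
    "*.": "NODATA (name exists, but the answer is empty)",
    "rpz-passthru.": "PASSTHRU (exempt from policy)",
    "rpz-drop.": "DROP (send no response at all)",
    "rpz-tcp-only.": "TCP-ONLY (truncate; client must retry over TCP)",
}

# Trigger types other than QNAME are encoded as a reserved last label.
TRIGGER_SUFFIXES = {
    "rpz-client-ip": "client IP",
    "rpz-ip": "response IP",
    "rpz-nsdname": "name server name",
    "rpz-nsip": "name server IP",
}

# owner [ttl] [IN] type rdata   (comments are stripped before matching)
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<rtype>[A-Z]+)\s+(?P<rdata>\S.*)$"
)

def decode_prefix(labels):
    """'24.0.2.0.192' -> 192.0.2.0/24; '128.1.zz.db8.2001' -> 2001:db8::1/128.

    RPZ encodes an address as prefix length followed by the address groups in
    reverse order; in IPv6 the label 'zz' stands for '::'.
    """
    parts = labels.split(".")
    prefix = int(parts[0])
    groups = list(reversed(parts[1:]))
    if len(groups) == 4 and all(g.isdigit() for g in groups):
        return ipaddress.ip_network(f"{'.'.join(groups)}/{prefix}", strict=False)
    text = ":".join("" if g == "zz" else g for g in groups)
    if groups[0] == "zz":
        text = ":" + text
    if groups[-1] == "zz":
        text += ":"
    return ipaddress.ip_network(f"{text}/{prefix}", strict=False)

def describe_trigger(owner):
    """Say what a rule's owner name (relative to the RPZ origin) matches."""
    owner = owner.rstrip(".")
    for suffix, kind in TRIGGER_SUFFIXES.items():
        if owner.endswith("." + suffix):
            head = owner[: -(len(suffix) + 1)]
            if suffix == "rpz-nsdname":
                return f"{kind} is {head}"
            return f"{kind} within {decode_prefix(head)}"
    if owner.startswith("*."):
        # A wildcard covers subdomains only; the apex needs its own rule.
        return f"query name is under {owner[2:]}"
    return f"query name is {owner}"

def describe_action(rtype, rdata):
    """Say what the policy does when the trigger matches."""
    if rtype == "CNAME":
        return SPECIAL_ACTIONS.get(rdata, f"redirect (CNAME) to {rdata}")
    return f"answer with local data: {rtype} {rdata}"

def interpret(line):
    """Return (trigger, action) for one RPZ resource record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a resource record: {line!r}")
    return describe_trigger(m["owner"]), describe_action(m["rtype"], m["rdata"].strip())

def interpret_zone(text):
    """Interpret every record in zone-file text, skipping comments and directives."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue  # blank line or $TTL/$ORIGIN directive
        rules.append(interpret(line))
    return rules

# Constructed sample rules; owner names are relative to the RPZ zone origin.
SAMPLE_RPZ = """\
$TTL 300
www.malware.org           IN CNAME .
*.malware.org             IN CNAME .
tracker.example.net       IN CNAME *.
phish.example.com         IN CNAME walledgarden.corp.example.
cnc.example               IN A     10.0.0.50     ; constructed sinkhole address
24.0.2.0.192.rpz-ip       IN CNAME rpz-drop.
128.1.zz.db8.2001.rpz-ip  IN CNAME .
ns.bad-hoster.example.rpz-nsdname IN CNAME .
24.0.0.0.10.rpz-client-ip IN CNAME rpz-passthru.
"""

if __name__ == "__main__":
    for trigger, action in interpret_zone(SAMPLE_RPZ):
        print(f"if {trigger}: {action}")
```

Two details the interpreter makes visible are worth keeping in mind when you override a rule. A wildcard owner such as *.malware.org matches subdomains only, so blocking a domain and everything under it takes two records; and a PASSTHRU rule keyed on rpz-client-ip is how you exempt, say, a security team’s subnet from the feed without editing the provider’s zone, which is exactly the kind of local override that gets lost if it is hand-edited into a zone that the next transfer overwrites.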
Finally, who can you trust as a source for RPZ data? Well, there are lots of good providers around, and our DNS Firewall will work with any of them that deliver standard, RPZ-format zones. But if you’d like a good, commercial-caliber feed, we can provide that to you directly.