diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:59:48 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:59:48 +0000 |
commit | 3b9b6d0b8e7f798023c9d109c490449d528fde80 (patch) | |
tree | 2e1c188dd7b8d7475cd163de9ae02c428343669b /doc/arm/rpz.inc.rst | |
parent | Initial commit. (diff) | |
download | bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.tar.xz bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.zip |
Adding upstream version 1:9.18.19.upstream/1%9.18.19upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/arm/rpz.inc.rst')
-rw-r--r-- | doc/arm/rpz.inc.rst | 786 |
1 files changed, 786 insertions, 0 deletions
diff --git a/doc/arm/rpz.inc.rst b/doc/arm/rpz.inc.rst new file mode 100644 index 0000000..1834954 --- /dev/null +++ b/doc/arm/rpz.inc.rst @@ -0,0 +1,786 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. highlight:: none + +.. dns_firewalls_rpz: + +DNS Firewalls and Response Policy Zones +--------------------------------------- + +A DNS firewall examines DNS traffic and allows some responses to pass +through while blocking others. This examination can be based on several +criteria, including the name requested, the data (such as an IP address) +associated with that name, or the name or IP address of the name server +that is authoritative for the requested name. Based on these criteria, a +DNS firewall can be configured to discard, modify, or replace the original +response, allowing administrators more control over what systems can access +or be accessed from their networks. + +DNS Response Policy Zones (RPZ) are a form of DNS firewall in which the +firewall rules are expressed within the DNS itself - encoded in an open, +vendor-neutral format as records in specially constructed DNS zones. + +Using DNS zones to configure policy allows policy to be shared from +one server to another using the standard DNS zone transfer mechanism. +This allows a DNS operator to maintain their own firewall policies and +share them easily amongst their internal name servers, or to subscribe to +external firewall policies such as commercial or cooperative "threat +feeds," or both. + +:iscman:`named` can subscribe to up to 64 Response Policy Zones, each of which +encodes a separate policy rule set. Each rule is stored in a DNS resource +record set (RRset) within the RPZ, and consists of a **trigger** and an +**action**. There are five types of triggers and six types of actions. + +A response policy rule in a DNS RPZ can be triggered as follows: + +- by the IP address of the client +- by the query name +- by an address which would be present in a truthful response +- by the name or address of an authoritative name server responsible for + publishing the original response + +A response policy action can be one of the following: + +- to synthesize a "domain does not exist" (NXDOMAIN) response +- to synthesize a "name exists but there are no records of the requested + type" (NODATA) response +- to drop the response +- to switch to TCP by sending a truncated UDP response that requires the + DNS client to try again with TCP +- to replace/override the response's data with specific data (provided + within the response policy zone) +- to exempt the response from further policy processing + +The most common use of a DNS firewall is to "poison" a domain name, IP +address, name server name, or name server IP address. Poisoning is usually +done by forcing a synthetic "domain does not exist" (NXDOMAIN) response. +This means that if an administrator maintains a list of known "phishing" +domains, these names can be made unreachable by customers or end users just +by adding a firewall policy into the recursive DNS server, with a trigger +for each known "phishing" domain, and an action in every case forcing a +synthetic NXDOMAIN response. It is also possible to use a data-replacement +action such as answering for these known "phishing" domains with the name +of a local web server that can display a warning page. Such a web server +would be called a "walled garden." + +.. note:: + + Authoritative name servers can be responsible for many different domains. + If DNS RPZ is used to poison all domains served by some authoritative + name server name or address, the effects can be quite far-reaching. Users + are advised to ensure that such authoritative name servers do not also + serve domains that should not be poisoned. + +.. _why_dns_firewall: + +Why Use a DNS Firewall? +~~~~~~~~~~~~~~~~~~~~~~~ + +Criminal and network abuse traffic on the Internet often uses the Domain +Name System (DNS), so protection against these threats should include DNS +firewalling. A DNS firewall can selectively intercept DNS queries for +known network assets including domain names, IP addresses, and name +servers. Interception can mean rewriting a DNS response to direct a web +browser to a "walled garden," or simply making any malicious network assets +invisible and unreachable. + +.. _what_dns_firewalls_do: + +What Can a DNS Firewall Do? +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Firewalls work by applying a set of rules to a traffic flow, where each +rule consists of a trigger and an action. Triggers determine which messages +within the traffic flow are handled specially, and actions determine what +that special handling is. For a DNS firewall, the traffic flow to be +controlled consists of responses sent by a recursive DNS server to its +end-user clients. Some true responses are not safe for all clients, so the +policy rules in a DNS firewall allow some responses to be intercepted and +replaced with safer content. + +.. _rpz_rule_sets: + +Creating and Maintaining RPZ Rule Sets +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In DNS RPZ, the DNS firewall policy rule set is stored in a DNS zone, which +is maintained and synchronized using the same tools and methods as for any +other DNS zone. The primary name server for a DNS RPZ may be an internal +server, if an administrator is creating and maintaining their own DNS +policy zone, or it may be an external name server (such as a security +vendor's server), if importing a policy zone published externally. The +primary copy of the DNS firewall policy can be a DNS "zone file" which is +either edited by hand or generated from a database. A DNS zone can also be +edited indirectly using DNS dynamic updates (for example, using the +"nsupdate" shell level utility). + +DNS RPZ allows firewall rules to be expressed in a DNS zone format and then +carried to subscribers as DNS data. A recursive DNS server which is capable +of processing DNS RPZ synchronizes these DNS firewall rules using the same +standard DNS tools and protocols used for secondary name service. The DNS +policy information is then promoted to the DNS control plane inside the +customer's DNS resolver, making that server into a DNS firewall. + +A security company whose products include threat intelligence feeds can use +a DNS Response Policy Zone (RPZ) as a delivery channel to customers. +Threats can be expressed as known-malicious IP addresses and subnets, +known-malicious domain names, and known-malicious domain name servers. By +feeding this threat information directly into customers' local DNS +resolvers, providers can transform these DNS servers into a distributed DNS +firewall. + +When a customer's DNS resolver is connected by a realtime subscription to a +threat intelligence feed, the provider can protect the customer's end users +from malicious network elements (including IP addresses and subnets, domain +names, and name servers) immediately as they are discovered. While it may +take days or weeks to "take down" criminal and abusive infrastructure once +reported, a distributed DNS firewall can respond instantly. + +Other distributed TCP/IP firewalls have been on the market for many years, +and enterprise users are now comfortable importing real-time threat +intelligence from their security vendors directly into their firewalls. +This intelligence can take the form of known-malicious IP addresses or +subnets, or of patterns which identify known-malicious email attachments, +file downloads, or web addresses (URLs). In some products it is also +possible to block DNS packets based on the names or addresses they carry. + +.. _rpz_limitations: + +Limitations of DNS RPZ +~~~~~~~~~~~~~~~~~~~~~~ + +We're often asked if DNS RPZ could be used to set up redirection to a CDN. +For example, if "mydomain.com" is a normal domain with SOA, NS, MX, TXT +records etc., then if someone sends an A or AAAA query for "mydomain.com", +can we use DNS RPZ on an authoritative nameserver to return "CNAME +mydomain.com.my-cdn-provider.net"? + +The problem with this suggestion is that there is no way to CNAME only A +and AAAA queries, not even with RPZ. + +The underlying reason is that if the authoritative server answers with a +CNAME, the recursive server making that query will cache the response. +Thereafter (while the CNAME is still in cache), it assumes that there are +no records of any non-CNAME type for the name that was being queried, and +directs subsequent queries for all other types directly to the target name +of the CNAME record. + +To be clear, this is not a limitation of RPZ; it is a function of the way +the DNS protocol works. It's simply not possible to use "partial" CNAMES to +help when setting up CDNs because doing this will break other functionality +such as email routing. + +Similarly, following the DNS protocol definition, wildcards in the form of +``*.example`` records might behave in unintuitive ways. For a detailed +definition of wildcards in DNS, please see :rfc:`4592`, especially section 2. + +.. _dns_firewall_examples: + +DNS Firewall Usage Examples +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Here are some scenarios in which a DNS firewall might be useful. + +Some known threats are based on an IP address or subnet (IP address range). +For example, an analysis may show that all addresses in a "class C" network +are used by a criminal gang for "phishing" web servers. With a DNS firewall +based on DNS RPZ, a firewall policy can be created such as "if a DNS lookup +would result in an address from this class C network, then answer instead +with an NXDOMAIN indication." That simple rule would prevent any end users +inside customers' networks from being able to look up any domain name used +in this phishing attack – without having to know in advance what those +names might be. + +Other known threats are based on domain names. An analysis may determine +that a certain domain name or set of domain names is being or will shortly +be used for spamming, phishing, or other Internet-based attacks which all +require working domain names. By adding name-triggered rules to a +distributed DNS firewall, providers can protect customers' end users from +any attacks which require them to be able to look up any of these malicious +names. The names can be wildcards (for example, \*.evil.com), and these +wildcards can have exceptions if some domains are not as malicious as +others (if \*.evil.com is bad, then not.evil.com might be an exception). + +Alongside growth in electronic crime has come growth of electronic criminal +expertise. Many criminal gangs now maintain their own extensive DNS +infrastructure to support a large number of domain names and a diverse set +of IP addressing resources. Analyses show in many cases that the only truly +fixed assets criminal organizations have are their name servers, which are +by nature slightly less mobile than other network assets. In such cases, +DNS administrators can anchor their DNS firewall policies in the abusive +name server names or name server addresses, and thus protect their +customers' end users from threats where neither the domain name nor the IP +address of that threat is known in advance. + +Electronic criminals rely on the full resiliency of DNS just as the rest of +digital society does. By targeting criminal assets at the DNS level we can +deny these criminals the resilience they need. A distributed DNS firewall +can leverage the high skills of a security company to protect a large +number of end users. DNS RPZ, as the first open and vendor-neutral +distributed DNS firewall, can be an effective way to deliver threat +intelligence to customers. + +A Real-World Example of DNS RPZ's Value +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The Conficker malware worm (https://en.wikipedia.org/wiki/Conficker) was +first detected in 2008. Although it is no longer an active threat, the +techniques described here can be applied to other DNS threats. + +Conficker used a domain generation algorithm (DGA) to choose up to 50,000 +command and control domains per day. It would be impractical to create +an RPZ that contains so many domain names and changes so much on a daily +basis. Instead, we can trigger RPZ rules based on the names of the name +servers that are authoritative for the command and control domains, rather +than trying to trigger on each of 50,000 different (daily) query names. +Since the well-known name server names for Conficker's domain names are +never used by nonmalicious domains, it is safe to poison all lookups that +rely on these name servers. Here is an example that achieves this result: + +:: + + $ORIGIN rpz.example.com. + ns.0xc0f1c3a5.com.rpz-nsdname CNAME *.walled-garden.example.com. + ns.0xc0f1c3a5.net.rpz-nsdname CNAME *.walled-garden.example.com. + ns.0xc0f1c3a5.org.rpz-nsdname CNAME *.walled-garden.example.com. + +The ``*`` at the beginning of these CNAME target names is special, and it +causes the original query name to be prepended to the CNAME target. So if a +user tries to visit the Conficker command and control domain +http://racaldftn.com.ai/ (which was a valid Conficker command and control +domain name on 19-October-2011), the RPZ-configured recursive name server +will send back this answer: + +:: + + racaldftn.com.ai. CNAME racaldftn.com.ai.walled-garden.example.com. + racaldftn.com.ai.walled-garden.example.com. A 192.168.50.3 + +This example presumes that the following DNS content has also been created, +which is not part of the RPZ zone itself but is in another domain: + +:: + + $ORIGIN walled-garden.example.com. + * A 192.168.50.3 + +Assuming that we're running a web server listening on 192.168.50.3 that +always displays a warning message no matter what uniform resource +identifier (URI) is used, the above RPZ configuration will instruct the web +browser of any infected end user to connect to a "server name" consisting +of their original lookup name (racaldftn.com.ai) prepended to the walled +garden domain name (walled-garden.example.com). This is the name that will +appear in the web server's log file, and having the full name in that log +file will facilitate an analysis as to which users are infected with what +virus. + +.. _firewall_updates: + +Keeping Firewall Policies Updated +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +It is vital for overall system performance that incremental zone transfers +(see :rfc:`1995`) and real-time change notification (see :rfc:`1996`) be +used to synchronize DNS firewall rule sets between the publisher's primary +copy of the rule set and the subscribers' working copies of the rule set. + +If DNS dynamic updates are used to maintain a DNS RPZ rule set, the name +server automatically calculates a stream of deltas for use when sending +incremental zone transfers to the subscribing name servers. Sending a +stream of deltas – known as an "incremental zone transfer" or IXFR – is +usually much faster than sending the full zone every time it changes, so +it's worth the effort to use an editing method that makes such incremental +transfers possible. + +Administrators who edit or periodically regenerate a DNS RPZ rule set and +whose primary name server uses BIND can enable the +:any:`ixfr-from-differences` option, which tells the primary name server to +calculate the differences between each new zone and the preceding version, +and to make these differences available as a stream of deltas for use in +incremental zone transfers to the subscribing name servers. This will look +something like the following: + +.. code-block:: c + + options { + // ... + ixfr-from-differences yes; + // ... + }; + +As mentioned above, the simplest and most common use of a DNS firewall is +to poison domain names known to be purely malicious, by simply making them +disappear. All DNS RPZ rules are expressed as resource record sets +(RRsets), and the way to express a "force a name-does-not-exist condition" +is by adding a CNAME pointing to the root domain (``.``). In practice this +looks like: + +:: + + $ORIGIN rpz.example.com. + malicious1.org CNAME . + *.malicious1.org CNAME . + malicious2.org CNAME . + *.malicious2.org CNAME . + +Two things are noteworthy in this example. First, the malicious names are +made relative within the response policy zone. Since there is no trailing +dot following ".org" in the above example, the actual RRsets created within +this response policy zone are, after expansion: + +:: + + malicious1.org.rpz.example.com. CNAME . + *.malicious1.org.rpz.example.com. CNAME . + malicious2.org.rpz.example.com. CNAME . + *.malicious2.org.rpz.example.com. CNAME . + +Second, for each name being poisoned, a wildcard name is also listed. +This is because a malicious domain name probably has or may potentially +have malicious subdomains. + +In the above example, the relative domain names `malicious1.org` and +`malicious2.org` will match only the real domain names `malicious1.org` +and `malicious2.org`, respectively. The relative domain names +`*.malicious1.org` and `*.malicious2.org` will match any +`subdomain.of.malicious1.org` or `subdomain.of.malicious2.org`, +respectively. + +This example forces an NXDOMAIN condition as its policy action, but other +policy actions are also possible. + +.. _multiple_rpz_performance: + +Performance and Scalability When Using Multiple RPZs +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Since version 9.10, BIND can be configured to have different response +policies depending on the identity of the querying client and the nature of +the query. To configure BIND response policy, the information is placed +into a zone file whose only purpose is conveying the policy information to +BIND. A zone file containing response policy information is called a +Response Policy Zone, or RPZ, and the mechanism in BIND that uses the +information in those zones is called DNS RPZ. + +It is possible to use as many as 64 separate RPZ files in a single instance +of BIND, and BIND is not significantly slowed by such heavy use of RPZ. + +(Note: by default, BIND 9.11 only supports up to 32 RPZ files, but this +can be increased to 64 at compile time. All other supported versions of +BIND support 64 by default.) + +Each one of the policy zone files can specify policy for as many +different domains as necessary. The limit of 64 is on the number of +independently-specified policy collections and not the number of zones +for which they specify policy. + +Policy information from all of the policy zones together are stored in a +special data structure allowing simultaneous lookups across all policy +zones to be performed very rapidly. Looking up a policy rule is +proportional to the logarithm of the number of rules in the largest +single policy zone. + +.. _rpz_practical_tips: + +Practical Tips for DNS Firewalls and DNS RPZ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Administrators who subscribe to an externally published DNS policy zone and +who have a large number of internal recursive name servers should create an +internal name server called a "distribution master" (DM). The DM is a +secondary (stealth secondary) name server from the publisher's point of +view; that is, the DM is fetching zone content from the external server. +The DM is also a primary name server from the internal recursive name +servers' point of view: they fetch zone content from the DM. In this +configuration the DM is acting as a gateway between the external publisher +and the internal subscribers. + +The primary server must know the unicast listener address of every +subscribing recursive server, and must enumerate all of these addresses as +destinations for real time zone change notification (as described in +:rfc:`1996`). So if an enterprise-wide RPZ is called "rpz.example.com" and +if the unicast listener addresses of four of the subscribing recursive name +servers are 192.0.200.1, 192.0.201.1, 192.0.202.1, and 192.0.203.1, the +primary server's configuration looks like this: + +.. code-block:: c + + zone "rpz.example.com" { + type primary; + file "primary/rpz.example.com"; + notify explicit; + also-notify { 192.0.200.1; + 192.0.201.1; + 192.0.202.1; + 192.0.203.1; }; + allow-transfer { 192.0.200.1; + 192.0.201.1; + 192.0.202.1; + 192.0.203.1; }; + allow-query { localhost; }; + }; + +Each recursive DNS server that subscribes to the policy zone must be +configured as a secondary server for the zone, and must also be configured +to use the policy zone for local response policy. To subscribe a recursive +name server to a response policy zone where the unicast listener address +of the primary server is 192.0.220.2, the server's configuration should +look like this: + +.. code-block:: c + + options { + // ... + response-policy { + zone "rpz.example.com"; + }; + // ... + }; + + zone "rpz.example.com"; + type secondary; + primaries { 192.0.222.2; }; + file "secondary/rpz.example.com"; + allow-query { localhost; }; + allow-transfer { none; }; + }; + +Note that queries are restricted to "localhost," since query access is +never used by DNS RPZ itself, but may be useful to DNS operators for use in +debugging. Transfers should be disallowed to prevent policy information +leaks. + +If an organization's business continuity depends on full connectivity with +another company whose ISP also serves some criminal or abusive customers, +it's possible that one or more external RPZ providers – that is, security +feed vendors – may eventually add some RPZ rules that could hurt a +company's connectivity to its business partner. Users can protect +themselves from this risk by using an internal RPZ in addition to any +external RPZs, and by putting into their internal RPZ some "pass-through" +rules to prevent any policy action from affecting a DNS response that +involves a business partner. + +A recursive DNS server can be connected to more than one RPZ, and these are +searched in order. Therefore, to protect a network from dangerous policies +which may someday appear in external RPZ zones, administrators should list +the internal RPZ zones first. + + +.. code-block:: c + + options { + // ... + response-policy { + zone "rpz.example.com"; + zone "rpz.security-vendor-1.com"; + zone "rpz.security-vendor-2.com"; + }; + // ... + }; + +Within an internal RPZ, there need to be rules describing the network +assets of business partners whose communications need to be protected. +Although it is not generally possible to know what domain names they use, +administrators will be aware of what address space they have and perhaps +what name server names they use. + +:: + + $ORIGIN rpz.example.com. + 8.0.0.0.10.rpz-ip CNAME rpz-passthru. + 16.0.0.45.128.rpz-nsip CNAME rpz-passthru. + ns.partner1.com.rpz-nsdname CNAME rpz-passthru. + ns.partner2.com.rpz-nsdname CNAME rpz-passthru. + +Here, we know that answers in address block 10.0.0.0/8 indicate a business +partner, as well as answers involving any name server whose address is in +the 128.45.0.0/16 address block, and answers involving the name servers +whose names are ns.partner1.com or ns.partner2.com. + +The above example demonstrates that when matching by answer IP address (the +.rpz-ip owner), or by name server IP address (the .rpz-nsip owner) or by +name server domain name (the .rpz-nsdname owner), the special RPZ marker +(.rpz-ip, .rpz-nsip, or .rpz-nsdname) does not appear as part of the CNAME +target name. + +By triggering these rules using the known network assets of a partner, +and using the "pass-through" policy action, no later RPZ processing +(which in the above example refers to the "rpz.security-vendor-1.com" and +"rpz.security-vendor-2.com" policy zones) will have any effect on DNS +responses for partner assets. + +.. _walled_garden_ip_address: + +Creating a Simple Walled Garden Triggered by IP Address +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +It may be the case that the only thing known about an attacker is the IP +address block they are using for their "phishing" web servers. If the +domain names and name servers they use are unknown, but it is known that +every one of their "phishing" web servers is within a small block of IP +addresses, a response can be triggered on all answers that would include +records in this address range, using RPZ rules that look like the following +example: + +:: + + $ORIGIN rpz.example.com. + 22.0.212.94.109.rpz-ip CNAME drop.garden.example.com. + *.212.94.109.in-addr.arpa CNAME . + *.213.94.109.in-addr.arpa CNAME . + *.214.94.109.in-addr.arpa CNAME . + *.215.94.109.in-addr.arpa CNAME . + +Here, if a truthful answer would include an A (address) RR (resource +record) whose value were within the 109.94.212.0/22 address block, then a +synthetic answer is sent instead of the truthful answer. Assuming the query +is for www.malicious.net, the synthetic answer is: + +:: + + www.malicious.net. CNAME drop.garden.example.com. + drop.garden.example.com. A 192.168.7.89 + +This assumes that `drop.garden.example.com` has been created as real DNS +content, outside of the RPZ: + +:: + + $ORIGIN example.com. + drop.garden A 192.168.7.89 + +In this example, there is no "\*" in the CNAME target name, so the original +query name will not be present in the walled garden web server's log file. +This is an undesirable loss of information, and is shown here for example +purposes only. + +The above example RPZ rules would also affect address-to-name (also +known as "reverse DNS") lookups for the unwanted addresses. If a mail +or web server receives a connection from an address in the example's +109.94.212.0/22 address block, it will perform a PTR record lookup to +find the domain name associated with that IP address. + +This kind of address-to-name translation is usually used for diagnostic or +logging purposes, but it is also common for email servers to reject any +email from IP addresses which have no address-to-name translation. Most +mail from such IP addresses is spam, so the lack of a PTR record here has +some predictive value. By using the "force name-does-not-exist" policy +trigger on all lookups in the PTR name space associated with an address +block, DNS administrators can give their servers a hint that these IP +addresses are probably sending junk. + +.. _known_rpz_inconsistency: + +A Known Inconsistency in DNS RPZ's NSDNAME and NSIP Rules +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Response Policy Zones define several possible triggers for each rule, and +among these two are known to produce inconsistent results. This is not a +bug; rather, it relates to inconsistencies in the DNS delegation model. + +DNS Delegation +^^^^^^^^^^^^^^ + +In DNS authority data, an NS RRset that is not at the apex of a DNS zone +creates a sub-zone. That sub-zone’s data is separate from the current (or +"parent") zone, and it can have different authoritative name servers than +the current zone. In this way, the root zone leads to COM, NET, ORG, and so +on, each of which have their own name servers and their own way of managing +their authoritative data. Similarly, ORG has delegations to ISC.ORG and to +millions of other “dot-ORG” zones, each of which can have its own set of +authoritative name servers. In the parlance of the protocol, these NS +RRsets below the apex of a zone are called “delegation points.” An +NS RRset at a delegation point contains a list of authoritative servers +to which the parent zone is delegating authority for all names at or below +the delegation point. + +At the apex of every zone there is also an NS RRset. Ideally, this +so-called “apex NS RRset” should be identical to the “delegation point NS +RRset” in the parent zone, but this ideal is not always achieved. In the +real DNS, it’s almost always easier for a zone administrator to update one +of these NS RRsets than the other, so that one will be correct and the +other out of date. This inconsistency is so common that it’s been +necessarily rendered harmless: domains that are inconsistent in this way +are less reliable and perhaps slower, but they still function as long as +there is some overlap between each of the NS RRsets and the truth. (“Truth” +in this case refers to the actual set of name servers that are +authoritative for the zone.) + +A Quick Review of DNS Iteration +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +In DNS recursive name servers, an incoming query that cannot be answered +from the local cache is sent to the closest known delegation point for the +query name. For example, if a server is looking up XYZZY.ISC.ORG and it +the name servers for ISC.ORG, then it sends the query to those servers +directly; however, if it has never heard of ISC.ORG before, it must first +send the query to the name servers for ORG (or perhaps even to the root +zone that is the parent of ORG). + +When it asks one of the parent name servers, that server will not have an +answer, so it sends a “referral” consisting only of the “delegation point +NS RRset.” Once the server receives this referral, it “iterates” by sending +the same query again, but this time to name servers for a more specific +part of the query name. Eventually this iteration terminates, usually by +getting an answer or a “name error” (NXDOMAIN) from the query name’s +authoritative server, or by encountering some type of server failure. + +When an authoritative server for the query name sends an answer, it has the +option of including a copy of the zone’s apex NS RRset. If this occurs, the +recursive name server caches this NS RRset, replacing the delegation point +NS RRset that it had received during the iteration process. In the parlance +of the DNS, the delegation point NS RRset is “glue,” meaning +non-authoritative data, or more of a hint than a real truth. On the other +hand, the apex NS RRset is authoritative data, coming as it does from the +zone itself, and it is considered more credible than the “glue.” For this +reason, it’s a little bit more important that the apex NS RRset be correct +than that the delegation point NS RRset be correct, since the former will +quickly replace the latter, and will be used more often for a longer total +period of time. + +Importantly, the authoritative name server need not include its apex NS +RRset in any answers, and recursive name servers do not ordinarily query +directly for this RRset. Therefore it is possible for the apex NS RRset to +be completely wrong without any operational ill-effects, since the wrong +data need not be exposed. Of course, if a query comes in for this NS RRset, +most recursive name servers will forward the query to the zone’s authority +servers, since it’s bad form to return “glue” data when asked a specific +question. In these corner cases, bad apex NS RRset data can cause a zone to +become unreachable unpredictably, according to what other queries the +recursive name server has processed. + +There is another kind of “glue," for name servers whose names are below +delegation points. If ORG delegates ISC.ORG to NS-EXT.ISC.ORG, the ORG +server needs to know an address for NS-EXT.ISC.ORG and return this address +as part of the delegation response. However, the name-to-address binding +for this name server is only authoritative inside the ISC.ORG zone; +therefore, the A or AAAA RRset given out with the delegation is +non-authoritative “glue,” which is replaced by an authoritative RRset if +one is seen. As with apex NS RRsets, the real A or AAAA RRset is not +automatically queried for by the recursive name server, but is queried for +if an incoming query asks for this RRset. + +Enter RPZ +^^^^^^^^^ + +RPZ has two trigger types that are intended to allow policy zone authors to +target entire groups of domains based on those domains all being served by +the same DNS servers: NSDNAME and NSIP. The NSDNAME and NSIP rules are +matched against the name and IP address (respectively) of the nameservers +of the zone the answer is in, and all of its parent zones. In its default +configuration, BIND actively fetches any missing NS RRsets and address +records. If, in the process of attempting to resolve the names of all of +these delegated server names, BIND receives a SERVFAIL response for any of +the queries, then it aborts the policy rule evaluation and returns SERVFAIL +for the query. This is technically neither a match nor a non-match of the +rule. + +Every "." in a fully qualified domain name (FQDN) represents a potential +delegation point. When BIND goes searching for parent zone NS RRsets (and, +in the case of NSIP, their accompanying address records), it has to check +every possible delegation point. This can become a problem for some +specialized pseudo-domains, such as some domain name and network reputation +systems, that have many "." characters in the names. It is further +complicated if that system also has non-compliant DNS servers that silently +drop queries for NS and SOA records. This forces BIND to wait for those +queries to time out before it can finish evaluating the policy rule, even +if this takes longer than a reasonable client typically waits for an answer +(delays of over 60 seconds have been observed). + +While both of these cases do involve configurations and/or servers that are +technically "broken," they may still "work" outside of RPZ NSIP and NSDNAME +rules because of redundancy and iteration optimizations. + +There are two RPZ options, ``nsip-wait-recurse`` and ``nsdname-wait-recurse``, +that alter BIND's behavior by allowing it to use only those records that +already exist in the cache when evaluating NSIP and NSDNAME rules, +respectively. + +Therefore NSDNAME and NSIP rules are unreliable. The rules may be matched +against either the apex NS RRset or the "glue" NS RRset, each with their +associated addresses (that also might or might not be "glue"). It’s in the +administrator's interests to discover both the delegation name server names +and addresses, and the apex name server names and authoritative address +records, to ensure correct use of NS and NSIP triggers in RPZ. Even then, +there may be collateral damage to completely unrelated domains that +otherwise "work," just by having NSIP and NSDNAME rules. + +.. _rpz_disable_mozilla_doh: + +Example: Using RPZ to Disable Mozilla DoH-by-Default +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Mozilla announced in September 2019 that they would enable DNS-over-HTTPS +(DoH) for all US-based users of the Firefox browser, sending all their DNS +queries to predefined DoH providers (Cloudflare's 1.1.1.1 service in +particular). This is a concern for some network administrators who do not +want their users' DNS queries to be rerouted unexpectedly. However, +Mozilla provides a mechanism to disable the DoH-by-default setting: +if the Mozilla-owned domain `use-application-dns.net +<https://use-application-dns.net>`_ returns an NXDOMAIN response code, Firefox +will not use DoH. + +To accomplish this using RPZ: + +1. Create a polizy zone file called ``mozilla.rpz.db`` configured so + that NXDOMAIN will be returned for any query to ``use-application-dns.net``: + +:: + + $TTL 604800 + $ORIGIN mozilla.rpz. + @ IN SOA localhost. root.localhost. 1 604800 86400 2419200 604800 + @ IN NS localhost. + use-application-dns.net CNAME . + +2. Add the zone into the BIND configuration (usually :iscman:`named.conf`): + +.. code-block:: c + + zone mozilla.rpz { + type primary; + file "/<PATH_TO>/mozilla.rpz.db"; + allow-query { localhost; }; + }; + +3. Enable use of the Response Policy Zone for all incoming queries + by adding the :any:`response-policy` directive into the ``options {}`` + section: + +.. code-block:: c + + options { + response-policy { zone mozilla.rpz; } break-dnssec yes; + }; + +4. Reload the configuration and test whether the Response Policy + Zone that was just added is in effect: + +.. code-block:: shell-session + + # rndc reload + # dig IN A use-application-dns.net @<IP_ADDRESS_OF_YOUR_RESOLVER> + # dig IN AAAA use-application-dns.net @<IP_ADDRESS_OF_YOUR_RESOLVER> + +The response should return NXDOMAIN instead of the list of IP addresses, +and the BIND 9 log should contain lines like this: + +.. code-block:: none + + 09-Sep-2019 18:50:49.439 client @0x7faf8e004a00 ::1#54175 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz + 09-Sep-2019 18:50:49.439 client @0x7faf8e007800 127.0.0.1#62915 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz + +Note that this is the simplest possible configuration; specific +configurations may be different, especially for administrators who are +already using other response policy zones, or whose servers are configured +with multiple views. |