This feature is available on Artica v4.40 Service Pack 25 or above.
With this feature you can use two types of RPZ sources: a remote file that Artica downloads, or a primary DNS server from which the RPZ zone is retrieved.
The source address of the client is still checked first.
Then the normal resolution process starts and the initial qname as well as any CNAME part of the chain starting from the qname is checked against “QNAME” rules.
“NSDNAME” and “NSIP” rules are still checked during the remaining part of the process, and “Response IP Address” rules are applied to the final records in the end.
This matches the precedence rules from the RPZ specifications that specify that “A policy rule match which occurs at an earlier stage of resolution is preferred to a policy rule match which occurs at a later stage”.
For performance and privacy reasons, the order of evaluation does not strictly follow the one mandated by the RPZ specifications.
In particular, matching on the client IP and qname is done first, before any processing; NS IP and NS DNAME matching is done when a nameserver is about to be sent a query; and matching on response records is done when a stage of resolution has completed.
The RPZ specifications mention that a match on the response record from a higher-order RPZ should take precedence over a qname match from a lower-order one.
Doing so would require delaying evaluation of RPZ policies until the whole resolution process has been completed, which would mean that queries might have been sent to a malicious nameserver already, in addition to performance issues.
"DNS" > "PowerDNS system" > "Policies Zones"