
Configuring Rules for RPZs

You can define different RPZ rules to block DNS resolution for malicious or unauthorized hostnames, or to redirect clients to a walled garden by substituting responses. Each rule consists of a trigger, which is a hostname or domain name, an IP address or network that appears in the response, or the IP address or network of the querying client, and an associated action.
These rules apply to local RPZs, including FireEye integrated RPZs, except that client IP address or network rules cannot be used in FireEye integrated RPZs. For RPZ feeds, rules are imported from external servers. You cannot change the content of an RPZ feed, but you can override the actions in an RPZ feed.
RPZ rules are applied in the order of the RPZ zones that you have configured. When rules in different RPZ zones match the same FQDN or IP address, the rule in the RPZ zone that appears first in the configured order is applied and the others are ignored.

Note

If an Infoblox-4030 appliance is already associated with a local RPZ as a Grid primary or a Grid secondary name server, then you cannot configure the client IP address or network rules for that local RPZ, and vice versa. But you can associate an Infoblox-4030 appliance with an RPZ feed, even if the RPZ feed contains client IP address or network rules.


To configure RPZ rules:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, click DNS_View -> Zone and then click Add -> select a Rule.
  2. The rules are classified as follows (each type can be triggered by a domain name, an IP address or network in the response, or a client IP address or network):
    • Passthru rules
    • Block (No Such Domain) rules
    • Block (No Data) rules
    • Substitute (Domain Name) rules
    • Substitute (Record) rules
  3. Complete the details in the corresponding editor.
  4. Save the configuration and click Next to define extensible attributes. For information about extensible attributes, see Managing Extensible Attributes.

You cannot define the above rules for an RPZ feed. An RPZ feed uses rules defined by external servers. When you click on an RPZ feed, the appliance displays a dialog box that provides various options to export the rules of the configured external servers in .CSV format.

Managing Passthru Rules

You can define passthru rules when you do not want the responses to certain recursive queries to be modified. If a query matches a passthru rule, the actual response is forwarded to the client unchanged. Passthru rules are typically used to exempt known-good names, addresses, or clients from broader block rules.

Adding Passthru Rules for Domain Names

To define passthru rules for domains:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Rule -> select Passthru Rule -> Passthru Domain Name Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Rule -> select Passthru Rule -> Passthru Domain Name Rule.
  2. The following fields are displayed in the Add a Passthru Domain Name Rule wizard:
    • Name: Enter the domain name for which you want to define the passthru rule. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Comment: Optionally, enter additional information.
    • Disable: Clear the checkbox to enable the passthru rule. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Adding Passthru Rules for IP Addresses or Networks

To define passthru rules for IP addresses or networks:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Rule -> select Passthru Rule -> Passthru IP Address Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Rule -> select Passthru Rule -> Passthru IP Address Rule.
  2. The following fields are displayed in the Add a Passthru IP Address Rule wizard:
    • IP Address or Network: Enter the IP address or specify the address in CIDR format for which you want to define the passthru rule. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Comment: Optionally, enter additional information.
    • Disable: Clear the checkbox to enable the passthru rule. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Adding Passthru Rules for Client IP Addresses or Networks

You can define a passthru rule for a client IP address or network, if you do not want to modify the response to a query from a specific client IP address or network and forward the actual response to the client.
To define passthru rules for the client IP addresses or networks:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Rule -> Select Passthru Rule -> Passthru Client IP Address Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Rule -> select Passthru Rule -> Passthru Client IP Address Rule.
  2. The following fields are displayed in the Add a Passthru Client IP Address Rule wizard:
    • Client IP Address or Network: Enter the client IP address or specify the client address in CIDR format for which you want to define the passthru rule. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Comment: Optionally, enter additional information.
    • Disable: Clear the checkbox to enable the passthru rule. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Managing Block (No Such Domain) Rules

You can define rules to block certain domain names, IP addresses or networks, or client IP addresses or networks. When you use this option to block a domain name, the query name (QNAME) is matched against the RPZ rule. If it matches, the DNS client receives an NXDOMAIN response, which indicates that the domain does not exist.
When you block an IP address or network with this option, the A and AAAA records in the resolved response are matched against the RPZ rule. If any of them matches, the DNS client receives an NXDOMAIN response instead of the actual answer.
When you use this option to block a specific client IP address or network, the source IP address of the client querying the DNS server is matched against the RPZ rule. If it matches, the client receives an NXDOMAIN response to its queries, regardless of the name queried.

Defining Block (No Such Domain) Rules for Domain Names

To define block rules for domains:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Block (No Such Domain) Rule -> Block Domain Name (No Such Domain) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Block (No Such Domain) Rule -> Block Domain Name (No Such Domain) Rule.
  2. The following fields are displayed in the Add a Block Domain Name (No Such Domain) Rule wizard:
    • Name: Enter the domain name which you want to be blocked from being resolved by the DNS. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Comment: Optionally, enter additional information.
    • Disable: Clear the checkbox to enable the record. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Defining Block (No Such Domain) Rules for IP Addresses or Networks

To define block rules for IP addresses or networks:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Block (No Such Domain) Rule -> Block IP Address (No Such Domain) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Block (No Such Domain) Rule -> Block IP Address (No Such Domain) Rule.
  2. The following fields are displayed in the Add a Block IP Address (No Such Domain) Rule wizard:
    • IP Address or Network: Enter the IP address or specify the address in CIDR format which you want to block. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Comment: Optionally, enter additional information.
    • Disable: Clear the checkbox to enable the block rule. Select the checkbox to disable it.

  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Defining Block (No Such Domain) Rules for Client IP Addresses or Networks

To define block rules for client IP addresses or networks:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Block (No Such Domain) Rule -> Block Client IP Address (No Such Domain) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Block (No Such Domain) Rule -> Block Client IP Address (No Such Domain) Rule.
  2. The following fields are displayed in the Add a Block Client IP Address (No Such Domain) Rule wizard:
    • Client IP Address or Network: Enter the client IP address or specify the client address in CIDR format which you want to block. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Comment: Optionally, enter additional information.
    • Disable: Clear the checkbox to enable the block rule. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Managing Block (No Data) Rules

You can define rules to block certain domain names, IP addresses or networks, or client IP addresses or networks. When you use this option to block a domain name, the query name (QNAME) is matched against the RPZ rule. If it matches, the DNS client receives a NOERROR response with an empty answer section (NODATA), which indicates that the name exists but has no records of the requested type.
When you block an IP address or network with this option, the A and AAAA records in the resolved response are matched against the RPZ rule. If any of them matches, the DNS client receives a NODATA response instead of the actual answer.
When you use this option to block a specific client IP address or network, the source IP address of the client querying the DNS server is matched against the RPZ rule. If it matches, the client receives a NODATA response to its queries, regardless of the name queried.

Defining Block (No Data) Rules for Domain Names

To define block rules for domains:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Block (No Data) Rule -> Block Domain Name (No Data) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Block (No Data) Rule -> Block Domain Name (No Data) Rule.
  2. The following fields are displayed in the Add a Block Domain Name (No Data) Rule wizard:
    • Name: Enter the domain name which you want to block. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Comment: Optionally, enter additional information.
    • Disable: Clear the checkbox to enable the block rule. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Defining Block (No Data) Rules for IP Addresses or Networks

To define block rules for IP addresses or networks:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Block (No Data) Rule -> Block IP address (No Data) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Block (No Data) Rule -> Block IP address (No Data) Rule.
  2. The following fields are displayed in the Add a Block IP Address (No Data) Rule wizard:
    • IP Address or Network: Enter the IP address or specify the address in CIDR format which you want to block. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Comment: Optionally, enter additional information.
    • Disable: Clear the checkbox to enable the block rule. Select the checkbox to disable it.

  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Defining Block (No Data) Rules for Client IP Addresses or Networks

To define block rules for client IP addresses or networks:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Block (No Data) Rule -> Block Client IP address (No Data) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Block (No Data) Rule -> Block Client IP address (No Data) Rule.
  2. The following fields are displayed in the Add a Block Client IP Address (No Data) Rule wizard:
    • Client IP Address or Network: Enter the client IP address or specify the client address in CIDR format which you want to block. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Comment: Optionally, enter additional information.
    • Disable: Clear the checkbox to enable the block rule. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Managing Substitute (Domain Name) Rules

You can define an alternate domain name or IP address to which a malicious or unauthorized domain name or IP address is redirected. When the response to a client query matches an RPZ rule, the actual domain name or IP address is replaced with the alternative domain name or IP address, and the client receives the substituted value instead of the actual response.

Note

The domain name and the substitute name in a substitute rule are not case-sensitive.
For example, if the domain name is "corpxyz.com" and you substitute it with "CorpXYZ.com" or "CORPXYZ.COM", the rule you define becomes a passthru rule: no substitution occurs, because "corpxyz.com", "CorpXYZ.com" and "CORPXYZ.COM" are the same name. Grid Manager displays such a substitute rule as a passthru rule.
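The rule types described in the passthru, block, and substitute sections above, the zone ordering described in the introduction, and the no-op substitute case in the Note are easier to reason about when you can see the policy data a resolver actually evaluates. The following Python model is an added example and is not NIOS code: it renders rules in the RPZ zone-data encoding used by BIND (QNAME, rpz-ip and rpz-client-ip triggers; CNAME ., CNAME *. and CNAME rpz-passthru. actions) and applies them with the precedence the page describes (earlier zone wins, then client IP, then QNAME, then response IP, then the most specific match). It assumes a BIND-derived resolver follows that encoding; all zone names, networks, and answers are constructed for illustration.

```python
"""Model of RPZ triggers, actions and zone precedence (added example, not NIOS
code). Rules are rendered in the RPZ zone-data encoding used by BIND (QNAME,
rpz-ip and rpz-client-ip triggers; CNAME ., CNAME *. and CNAME rpz-passthru.
actions), which a BIND-derived resolver is assumed to follow. All names,
networks and answers below are constructed."""
import ipaddress
from dataclasses import dataclass

TRIGGER_RANK = {"client-ip": 0, "qname": 1, "ip": 2}  # order tried within a zone

@dataclass
class Rule:
    trigger: str            # "qname", "ip" (A/AAAA in the answer) or "client-ip"
    match: str              # domain name (may start with "*.") or address/CIDR
    action: str             # "passthru", "nxdomain", "nodata" or "substitute"
    target: str = ""        # substitute name, used only when action == "substitute"
    disabled: bool = False

@dataclass
class Zone:
    name: str               # RPZ apex, e.g. "block.rpz"
    rules: list

def _canon(name: str) -> str:
    return name.rstrip(".").lower()      # DNS names compare case-insensitively

def rpz_addr_labels(cidr: str) -> str:
    """Encode an address/network as RPZ labels 'prefixlen.reversed-address':
    10.2.1.0/24 -> '24.0.1.2.10'. IPv6 words are reversed and '::' becomes 'zz'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        words = str(net.network_address).split(".")
    else:
        words = net.network_address.compressed.replace("::", ":zz:").strip(":").split(":")
    return f"{net.prefixlen}." + ".".join(reversed(words))

def rpz_rdata(rule: Rule) -> str:
    """CNAME target encoding the action; a substitute whose target equals the
    matched name changes nothing, so it is rendered (and behaves) as passthru."""
    if rule.action == "substitute" and _canon(rule.target) == _canon(rule.match):
        return "rpz-passthru."
    fixed = {"passthru": "rpz-passthru.", "nxdomain": ".", "nodata": "*."}
    return fixed.get(rule.action, _canon(rule.target) + ".")

def rpz_rr(zone: Zone, rule: Rule) -> str:
    """Render one rule as the resource record it becomes in the policy zone."""
    if rule.trigger == "qname":
        owner = f"{_canon(rule.match)}.{zone.name}."
    else:
        suffix = "rpz-ip" if rule.trigger == "ip" else "rpz-client-ip"
        owner = f"{rpz_addr_labels(rule.match)}.{suffix}.{zone.name}."
    return f"{owner} CNAME {rpz_rdata(rule)}"

def _specificity(rule: Rule, qname: str, client_ip: str, answer_ips):
    """Return how specific a hit is (higher wins within a zone), or None."""
    if rule.disabled:
        return None
    if rule.trigger == "qname":
        name, q = _canon(rule.match), _canon(qname)
        if name.startswith("*."):                # wildcard: subdomains only
            return len(name) if q.endswith(name[1:]) else None
        return len(name) if q == name else None
    net = ipaddress.ip_network(rule.match, strict=False)
    addrs = [client_ip] if rule.trigger == "client-ip" else list(answer_ips)
    hit = any(ipaddress.ip_address(a) in net for a in addrs)
    return net.prefixlen if hit else None        # longer prefix wins

def evaluate(zones, qname: str, client_ip: str, answer_ips=()):
    """Apply the winning rule: earliest zone first, then trigger order, then the
    most specific match. Returns (rcode or 'CNAME', answer list)."""
    best = None
    for zi, zone in enumerate(zones):
        for rule in zone.rules:
            score = _specificity(rule, qname, client_ip, answer_ips)
            if score is not None:
                key = (zi, TRIGGER_RANK[rule.trigger], -score)
                if best is None or key < best[0]:
                    best = (key, rule)
    if best is None or rpz_rdata(best[1]) == "rpz-passthru.":
        return ("NOERROR", list(answer_ips))     # answer forwarded unmodified
    rule = best[1]
    if rule.action == "nxdomain":
        return ("NXDOMAIN", [])
    if rule.action == "nodata":
        return ("NOERROR", [])
    return ("CNAME", [_canon(rule.target)])

# Constructed policy: an allow-list zone ordered ahead of a block zone.
ZONES = [
    Zone("allow.rpz", [Rule("qname", "safe.example.com", "passthru")]),
    Zone("block.rpz", [
        Rule("qname", "*.example.com", "nxdomain"),
        Rule("qname", "safe.example.com", "nxdomain"),   # shadowed by allow.rpz
        Rule("ip", "192.0.2.0/24", "nodata"),
        Rule("client-ip", "10.9.0.0/16", "substitute", "quarantine.corp.local"),
        Rule("qname", "CorpXYZ.com", "substitute", "corpxyz.com"),  # no-op
    ]),
]

if __name__ == "__main__":
    print("\n".join(rpz_rr(z, r) for z in ZONES for r in z.rules))
    print(evaluate(ZONES, "evil.example.com", "10.9.1.1", ["198.51.100.5"]))
```

Two behaviours worth checking against your own ordering: the passthru for safe.example.com only wins because allow.rpz is listed before block.rpz, and it exempts only that exact name, so www.safe.example.com still hits the *.example.com block; and a client-IP rule in the same zone outranks a QNAME rule, so a quarantined client is redirected even for names that would otherwise be blocked.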

Defining Substitute Domain Name (Based on Domain Name) Rules

To define substitutes for domain names:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Substitute (Domain Name) Rule -> Substitute Domain Name (Domain Name) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Substitute (Domain Name) Rule -> Substitute Domain Name (Domain Name) Rule.
  2. The following fields are displayed in the Add a Substitute (Domain Name) Rule wizard:
    • Name: Enter the domain name for which you want to define a substitute. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Substituted Name: Enter an alternative domain name or IP address that has to be substituted with the actual domain name. Click Select Zone to select a different zone.
    • Comment: Optionally, enter additional information.
    • Disable: Clear the checkbox to enable the substitute rule. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Defining Substitute Domain Name (Based on IP address) Rules

To define substitutes for IP addresses:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Substitute (Domain Name) Rule -> Substitute Domain Name (IP Address) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Substitute (Domain Name) Rule -> Substitute Domain Name (IP Address) Rule.
  2. The following fields are displayed in the Add a Substitute Domain Name (IP Address) Rule wizard:
    • IP address or Network: Enter the IP address or network for which you want to define a substitute. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Substituted Name: Enter an alternative domain name or IP address that has to be substituted with the actual IP address. Click Select Zone to select a different zone.
    • Comment: Optionally, enter additional information.
    • Disable: Clear the checkbox to enable the substitute rule. Select the checkbox to disable it.

  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Defining Substitute Domain Name (Based on Client IP address) Rules

You can define a substitute domain name rule for a client IP address if you want to substitute the actual response to a query from the DNS client with an alternate domain name or IP address. When the IP address of the client querying a DNS server matches the RPZ rule, the actual response is substituted with the alternative domain name or IP address specified in the RPZ rule.
To define substitute domain name rule for client IP addresses:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Substitute (Domain Name) Rule -> Substitute Domain Name (Client IP Address) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Substitute (Domain Name) Rule -> Substitute Domain Name (Client IP Address) Rule.
  2. The following fields are displayed in the Add a Substitute Domain Name (Client IP Address) Rule wizard:
    • Client IP address or Network: Enter the client IP address or client network for which you want to define a substitute domain name (client IP address) rule. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Substituted Name: Enter an alternative domain name or IP address that replaces the actual DNS response. Click Select Zone to select a different zone.
    • Comment: Optionally, enter additional information.
    • Disable: Clear the checkbox to enable the substitute rule. Select the checkbox to disable it.

  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Managing Substitute (Record) Rules

You can define a substitute record for a domain name that is considered malicious. A substitute rule applies to a specific owner name and record type: when a query for that owner name and type matches the rule, the response is modified to contain the substituted value(s) instead of the actual data. The record types for which you can define substitutes are described in the following sections.

Defining Substitutes Rules for A Records

An RPZ A (address) record maps a domain name to a substitute IPv4 address. To define a specific name-to-address mapping, add an A record to a previously defined RPZ.
To define substitute rules for A records:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Substitute (Record) Rule -> Substitute (A Record) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Substitute (Record) Rule -> Substitute (A Record) Rule.
  2. The following fields are displayed in the Add a Substitute (A Record) Rule wizard:
    • Name: Enter the domain name that you want to map to an IP address. The name that you specify, irrespective of the RPZ name, is used to determine a match for the RPZ rule. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • IP Address: Enter the IPv4 address to which you want the domain name to map.
    • Comment: Optionally, enter additional information about the A record.
    • Disable: Clear the checkbox to enable the record. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Defining Substitute Rules for AAAA Records

An RPZ AAAA (address) record maps a domain name to a substitute IPv6 address. To define a specific name-to-address mapping, add an RPZ AAAA record to a previously defined RPZ.
To define substitute rules for AAAA records:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Substitute (Record) Rule -> Substitute (AAAA Record) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Substitute (Record) Rule -> Substitute (AAAA Record) Rule.
  2. The following fields are displayed in the Add a Substitute (AAAA Record) Rule wizard:
    • Name: Enter the domain name that you want to map to an IP address. The name that you specify, irrespective of the RPZ name, is used to determine a match with the RPZ rule. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • IP Address: Enter the IPv6 address to which you want the domain name to map.
    • Comment: Optionally, enter additional information about the AAAA record.
    • Disable: Clear the checkbox to enable the record. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Defining Substitute Rules for MX Records

An RPZ MX (mail exchanger) record maps a domain name to a mail exchanger. A mail exchanger is a server that either delivers or forwards mail. A wildcard MX record (an owner name that begins with *.) applies to all subdomains of the owner name within the RPZ.
To define substitute rules for MX records:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Substitute (Record) Rule -> Substitute (MX Record) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Substitute (Record) Rule -> Substitute (MX Record) Rule.
  2. The following fields are displayed in the Add a Substitute (MX Record) Rule wizard:
    • Mail Destination: Enter the owner name of the MX record you want to substitute.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Host Name Policy: Displays the hostname policy of the selected zone. Ensure that the hostname you enter complies with the hostname restriction policy defined for the zone.
    • Mail Exchanger: Enter the fully qualified domain name of the mail exchanger.
    • Preference: Select an integer from 10 to 100. The preference determines the order in which a client attempts to contact the target mail exchanger.
    • Comment: Optionally, enter additional information about the MX record.
    • Disable: Clear the checkbox to enable the record. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Defining Substitute Rules for NAPTR Records

A DNS NAPTR object represents a Naming Authority Pointer (NAPTR) resource record. This resource record specifies a regular expression-based rewrite rule that, when applied to an existing string, produces a new domain name or URI.
To define substitute rules for NAPTR records:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Substitute (Record) Rule -> Substitute (NAPTR Record) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Substitute (Record) Rule -> Substitute (NAPTR Record) Rule.
  2. The following fields are displayed in the Add a Substitute (NAPTR Record) Rule wizard:
    • Domain: Enter the domain name to which this resource record refers. Make sure that you enter a valid FQDN. Example: test.com, foo.com, etc. The name that you specify, irrespective of the RPZ name, is used to determine a match with the RPZ rule. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Service: Select a service from the drop-down list. This field specifies the service and protocol that are used to communicate with the host at the domain name.
    • Flags: The Flag field indicates whether the current lookup is terminal; that is, the current NAPTR record is the last NAPTR record for the lookup. It also provides information about the next step in the lookup process. The flags that are currently used are:
      • U: Indicates that the output maps to a URI (Uniform Resource Identifier).
      • S: Indicates that the output is a domain name that has at least one SRV record. The DNS client must then send a query for the SRV record of the resulting domain name.
      • A: Indicates that the output is a domain name that has at least one A or AAAA record. The DNS client must then send a query for the A or AAAA record of the resulting domain name.
      • P: Indicates that the protocol specified in the Service field defines the next step or phase.
    • Order: Select an Integer from 10 to 100, or enter a value from 0 to 65535. This value indicates the order in which the NAPTR records must be processed. It processes the record with the lowest value first.
    • Preference: Select an Integer from 10 to 100, or enter a value from 0 to 65535. Similar to the Preference field in MX records, this value indicates which NAPTR record the DNS client should process first when the records have the same Order values. It processes the record with the lowest value first.
    • REGEX: The regular expression that is used to rewrite the original string from the client into a domain name. RFC 2915 (obsoleted by RFC 3403, which keeps the same field syntax) specifies the syntax of the regular expression. Note that the appliance validates only the regular expression syntax between the first and second delimiter, and does so against the Python re module, which is not 100% compatible with the POSIX Extended Regular Expression syntax required by the RFC: an expression that uses Python-only constructs passes the appliance check but may not be interpreted as intended by a standards-conforming client. For information about the Python re module, refer to http://docs.python.org/release/2.5.1/lib/module-re.html.
    • Replacement: This specifies the domain name for the next lookup. The default is a dot (.), which indicates that the regular expression in the REGEX field provides the replacement value. Alternatively, you can enter the replacement value in FQDN format.
    • Comment: Optionally, enter additional information about the NAPTR record.
    • Disable: Clear the checkbox to enable the record. Select the checkbox to disable it.

  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.
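The REGEX field above is the part of a NAPTR substitute rule that is easiest to get wrong, because the appliance checks only the expression between the first two delimiters and checks it with Python's re module rather than POSIX ERE. The following Python code is an added example, not Infoblox code: it splits a complete NAPTR regexp field into its ERE, replacement, and flags per RFC 3403 (delimiter is the first character, escaped as backslash-delimiter inside the field, only the i flag is defined), performs the rewrite a client would perform with \1..\9 backreferences, and lists Python-only constructs that would pass a re-based check but are not POSIX ERE. The list of flagged constructs is illustrative rather than exhaustive, and all sample fields and subjects are constructed.

```python
"""Parse and apply a NAPTR Regexp field (RFC 3403, sections 3.2 and 4.1).

Added example, not Infoblox code. The appliance checks only the expression
between the first two delimiters with Python's re module; this code also
splits the whole field, flags constructs Python accepts but POSIX ERE lacks,
and performs the rewrite a client would. All sample fields are constructed."""
import re

# Python re syntax with no POSIX ERE equivalent (illustrative, not exhaustive):
# a field using these passes a re-based check but is not portable to
# standards-conforming NAPTR clients.
_NON_ERE = re.compile(r"\\[dDwWsSbBAZ]|\(\?|\*\?|\+\?|\?\?")

def parse_naptr_regexp(field: str):
    """Split 'delim ERE delim replacement delim flags' into its three parts.
    The delimiter is the first character; inside the ERE and replacement it
    must appear escaped as backslash-delimiter. Only the 'i' flag is defined."""
    if len(field) < 3:
        raise ValueError("regexp field too short")
    delim = field[0]
    if delim == "\\" or delim.isdigit() or not delim.isprintable():
        raise ValueError("delimiter must be a printable character other than a digit or backslash")
    parts, cur, i = [], [], 1
    while i < len(field) and len(parts) < 2:
        ch = field[i]
        if ch == "\\" and i + 1 < len(field):
            nxt = field[i + 1]
            cur.append(delim if nxt == delim else "\\" + nxt)  # unescape only the delimiter
            i += 2
        elif ch == delim:
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    if len(parts) != 2:
        raise ValueError("field needs three unescaped delimiters")
    flags = field[i:]
    if set(flags) - {"i"}:
        raise ValueError(f"unknown flag(s) {flags!r}")
    return parts[0], parts[1], flags

def non_ere_constructs(ere: str):
    """List Python-only regex constructs present in the ERE part."""
    return _NON_ERE.findall(ere)

def apply_naptr_rewrite(field: str, subject: str):
    """Rewrite 'subject' with the field; returns None when the ERE does not
    match. Backreferences \\1..\\9 in the replacement are expanded, and any
    other backslash-escaped character stands for itself ('\\\\' gives '\\')."""
    ere, repl, flags = parse_naptr_regexp(field)
    m = re.search(ere, subject, re.IGNORECASE if "i" in flags else 0)
    if m is None:
        return None
    out, i = [], 0
    while i < len(repl):
        ch = repl[i]
        if ch == "\\" and i + 1 < len(repl):
            nxt = repl[i + 1]
            if nxt in "123456789":
                if int(nxt) > m.re.groups:
                    raise ValueError(f"backreference \\{nxt} has no matching group")
                out.append(m.group(int(nxt)) or "")
            else:
                out.append(nxt)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

if __name__ == "__main__":
    # Classic ENUM-style rewrite, then a field that the appliance would accept
    # but that relies on Python-only syntax.
    print(apply_naptr_rewrite("!^.*$!sip:info@example.com!", "4.3.2.1.6.7.9.8.6.4.e164.arpa"))
    print(non_ere_constructs("^\\d+(?:x)?$"))
```

When reviewing NAPTR substitute rules, run the whole field through parse_naptr_regexp and non_ere_constructs rather than relying on the wizard's acceptance: a field whose replacement part or flags are malformed, or whose ERE uses \d or (?: ... ), is accepted by the appliance but may be rejected or misinterpreted by the client that ultimately applies the rewrite.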

Defining Substitute Rules for PTR Records

In a forward-mapping zone, a PTR (pointer) record maps a domain name to another domain name. In an RPZ, a PTR (pointer) record maps an address to a domain name. To define a specific address-to-name mapping, add an RPZ PTR record to a previously defined RPZ.
To define substitute rules for PTR records:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Substitute (Record) Rule -> Substitute (PTR Record) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Substitute (Record) Rule -> Substitute (PTR Record) Rule.
  2. The following fields are displayed in the Add a Substitute (PTR Record) Rule wizard. Select either Name or IP Address from the drop-down list:
    • Name: Enter a domain name for which you want to create a pointer to another domain. The name that you specify, irrespective of the RPZ name, is used to determine a match with the RPZ rule. Click Select Zone to select a different zone. For an RPZ, the name must be in the format ipaddress.in-addr.arpa, with the octets of the IP address in reverse order. For example, if the IP address is 10.2.1.4, the name is 4.1.2.10.in-addr.arpa. The following fields are displayed when you select Name from the drop-down list:
      • DNS View: Displays the DNS view to which the selected RPZ belongs.
      • Domain Name: Enter the domain name to which you want the PTR record to point. Make sure that you enter a valid FQDN. Example: test.com, foo.com, etc.
    • IP Address: Enter an IP address for which you want to create a pointer to a domain. The following fields are displayed when you select IP Address from the drop-down list:
      • Zone: Displays the RPZ you have selected. Click Select Zone to select a different zone.
      • DNS View: Displays the DNS view to which the selected RPZ belongs.
      • Domain Name: Enter the domain name to which you want the PTR record to point. Make sure that you enter a valid FQDN. Example: test.com, foo.com, etc.
    • Comment: Optionally, enter additional information about the PTR record.
    • Disable: Clear the checkbox to enable the record. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Defining Substitute Rules for SRV Records

A DNS RPZ SRV object represents an SRV resource record, which is also known as a service record. You can define a substitute for an SRV record. When the response to a user's query matches with an RPZ rule, then the combination of actual service, protocol, domain name and the zone is substituted with a combination of priority, weight, port and target details that you specify.
To define substitute rules for SRV records:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Substitute (Record) Rule -> Substitute (SRV Record) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Substitute (Record) Rule -> Substitute (SRV Record) Rule.
  2. The following fields are displayed in the Add a Substitute (SRV Record) Rule wizard:
    • Display input as: Select the format in which you want the SRV record to be displayed. When you select RFC 2782 format, the appliance follows the _service._protocol.name format as defined in RFC 2782. When you select Free format, enter the entire name in the Domain field.
    • Service: Specify the service that the host provides. You can either select a service from the list or type in a service, if it is not on the list. For example, if you are creating a record for a host that provides FTP service, select _ftp. To distinguish the service name labels from the domain name, the service name is prefixed with an underscore. If the name of the service is defined in RFC 1700, Assigned Numbers, use that name. Otherwise, you can use a locally-defined name. This field is disabled when you select Free Format as the display input.
    • Protocol: Specify the protocol that the host uses. You can either select a protocol from the list or type in a protocol, if it is not on the list. For example, if it uses TCP, select _tcp. To distinguish the protocol name labels from the domain name, the protocol name is prefixed with an underscore. This field is disabled when you select Free Format as the display input.
    • Domain: If Grid Manager displays a zone name, enter the name here to define an SRV record for a host or subdomain. The displayed zone name can either be the last selected zone or the zone from which you are adding the SRV record. If no zone name is displayed or if you want to specify a different zone, click Select Zone. When there are multiple zones, Grid Manager displays the Zone Selector dialog box. Click a zone name in the dialog box, and then enter the name to define the SRV record. The SRV record name is used to determine the substitute.
    • Preview: After you enter all the information, this field displays the FQDN.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Priority: Select or enter an integer from 0 to 65535. The priority determines the order in which a client attempts to contact the target host; the domain name host with the lowest number has the highest priority and is queried first. Target hosts with the same priority are attempted in the order defined in the Weight field.
    • Weight: Select or enter an integer from 0 to 65535. The weight allows you to distribute the load between target hosts. The higher the number, the more that host handles the load (compared to other target hosts). Larger weights give a target host a proportionately higher probability of being selected.
    • Port: Specify the appropriate port number for the service running on the target host. You can use standard or nonstandard port numbers, depending on the requirements of your network. You can select a port number from the list or enter an integer from 0 to 65535.
    • Target: Enter the canonical domain name of the host (not an alias); for example, www2.corpxyz.com.
    • Comment: Optionally, enter additional information about the SRV record.
    • Disable: Clear the checkbox to enable the record. Select the checkbox to disable it.

  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.
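The Priority and Weight fields only matter once a client applies the RFC 2782 selection rules to the substituted answer, so it helps to see how a set of substitute targets will actually be tried. The example below is added here and is not Infoblox code: it builds the `_service._protocol.name` owner name described under Display input as, range-checks the numeric fields, and implements the RFC 2782 ordering (ascending priority, then weighted random choice within a priority, with weight-0 targets chosen only when nothing else is drawn). The record names and the helper names are this example's own.

```python
import random
from dataclasses import dataclass

# Helper names (SrvRecord, srv_owner_name, order_targets, ...) are this
# example's own assumptions, not an Infoblox API.


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # canonical host name, as the Target field requires


def srv_owner_name(service: str, protocol: str, domain: str) -> str:
    """Build the RFC 2782 owner name _service._protocol.domain.

    The underscore prefixes are added when missing; empty labels are rejected.
    """
    if not service or not protocol or not domain:
        raise ValueError("service, protocol and domain are all required")
    svc = service if service.startswith("_") else "_" + service
    proto = protocol if protocol.startswith("_") else "_" + protocol
    return f"{svc}.{proto}.{domain.rstrip('.')}"


def validate_srv(rec: SrvRecord) -> None:
    """Enforce the 0..65535 range stated for Priority, Weight and Port."""
    for field in ("priority", "weight", "port"):
        value = getattr(rec, field)
        if not 0 <= value <= 65535:
            raise ValueError(f"{field} {value} is outside 0..65535")
    if not rec.target:
        raise ValueError("target host name is required")


def order_targets(records, rng=None):
    """Return records in the order a client tries them (RFC 2782 section on
    priority and weight). Pass a seeded random.Random for reproducibility."""
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        validate_srv(rec)
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):  # lowest priority number first
        # Weight-0 records go to the front of the pool so that they are only
        # picked when the random draw is exactly 0 (as RFC 2782 prescribes).
        pool = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while pool:
            draw = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= draw:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def selection_frequencies(records, trials: int, seed: int):
    """Fraction of trials in which each target is tried first; shows how the
    weights translate into load share between targets of equal priority."""
    rng = random.Random(seed)
    counts = {r.target: 0 for r in records}
    for _ in range(trials):
        counts[order_targets(records, rng)[0].target] += 1
    return {t: c / trials for t, c in counts.items()}


if __name__ == "__main__":
    # Constructed sample: an FTP service with three targets at two priorities.
    recs = [
        SrvRecord(10, 60, 21, "ftp1.corpxyz.com"),
        SrvRecord(10, 20, 21, "ftp2.corpxyz.com"),
        SrvRecord(20, 0, 21, "ftp-backup.corpxyz.com"),
    ]
    print(srv_owner_name("ftp", "tcp", "corpxyz.com"))
    print([r.target for r in order_targets(recs, random.Random(1))])
    print(selection_frequencies(recs[:2], 2000, 7))  # ftp1 first roughly 3/4 of the time
```

With weights 60 and 20 the first target is drawn in about 75% of trials, which is the proportional share the Weight field description promises; a weight-0 target at a lower priority number is still always tried first, because priority is evaluated before weight.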

Defining Substitute Rules for TXT Records

A TXT (text) record contains supplemental information for a host. SPF (Sender Policy Framework) records are specialized RPZ TXT records that identify the servers that send mail from a domain.
To define substitute rules for TXT records:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Substitute (Record) Rule -> Substitute (TXT Record) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Substitute (Record) Rule -> Substitute (TXT Record) Rule.
  2. The following fields are displayed in the Add a Substitute (TXT Record) Rule wizard:
    • Name: Enter the name to define a TXT record for a host or subdomain. The name that you specify, irrespective of the RPZ name, is used to determine a match with the RPZ rule. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Text: Enter the text that you want to associate with the record. It can contain substrings of up to 255 bytes, up to a total of 512 bytes. Additionally, if you enter leading, trailing, or embedded spaces in the text, add quotes around the text to preserve the spaces. For example: " v=spf1 include:corp200.com -all ".
    • Comment: Optionally, enter additional information about the TXT record.
    • Disable: Clear the checkbox to enable the record. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.
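The two limits in the Text field description (substrings of up to 255 bytes, 512 bytes in total) and the quoting rule for spaces are the places where a substitute TXT rule silently loses data or gets rejected. The following example, added here and not taken from the Infoblox documentation or product, splits text into 255-byte character-strings, enforces the 512-byte total, renders the result in quoted zone-file presentation form with the escaping needed to preserve leading, trailing and embedded spaces, and parses that form back so the round trip can be checked. Helper names are this example's own; the SPF sample is the one given in the text above.

```python
SUBSTRING_LIMIT = 255  # RFC 1035 character-string limit, as the page states
TOTAL_LIMIT = 512      # total accepted by the editor, as the page states

# Helper names (split_txt, txt_rdata, parse_txt_rdata) are this example's
# own assumptions, not an Infoblox API.


def split_txt(text: str) -> list:
    """Split text into character-strings of at most 255 bytes each.

    Raises ValueError when the UTF-8 encoding exceeds the 512-byte total.
    Splitting is byte-oriented, like the wire format, so a multibyte
    character can straddle two substrings; readers reassemble the bytes.
    """
    data = text.encode("utf-8")
    if len(data) > TOTAL_LIMIT:
        raise ValueError(f"TXT data is {len(data)} bytes, limit is {TOTAL_LIMIT}")
    chunks = [data[i:i + SUBSTRING_LIMIT] for i in range(0, len(data), SUBSTRING_LIMIT)]
    return chunks or [b""]


def txt_rdata(text: str) -> str:
    """Render the substrings in quoted presentation form.

    Quoting is what keeps leading, trailing and embedded spaces intact;
    embedded quotes and backslashes are backslash-escaped.
    """
    parts = []
    for chunk in split_txt(text):
        s = chunk.decode("utf-8", errors="surrogateescape")
        s = s.replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'"{s}"')
    return " ".join(parts)


def parse_txt_rdata(presentation: str) -> list:
    """Parse quoted presentation form back into substrings (inverse of txt_rdata)."""
    chunks, i, n = [], 0, len(presentation)
    while i < n:
        if presentation[i].isspace():
            i += 1
            continue
        if presentation[i] != '"':
            raise ValueError(f"expected opening quote at offset {i}")
        i += 1
        buf = []
        while i < n and presentation[i] != '"':
            if presentation[i] == "\\" and i + 1 < n:
                i += 1  # take the escaped character literally
            buf.append(presentation[i])
            i += 1
        if i >= n:
            raise ValueError("unterminated quoted string")
        i += 1  # closing quote
        chunks.append("".join(buf))
    return chunks


if __name__ == "__main__":
    spf = " v=spf1 include:corp200.com -all "  # sample from the page, with the spaces it shows
    print(txt_rdata(spf))
    print([len(c) for c in split_txt("a" * 300)])  # [255, 45]
```

Because the editor concatenates the substrings, a 300-byte SPF string becomes two quoted strings of 255 and 45 bytes; anything over 512 bytes should be rejected before it reaches the appliance rather than truncated.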

Defining Substitute Rules for IPv4 Addresses or Networks

You can define a substitute for an IPv4 address or a network address. When a client queries for the A records of a domain name and an IP address in the A records of the response matches the specified address or network, the response is modified to contain the substituted address instead.
To define substitute rules for IPv4 addresses or networks:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Substitute (Record) Rule -> Substitute (IPv4 Address) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Substitute (Record) Rule -> Substitute (IPv4 Address) Rule.
  2. The following fields are displayed in the Add a Substitute (IPv4 Address) Rule wizard:
    • IP Address or Network: Enter the IPv4 address or network that you want to substitute with another IPv4 address. Click Select Zone to select a different zone.

      Note

      You cannot define a substitute rule for the same IP address or a network address for which you have already defined a passthru rule.

    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Substituted IP Address: Enter the IPv4 address that must be returned to the user when the A records in the response match this rule.
    • Comment: Optionally, enter additional information about the IPv4 address.
    • Disable: Clear the checkbox to enable the record. Select the checkbox to disable it.

  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.

Defining Substitute Rules for IPv6 Addresses or Networks

You can restrict access to specific IPv6 addresses or networks by providing a substitute IP address. When a client queries for the AAAA records of a domain name and an IP address in the AAAA records of the response matches the specified address or network, the response is modified to contain the substituted address instead.
To define substitute rules for IPv6 addresses or networks:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, select DNS_View -> Zone, and then click Add -> select Substitute (Record) Rule -> Substitute (IPv6 Address) Rule.
    or
    From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then select a zone. Expand the Toolbar, click Add -> select Substitute (Record) Rule -> Substitute (IPv6 Address) Rule.
  2. The following fields are displayed in the Add a Substitute (IPv6 Address) Rule wizard:
    • IP Address or Network: Enter the IPv6 address or the network address which you want to substitute with another IP address. Click Select Zone to select a different zone.
    • DNS View: Displays the DNS view to which the selected RPZ belongs.
    • Policy: Displays the selected policy.
    • Substituted IP Address: Enter the IPv6 address that must be returned to the user when the AAAA records in the response match this rule.
    • Comment: Optionally, enter additional information about the IPv6 address.
    • Disable: Clear the checkbox to enable the record. Select the checkbox to disable it.
  3. Click Next to define extensible attributes. For information, see Managing Extensible Attributes.
  4. Save the configuration.
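Both the IPv4 and the IPv6 procedures describe the same mechanism: an address in the A or AAAA answer set is compared against a configured address or network, and on a match the answer is replaced by the substituted address. The example below is added here for both sections and is not Infoblox code; it models a rule set with substitute and passthru actions, enforces the conflict called out in the Note above (no substitute and passthru rule for the same address or network), and rewrites a constructed answer set. Two behaviours are this example's own assumptions rather than anything the page states: when several rules cover an answer, the most specific (longest prefix) rule is applied, and the first matching answer in the set decides the outcome.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Helper names (IpRule, make_rule, validate_rules, apply_ip_rules) are this
# example's own assumptions, not an Infoblox API.


@dataclass(frozen=True)
class IpRule:
    network: object   # IPv4Network or IPv6Network
    action: str       # "substitute" or "passthru"
    substitute: object = None  # address returned on a substitute match


def make_rule(cidr: str, action: str, substitute: str | None = None) -> IpRule:
    """Build a rule from the editor's fields, checking address-family agreement."""
    net = ipaddress.ip_network(cidr, strict=False)
    if action == "substitute":
        if substitute is None:
            raise ValueError("substitute rules need a Substituted IP Address")
        sub = ipaddress.ip_address(substitute)
        if sub.version != net.version:
            raise ValueError("substituted address must be the same family as the matched network")
        return IpRule(net, action, sub)
    if action == "passthru":
        return IpRule(net, action)
    raise ValueError(f"unknown action {action!r}")


def validate_rules(rules) -> None:
    """Reject a substitute rule and a passthru rule for the same address/network."""
    seen = {}
    for rule in rules:
        key = (rule.network.version, str(rule.network))
        if key in seen and seen[key] != rule.action:
            raise ValueError(f"{rule.network} has both a passthru and a substitute rule")
        seen[key] = rule.action


def best_match(addr, rules):
    """Most specific rule whose network contains addr, or None (assumption)."""
    hits = [r for r in rules if r.network.version == addr.version and addr in r.network]
    return max(hits, key=lambda r: r.network.prefixlen) if hits else None


def apply_ip_rules(answers, rules):
    """Rewrite an A/AAAA answer set. Returns (answers_to_send, matched_rule)."""
    validate_rules(rules)
    for text in answers:
        rule = best_match(ipaddress.ip_address(text), rules)
        if rule is None:
            continue
        if rule.action == "passthru":
            return list(answers), rule          # exempt: original data unchanged
        return [str(rule.substitute)], rule     # whole answer replaced
    return list(answers), None


# Constructed sample rule set using documentation address ranges.
SAMPLE_RULES = [
    make_rule("192.0.2.0/24", "substitute", "10.10.10.10"),
    make_rule("192.0.2.50/32", "passthru"),  # narrower, so it wins for .50
    make_rule("2001:db8:bad::/48", "substitute", "2001:db8:abcd::1"),
]

if __name__ == "__main__":
    print(apply_ip_rules(["198.51.100.7", "192.0.2.9"], SAMPLE_RULES)[0])  # ['10.10.10.10']
    print(apply_ip_rules(["192.0.2.50"], SAMPLE_RULES)[0])                 # ['192.0.2.50']
    print(apply_ip_rules(["2001:db8:bad::7"], SAMPLE_RULES)[0])            # ['2001:db8:abcd::1']
```

The passthru/substitute conflict check runs before any matching so that an inconsistent rule set is refused outright, which mirrors the editor's behaviour of not letting the second rule be created.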