You can import local RPZs (Response Policy Zones) and their rulesets using the CSV Import feature. When you import local RPZs using this feature, you must specify three new columns, priority, rpz_policy, and substitute_name with relevant values, whereas importing an RPZ ruleset requires specifying the value for parent RPZ in the parent_zone column, as mentioned in the following tables. For a local RPZ, CSV import supports all the values that are listed in Authoritative Zone along with the three new columns. However, for RPZ rulesets it supports the values that are listed in CNAME Record along with a new column parent_zone.
For example, if you want to add a new local RPZ, JKL.INFO and substitute this domain with JKI.NET, then you must mention the priority, rpz_policy, and substitute name as follows:
.
A | B | C | D | E | F | G | H | I |
|---|---|---|---|---|---|---|---|---|
HEADER- RESPONSEPOLICYZONE | FQDN* | ZONE_ FORMAT* | ALLOW_UPDATE | PRIORITY | RPZ_POLICY | SUBSTITUTE | VIEW | ZONE_TYPE |
RESPONSEPOLICYZONE | ABC.NET | FORWARD | TSIG-RPZ_LOCAL_UP | 1001 | GIVEN | DEFAULT | RESPONSEPOLICY | |
RESPONSEPOLICYZONE | XYZ.IN | FORWARD | TSIG-RPZ_LOCAL_UP | 1002 | NXDOMAIN | DEFAULT | RESPONSEPOLICY | |
RESPONSEPOLICYZONE | AIM.EDU | FORWARD | TSIG-RPZ_LOCAL_UP | 1003 | NODATA | DEFAULT | RESPONSEPOLICY | |
RESPONSEPOLICYZONE | PQDR.C OM | FORWARD | TSIG-RPZ_LOCAL_UP | 1004 | PASSTHRU | DEFAULT | RESPONSEPOLICY | |
RESPONSEPOLICYZONE | JKL.INFO | FORWARD | TSIG-RPZ_LOCAL_UP | 1005 | SUBSTITUTE | JKI.NET | DEFAULT | RESPONSEPOLICY |
RESPONSEPOLICYZONE | ASAC.CO M | FORWARD | TSIG-RPZ_LOCAL_UP | 1006 | DISABLED | DEFAULT | RESPONSEPOLICY |
Examples of Substitute and Block Domain Names:
The following example shows a new column, parent_zone, which is added to the spreadsheet while importing an RPZ ruleset to a local RPZ abc.net:
A | B | C | D | E | F |
|---|---|---|---|---|---|
HEADER- RESPONSEPOLICYCNAMERECORD | FQDN* | CANONICAL_NAME | DISABLED | PARENT_ZONE | VIEW |
RESPONSEPOLICYCNAMERECORD | CLARITY.ABC.NET | CLEAR.IN | FALSE | ABC.NET | DEFAULT |
RESPONSEPOLICYCNAMERECORD | ARM.ABC.NET | FALSE | ABC.NET | DEFAULT |
Example of an A Record CSV format:
A | B | C | D | E | F |
|---|---|---|---|---|---|
HEADER- RESPONSEPOLICYARECORD | ADDRESS* | FQDN* | DISABLED | PARENT_ZONE | VIEW |
RESPONSEPOLICYCNAMERECORD | 10.32.2.1 | PQR.ABC.NET | FALSE | ABC.NET | DEFAULT |
Example of an RPZ Policy IP Address:
A | B | C | D | E | F |
|---|---|---|---|---|---|
HEADER- RESPONSEPOLICYIPADDRESS | FQDN* | CANONICAL_NAME | DISABLED | PARENT_ZONE | VIEW |
RESPONSEPOLICYIPADDRESS | 10.1.2.3.ABC.NET | 10.1.2.3 | FALSE | ABC.NET | DEFAULT |
Example of an RPZ Policy Client IP Address:
A | B | C | D | E | F |
|---|---|---|---|---|---|
HEADER- RESPONSEPOLICYCLIENTIPADDRESS | FQDN* | CANONICAL_NAME | DISABLED | PARENT_ZONE | VIEW |
RESPONSEPOLICYCLIENTIPADDRESS | 10.1.2.1.ABC.NET | 10.1.2.1 | FALSE | ABC.NET | DEFAULT |
Note the following:
- You must specify the name of the parent zone when you import RPZ rules to a local zone. For example, clarity.abc.net where abc.net is the local RPZ.
- In the above example, the domain name clarity.abc.net is substituted with the domain name clear.in because clear.in is specified as the canonical name.
- The domain arm.abc.net is blocked and the DNS client receives a message that the domain does not exist. For more information about RPZ rules, refer to the Infoblox NIOS Administrator Guide.