RPZ in IP Register

Our computer security incident response team maintain a block list and a pass-through list, plus a denial-of-existence list. Domains may be added to these lists according to our DNS blocking policy.

This page describes how CSIRT manage their lists using the IP Register database.

The CSIRT management zone

Who can manage these lists is determined by the CSIRT mzone: the members of CSIRT are listed in its mzone_co table.

The CSIRT mzone has three real domains corresponding to the three lists, block.arpa.cam.ac.uk, nxdomain.arpa.cam.ac.uk, and passthru.arpa.cam.ac.uk.

It also has two special single-word domains, rpz-block and rpz-passthru, used to create RPZ list entries. Note these domains have no dots; they are just used as place-holders.

There are no IP subnets in the CSIRT mzone.

RPZ list entries

Each entry in the block, nxdomain, or passthru list is a CNAME. Entries can be added or removed using the IP Register cname_ops page.

  • Name

    The name determines both which domain the listing applies to, and whether that domain is blocked or passed through.

    It is the listed domain concatenated with the name of the list.

    • Blocked domains

      To block naughty.baddies.example with a redirect to this web server, the name must be naughty.baddies.example.block.arpa.cam.ac.uk.

    • Pass-through domains

      To un-block incorrectly.blocked.example, the name must be incorrectly.blocked.example.passthru.arpa.cam.ac.uk.

    • Deny existence of domains

      To treat exists.example as nonexistent, the name must be exists.example.nxdomain.arpa.cam.ac.uk.

  • Target

    The target of every entry in the block and nxdomain lists should be rpz-block, and the target of every entry in the passthru list should be rpz-passthru. These targets must be bare, with no parent domain.

    (These names are chosen to be brief and informative; although they are related to RPZ policy syntax, the actual policy is fixed by the DNS RPZ mechanism.)

  • Purpose

    The purpose field of a DNS RPZ list entry is published on this web site, to note the reason for the listing.

  • Remarks

    The remarks field is optional and can be used for notes that are not published here.
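As an added example (not part of the IP Register documentation or its code), the following Python checker applies the naming rules above to a constructed set of CNAME records: it works out which list an entry belongs to, extracts the listed domain, and flags entries whose target is wrong or not bare. The function names and the sample records are assumptions of this example; the list domains and the rpz-block / rpz-passthru targets are the ones documented above.

```python
# Added example: audit RPZ list entries against the CSIRT naming rules.
# The three list domains and their expected bare targets are taken from
# the documentation; everything else here is constructed for illustration.

LIST_SUFFIXES = {
    "block.arpa.cam.ac.uk": "rpz-block",
    "nxdomain.arpa.cam.ac.uk": "rpz-block",
    "passthru.arpa.cam.ac.uk": "rpz-passthru",
}


def parse_rpz_entry(name, target):
    """Return (list_name, listed_domain) for a valid entry, else raise ValueError."""
    name = name.lower().rstrip(".")
    target = target.lower().rstrip(".")
    for suffix, expected in LIST_SUFFIXES.items():
        if not name.endswith("." + suffix):
            continue
        listed = name[: -len(suffix) - 1]  # strip ".<list domain>"
        list_name = suffix.split(".")[0]   # "block", "nxdomain" or "passthru"
        if "." in target:
            raise ValueError(f"{name}: target {target!r} must be bare, with no parent domain")
        if target != expected:
            raise ValueError(f"{name}: target must be {expected}, not {target}")
        return list_name, listed
    raise ValueError(f"{name}: not under a CSIRT RPZ list domain")


def audit_rpz_entries(records):
    """Check (name, target) pairs; return (valid entries, problem messages)."""
    valid, problems = [], []
    for name, target in records:
        try:
            valid.append(parse_rpz_entry(name, target))
        except ValueError as err:
            problems.append(str(err))
    return valid, problems


# Constructed sample records (hypothetical CNAMEs, not real listings).
SAMPLE_RECORDS = [
    ("naughty.baddies.example.block.arpa.cam.ac.uk", "rpz-block"),
    ("incorrectly.blocked.example.passthru.arpa.cam.ac.uk", "rpz-passthru"),
    ("exists.example.nxdomain.arpa.cam.ac.uk", "rpz-block"),
    ("typo.example.block.arpa.cam.ac.uk", "rpz-passthru"),  # wrong target for this list
    ("typo.example.passthru.arpa.cam.ac.uk", "rpz-passthru.arpa.cam.ac.uk"),  # not bare
    ("unrelated.example.cam.ac.uk", "www.example.cam.ac.uk"),  # not an RPZ entry
]

if __name__ == "__main__":
    ok, bad = audit_rpz_entries(SAMPLE_RECORDS)
    print("valid:", ok)
    print("problems:", *bad, sep="\n  ")
```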

Search

Use the table_ops page to search for RPZ listings.

Choose cname from the drop-down menu, and click the switch button.

Type the partial domain into the name field, using % as a wildcard, then click search.

A list entry can be modified or destroyed using the table_ops page in a similar way to the cname_ops page.