I recently delivered a hands-on tutorial at APRICOT 2025 on Blocking Threats at the DNS Layer: Using Response Policy Zones (RPZ) for Threat Detection & Mitigation. Thanks to CISA, DNS RPZ is now widely recognized under the broader umbrella of Protective DNS.
The goal was to introduce the power of DNS RPZ and demonstrate practical ways to deploy a DNS Firewall for blocking and mitigating threats at the DNS layer.
Figure 1: Swapneel Patnekar delivering a tutorial
While network operators understand the critical nature of DNS infrastructure, few realize that DNS can also serve as a chokepoint—or sinkhole—to disrupt malicious communications.
Aside from the usefulness of DNS RPZ in an enterprise network, DNS RPZ has immense value for a network operator.
Why network operators should leverage DNS RPZ?
One of the persistent challenges for network operators is that IP addresses from their customer networks end up on blocklists. This typically occurs due to malicious traffic (e.g., spam, malware, botnet C2) originating from infected or compromised devices within their network.
The upstream impact of this can be severe:
- The customer is unable to access a particular website/service on the Internet.
Web Application firewalls(WAF) deploy blacklisting/threat intelligence to block access to the website/application
- The Customer is unable to make a payment online
Fraud detection algorithms at payment deploy blocklist/threat intelligence to block access
- An enterprise customer is unable to sending and receive email
IP address assigned to the customer is listed in blocklist database/threat intelligence
A network operator can choose to:
- Block DNS queries to known malicious domains, or
- Redirect them to a sinkhole for analysis or remediation
This helps contain abuse before it results in IP reputation damage. For large-scale operators, contacting individual customers is not scalable.
⚠️ Important Caveat: DNS RPZ is effective only when the communication uses domain names. It does not block direct IP-based malicious communication.
Recommended reading
If you found this blog post useful, you might find APNIC 52 – Threat Hunting using DNS or RPZ Feed list: OSINT Threat Intelligence for DNS Security or Open resolvers in India interesting.