While security professionals can and do block access to domains that are known to cause harm, this has so far only been possible once the harm has been identified. And that's too late - the harm is already done. The criminals who use these techniques are now registering domains by the thousand in order to circumvent such blocks, "paying" for them with stolen credit cards and using each domain for a very small number of attacks.

The Spamhaus DBL was launched in 2010 as a way to identify these domains very rapidly so that network administrators can block them in advance. But even so, there has so far been no way to provide this protection automatically.

Now, Response Policy Zones (RPZs) allow DNS administrators selectively to block the DNS resolution of sites. The bad domains or hosts will then simply disappear from that network's view of the Internet - and the malware will no longer be able to reach that network.

Spamhaus' Domain Block List (DBL) contains tens of thousands of domains known to be suspect. The DBL already is being updated with new threats every sixty seconds of every day. By making this list of bad domains available as an RPZ, Spamhaus and their technical collaborators (Deteque and ISC) are giving security administrators an additional tool which they can use to protect their network from the inadvertent actions of unsuspecting users.

This data is updated very rapidly by broadcasting only changes to the list rather than the full list. This means that the frequent updates generally take less than a second to propagate, effectively mitigating threats in near real time.

Spamhaus' DBL RPZ is now available for beta testing. A BIND server (version 9.8.0+) is needed to utilise this feature and at this time networks will need to contact Spamhaus <rpz-data@spamhaus.org> to register their BIND server to use this RPZ.

For further information see:

DNS Response Policy Zones <https://dnsrpz.info/>
Spamhaus Domain Blocklist <http://www.spamhaus.org/dbl>
Taking Back the DNS <http://www.circleid.com/posts/20100728_taking_back_the_dns/>
RPZ FAQ (PDF. 38KB) <http://www.spamhaus.org/faq/RPZ.FAQ.20110602.pdf>
Response Policy Zone - History, Usage and Research (PDF. 180KB) <http://www.spamhaus.org/whitepapers/RPZ-History-Usage-Research.pdf>
Cisco: Using DNS RPZ to block malicious DNS requests <http://blogs.cisco.com/security/using-dns-rpz-to-block-malicious-dns-requests/>
Internet Identity: Happy Birthday RPZ <http://www.internetidentity.com/blog/happy-birthday-rpz/>
Imperial College of London: What are DNS Response Policy Zones? <http://www3.imperial.ac.uk/ict/services/security/securityservices/rpz>
 

Update 2014-10-31
We're happy to announce that the Spamhaus RPZs have proved their worth in a number of production environments. As such, the beta test period is over. To trial the service, please visit https://www.spamhaustech.com/pricing/ selecting the appropriate service(s).