Updated Date: 05/04/2026
Configuring DNS Response Policy Zones
The BIG-IP system can utilize a domain name service (DNS) response policy zone (RPZ) as a firewall mechanism. An RPZ is a zone that contains a list of known malicious Internet domains. The list includes a resource record set (RRset) for each malicious domain. Each RRset includes the names of the malicious domain and any subdomains of the domain.
When the BIG-IP system receives a DNS query for a domain that is on the malicious domain list of the RPZ, the system responds in one of two ways based on your configuration. You can configure the system to return an NXDOMAIN record that indicates that the domain does not exist.
Alternatively, you can configure the system to return the response that directs the user to a walled garden.
There are a number of vendors that host response policy zones (RPZs). The BIG-IP system supports RPZ vendors. F5 has tested the BIG-IP system with the vendors Spamhaus (http://www.spamhaus.org/organization/dnsblusage/) and SURBL (http://www.surbl.org/df). If you do not want to purchase a subscription from a vendor, you can use ZoneRunner on the BIG-IP system to create a custom RPZ.
Note: ZoneRunner is available only with a BIG-IP DNS license.
Determine the host name and IP address of the BIG-IP system on which you are configuring the RPZ.
Note: These steps can be performed only on a BIG-IP system that is licensed for BIG-IP DNS.
You can create your own RPZ when you do not want to subscribe to an RPZ vendor.
- On the Main tab, click DNS > Zones > ZoneRunner > Zone List. The Zone List screen opens.
- Click Create. The New Zone screen opens.
- From the View Name list, select external. The external view is a default view to which you can assign zones.
- In the Zone Name field, type a name for the zone file. For example, to replicate the format of Spamhaus and SURBL DNS RPZ names, type rpz.myblacklist.org.
- From the Zone Type list, select Master.
- Clear the Zone File Name field, and type the zone file name; for example, db.external.rpz.blacklist.org.
- In the Options field, add an also-notify statement to ensure that BIND notifies DNS Express when the zone is updated; for example: also-notify { ::1 port 5353; };
- In the SOA Record section, type values for the record fields:
  - In the TTL field, type the default time-to-live (TTL) for the records in the zone.
  - In the Master Server field, type the name of the BIG-IP DNS on which you are configuring this zone.
- In the NS Record section, type values for the record fields:
  - In the TTL field, type the time-to-live (TTL) for the nameserver record.
  - In the NameServer field, type the name of the BIG-IP DNS on which you are configuring this zone.
- Click Finished.
Add resource records that represent known malicious domains to your custom RPZ.
Determine the names of the known malicious domain names that you want to include in your custom DNS response policy zone (RPZ).
Note: These steps can be performed only on a BIG-IP system that is licensed for BIG-IP DNS.
For each malicious domain that you want to add to your custom RPZ, create a resource record for the domain. Additionally, you can add a wildcard resource record to represent all subdomains of the malicious domain.
- On the Main tab, click DNS > Zones > ZoneRunner > Zone List. The Zone List screen opens.
- Click the name of the custom RPZ to which you want to add malicious zone names. The Zone Properties screen opens.
- Click Add Resource Record. The New Resource Record screen opens.
- In the Name field, type the name of the malicious domain in front of the RPZ zone name that displays, [zone_name].rpz.myblacklist.org. For example, type maliciouszone.com.rpz.myblacklist.org. for the domain name, or *.maliciouszone.com.rpz.myblacklist.org. for the subdomains.
- In the TTL field, type the time-to-live (TTL) for the CNAME record.
- From the Type list, select CNAME.
- In the CNAME field, type . (a single period).
- Click Finished.
- Create additional resource records for each malicious domain that you want to include in your custom RPZ. Remember to create a resource record for the domain and a resource record for the subdomains.
You can now implement your RPZ on the BIG-IP system or on an external name server.
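The records that the ZoneRunner steps above create, written out as a complete zone in standard BIND master-file syntax. This is an added example, not F5 code or ZoneRunner output; the name server host name and the list of domains are constructed, and loading the file into BIND (for example as db.external.rpz.blacklist.org) is an assumption about how you would use it. Each domain gets an exact-name CNAME and a wildcard CNAME for its subdomains; the target "." is the NXDOMAIN entry from the steps, and passing a walled-garden name as the target instead produces the redirect variant.

```python
"""Generate a custom RPZ zone file (SOA, NS, and one exact plus one wildcard CNAME
policy record per malicious domain). Added example, not F5 code."""

ZONE = "rpz.myblacklist.org"        # zone name used on the page
NAMESERVER = "bigip.example.test"   # hypothetical host name of the BIG-IP DNS
# Constructed sample list of domains to block (not real indicators).
BLOCKED = ["maliciouszone.com", "bad.example.net"]

def rpz_owner(domain, zone=ZONE):
    """Owner name of a policy record: the blocked domain in front of the RPZ zone name."""
    return f"{domain.rstrip('.')}.{zone}."

def policy_records(domain, target=".", zone=ZONE, ttl=300):
    """Two CNAME records per domain: the exact name and '*.' for all subdomains.
    target '.' means NXDOMAIN; a walled-garden host name redirects the client there."""
    return [
        (rpz_owner(domain, zone), ttl, "CNAME", target),
        (rpz_owner("*." + domain.rstrip("."), zone), ttl, "CNAME", target),
    ]

def build_zone(domains, zone=ZONE, ns=NAMESERVER, serial=1, ttl=300, target="."):
    """Full zone text: $ORIGIN/$TTL, SOA with the BIG-IP DNS as primary, NS, then policies."""
    lines = [
        f"$ORIGIN {zone}.",
        f"$TTL {ttl}",
        # SOA: primary master, contact, serial, refresh, retry, expire, minimum
        f"@ IN SOA {ns}. hostmaster.{zone}. {serial} 3600 600 604800 {ttl}",
        f"@ IN NS {ns}.",
    ]
    for domain in domains:
        for owner, rttl, rtype, rdata in policy_records(domain, target, zone, ttl):
            lines.append(f"{owner} {rttl} IN {rtype} {rdata}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_zone(BLOCKED, serial=2026050401))
```

Bump the SOA serial on every regeneration, otherwise the also-notify from the steps above fires but DNS Express sees no change to transfer.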
With an RPZ configuration, the BIG-IP system filters DNS queries for domains that are known to be malicious and returns custom responses that direct those queries away from the malicious domain.
Before adding a TSIG key for a DNS server that hosts an RPZ:
- Ensure that the DNS server is configured to allow the BIG-IP system to perform zone transfers.
- Ensure that the time on the systems that use TSIG keys is synchronized.
- Obtain the TSIG key for each DNS server.
Add a TSIG key to the BIG-IP system configuration, when you want to validate zone transfer communications between DNS Express and a DNS server hosting an RPZ.
- On the Main tab, click DNS > Delivery > Keys > TSIG Key List. The TSIG Key List screen opens.
- Click Create. The New TSIG Key screen opens.
- In the Name field, type the name of the TSIG key.
- From the Algorithm list, select the algorithm that was used to generate the key.
- In the Secret field, type the TSIG key secret.
- Click Finished.
Add the TSIG key to the DNS nameserver that represents the RPZ on the BIG-IP system.
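What the two sides actually compute when a zone transfer request is validated with a TSIG key, as an added example (not F5 code): the MAC covers the unsigned AXFR request plus the TSIG record fields, per RFC 8945, and the receiver rejects a request whose timestamp lies outside the fudge window even when the MAC is correct. That BADTIME path is the reason the prerequisites above require synchronized clocks. The key name, secret, zone and message ID are constructed.

```python
"""TSIG (RFC 8945) signing and verification of a DNS AXFR request.
Added example, not F5 code; key name, secret and message ID are constructed."""
import base64
import hashlib
import hmac
import struct

ALGORITHMS = {"hmac-sha256.": hashlib.sha256, "hmac-sha1.": hashlib.sha1}

def wire_name(name):
    """Uncompressed wire-format domain name, lower-cased as the TSIG digest requires."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def axfr_query(zone, msg_id=0x1234):
    """Unsigned AXFR query: 12-byte header, one question of type AXFR (252), class IN."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 8945 section 4.3.3): key name, class ANY,
    TTL 0, algorithm name, 48-bit time signed, fudge, error, other data."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(algorithm)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def secret_from_base64(text):
    """TSIG secrets are conventionally exchanged base64-encoded (as in a BIND key statement)."""
    return base64.b64decode(text)

def sign(message, key_name, secret, time_signed, fudge=300, algorithm="hmac-sha256."):
    """MAC over the unsigned message followed by the TSIG variables."""
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(secret, data, ALGORITHMS[algorithm]).digest()

def verify(message, key_name, secret, mac, time_signed, now, fudge=300,
           algorithm="hmac-sha256."):
    """Receiver-side checks in the order of RFC 8945 section 5.2: key/algorithm, MAC,
    then time. A correct MAC still fails with BADTIME when the signer's clock differs
    from the receiver's by more than `fudge` seconds."""
    if algorithm not in ALGORITHMS:
        return False, "BADKEY"
    expected = sign(message, key_name, secret, time_signed, fudge, algorithm)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"

if __name__ == "__main__":
    query = axfr_query("rpz.myblacklist.org")
    key = secret_from_base64(base64.b64encode(b"constructed-secret").decode())
    mac = sign(query, "bigip-rpz-key.", key, 1_700_000_000)
    print(verify(query, "bigip-rpz-key.", key, mac, 1_700_000_000, now=1_700_000_030))
```

The same secret, key name and algorithm must be configured on the BIG-IP system and on the DNS server hosting the RPZ; a mismatch in any of the three fails as BADKEY or BADSIG before the time check is ever reached.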
Obtain the IP address of the authoritative DNS server that hosts the DNS response policy zone (RPZ).
When you want to transfer an RPZ from an authoritative DNS server into the DNS Express engine, add a nameserver object that represents the server that hosts the zone.
- On the Main tab, click DNS > Delivery > Nameservers. The Nameservers List screen opens.
- Click Create. The New Nameserver screen opens.
- In the Name field, type a name for the authoritative DNS server.
- In the Address field, type the IP address on which the DNS server listens for DNS messages. If the RPZ is hosted on BIND on the BIG-IP system, use the name localhost and the default Address 127.0.0.1 and Service Port 53.
- From the TSIG Key list, select the TSIG key that matches the TSIG key on this DNS server. The BIG-IP system uses this TSIG key to sign zone transfer requests to the DNS server hosting the zone.
- Click Finished.
Create a DNS Express zone and add the nameserver object to the zone.
Before you create the DNS Express zone:
- Ensure that the authoritative DNS server that currently hosts the DNS response policy zone (RPZ) is configured to allow zone transfers to the BIG-IP system.
- Ensure that a nameserver object that represents that authoritative DNS server exists in the BIG-IP system configuration.
- Determine the name you want to use for the DNS Express zone. The zone name must match the zone name on the authoritative DNS server exactly.
Note: Zone names are case insensitive.
Create a DNS Express zone on the BIG-IP system when you want to transfer an RPZ into DNS Express.
- On the Main tab, click DNS > Zones. The Zone List screen opens.
- Click Create. The New Zone screen opens.
- In the Name field, type the name of the DNS zone. The name must begin and end with a letter and contain only letters, numbers, and the period and hyphen (-) characters.
- In the DNS Express area, from the Server list, select the authoritative primary DNS server that currently hosts the zone. Note: The DNS Express engine requests zone transfers from this server.
- Select the Response Policy check box.
- Click Finished.
Ensure that the global DNS settings are configured based on your network architecture.
Create a DNS cache on the BIG-IP system when you want to utilize an RPZ to protect your network from known malicious domains.
- On the Main tab, click DNS > Caches > Cache List. The DNS Cache List screen opens.
- Click Create. The New DNS Cache screen opens.
- In the Name field, type a name for the cache.
- From the Resolver Type list, select one of three types:

| Option | Description |
|---|---|
| Resolver | Resolves a DNS request and stores the response in the DNS cache. |
| Validating Resolver | Resolves a DNS request, verifies the response using a DNSSEC key, and stores the response in the DNS cache. |
| Transparent (None) | Sends a DNS request to a DNS server for resolution, and stores the response in the DNS cache. |

- Click Finished.
Ensure that a DNS cache with which you are implementing the RPZ is configured on the BIG-IP system.
Obtain the resource records for the walled garden zone on your network.
When you want the BIG-IP system to redirect DNS queries for known malicious domains to a specific domain, add a local zone that represents a walled garden on your network to the DNS cache you will use to implement an RPZ.
- On the Main tab, click DNS > Caches > Cache List. The DNS Cache List screen opens.
- Click the name of the cache you want to modify. The properties screen opens.
- On the menu bar, click Local Zones. The Local Zones screen opens.
- Click the Add button.
- In the Name field, type the domain name of the walled garden on your network. Note: The domain you enter must be the exact name you want to use for the walled garden. Ensure that you use a zone name that does not match any other resources on your network; for example, walledgarden.siterequest.com.
- From the Type list, select Static.
- In the Records area, specify a resource record to identify the local zone, including domain name, type, class, TTL, and record data, separated by spaces, and then click Add. For example, if the local zone name is walledgarden.siterequest.com, then this is an example of an A record entry: walledgarden.siterequest.com. IN A 10.10.10.124, and this is an example of a AAAA record entry: walledgarden.siterequest.com. IN AAAA 2002:0:1:12:123:c:cd:cdf.
- Click Finished.
If you want the BIG-IP system to redirect DNS queries for known malicious domains to a specific location, ensure that you have associated a local zone that represents the RPZ with the DNS cache.
Add an RPZ to a DNS cache on the BIG-IP system when you want to protect your network from known malicious domains.
- On the Main tab, click DNS > Caches > Cache List. The DNS Cache List screen opens.
- Click the name of the cache you just created. The properties screen opens.
- On the menu bar, click Response Policy Zones. The Response Policy Zones screen opens.
- Click the Add button.
- From the Zone list, select an RPZ.
- From the Action list, select an action:
| Option | Description |
|---|---|
| NXDOMAIN | Resolves a DNS query for a domain listed in the RPZ with an NXDOMAIN response, indicating that the domain does not exist. |
| Walled Garden | Redirects a DNS query for a domain listed in the RPZ to a designated IP address (walled garden), typically hosting a block page or informational portal. |
| No Data | Returns a NODATA response, which indicates that the domain exists but has no records of the requested type. |
| Pass-through | Exempts the response from RPZ policy processing and allows the DNS query to resolve normally. |
| Drop | Drops the DNS query without sending any response to the client. |
| TCP Only | Returns a truncated DNS response, signaling a possible retry over TCP. Primarily used to discourage abuse (e.g., DoS), not to guarantee TCP fallback. |
| Given | Instead of performing a predefined action, inspects the matching RPZ policy entry and executes the action specified there. This may include standard RPZ actions (for example, NXDOMAIN, Walled Garden, NODATA, Passthru, Drop, TCP Only) or returning arbitrary DNS responses (“local data”). |
| Disabled | Disables the RPZ policy rule and processes the DNS query as if no RPZ policy exists. |
- If you selected the type Walled Garden, from the Walled Garden IP list, select the local zone that represents the walled garden on your network.
- Configure the Priority for the RPZ:
- Each RPZ is assigned a priority value, starting at 0 for the first RPZ.
- Additional RPZs are automatically assigned increasing priority values (1, 2, 3, and so on).
- To modify priority manually:
- Select the RPZ and click Edit, then specify the desired priority value.
- Alternatively, use the Move Up and Move Down buttons to adjust the RPZ order in the list.
Note: When you update the priority for any feed, the system automatically fills gaps. For example, if there are three feeds with priorities 0, 1, and 2, and you set a feed’s priority to a number higher than the total number of feeds, the system automatically assigns the maximum valid priority based on the number of feeds.
- Click Finished.
Ensure that a DNS cache configured with an RPZ exists on the system.
When you want to test how using an RPZ affects your network environment, modify the RPZ by enabling the Logs and Stats Only setting.
- On the Main tab, click DNS > Caches > Cache List. The DNS Cache List screen opens.
- Click the name of the cache you want to modify. The properties screen opens.
- On the menu bar, click Response Policy Zones. The Response Policy Zones screen opens.
- Click the name of the RPZ you want to modify.
- Select the Logs and Stats Only check box. When checked, queries that match a malicious domain in the RPZ list are logged and statistics are created; however, RPZ policies are not enforced. That is, when a DNS query matches a malicious domain in the RPZ list, the system does not return an NXDOMAIN response or redirect the query to a walled garden.
Warning: System performance is affected even when Logs and Stats Only is selected. This is because the system still performs RPZ lookups.
- Click Finished.
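How the settings from the two tasks above (the Action list, the walled-garden local zone, RPZ priority, and Logs and Stats Only) combine when a query name is evaluated, as an added example. This is not the BIG-IP engine and the data model is an assumption; in particular, the mapping of CNAME targets to actions for the Given action follows the RPZ convention that BIND uses ('.' for NXDOMAIN, '*.' for No Data, 'rpz-passthru.', 'rpz-drop.', 'rpz-tcp-only.', anything else treated as walled-garden local data), which the page does not spell out, and a zone in Logs and Stats Only mode is assumed to log and then let evaluation continue with the next zone. All zone contents and local-zone records are constructed, apart from the names the page uses.

```python
"""Evaluate query names against the RPZs attached to a DNS cache: priority order,
per-zone action override, walled-garden redirect, and Logs and Stats Only mode.
Added example, not the BIG-IP engine; data model and target encoding are assumptions."""
from dataclasses import dataclass

# RPZ convention for CNAME targets (assumption, not stated on the page).
SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "No Data", "rpz-passthru.": "Pass-through",
                   "rpz-drop.": "Drop", "rpz-tcp-only.": "TCP Only"}

@dataclass
class Rpz:
    name: str                        # zone name, e.g. rpz.myblacklist.org
    records: dict                    # owner relative to the zone -> CNAME target
    action: str = "Given"            # value chosen from the Action list
    walled_garden: str = ""          # local zone chosen from the Walled Garden IP list
    logs_and_stats_only: bool = False
    priority: int = 0

def zone_lookup(rpz, qname):
    """Exact entry first, then the '*.parent' entry of each parent domain of qname."""
    q = qname.lower().rstrip(".")
    if q in rpz.records:
        return q, rpz.records[q]
    labels = q.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in rpz.records:
            return wild, rpz.records[wild]
    return None

def given_action(target):
    """The Given action takes whatever the matching policy entry encodes."""
    return SPECIAL_TARGETS.get(target, "Walled Garden")

def evaluate(rpzs, qname, log):
    """Return (action, detail). Zones are consulted in priority order and the first
    enforcing match wins; Disabled zones are skipped; a Logs and Stats Only zone does
    the lookup and logs the hit but enforces nothing (evaluation continues)."""
    for rpz in sorted(rpzs, key=lambda z: z.priority):
        if rpz.action == "Disabled":
            continue
        hit = zone_lookup(rpz, qname)
        if hit is None:
            continue
        owner, target = hit
        action = given_action(target) if rpz.action == "Given" else rpz.action
        enforced = not rpz.logs_and_stats_only
        log.append(f"rpz={rpz.name} qname={qname} entry={owner} "
                   f"action={action} enforced={enforced}")
        if not enforced:
            continue
        if action == "Walled Garden":
            return action, rpz.walled_garden or target.rstrip(".")
        return action, target
    return "Pass-through", "no match"

def normalize_priorities(rpzs):
    """The page's priority rule: values are packed to 0..n-1 without gaps, so a value
    larger than the number of feeds becomes the highest valid priority."""
    for i, z in enumerate(sorted(rpzs, key=lambda z: z.priority)):
        z.priority = i
    return rpzs

def parse_local_zone(lines):
    """Walled-garden local zone records in the page's space-separated format
    (name, optional TTL, class, type, rdata) -> {(name, type): rdata}."""
    out = {}
    for line in lines:
        parts = line.split()
        out[(parts[0].rstrip(".").lower(), parts[-2].upper())] = parts[-1]
    return out

def walled_garden_answer(local_zone, name, qtype):
    """Record the cache hands back for a query redirected to the walled garden."""
    return local_zone.get((name.rstrip(".").lower(), qtype.upper()))
```

Running the same query set with logs_and_stats_only set on a new feed, then comparing the log against production traffic, is the test the page describes; the Warning above still applies because zone_lookup runs for every query regardless of the flag.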
Ensure that at least one DNS cache exists on the BIG-IP system.
You can create a custom DNS profile to configure the BIG-IP system to cache responses to DNS queries.
- On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
- Click Create. The New DNS Profile screen opens.
- In the Name field, type a unique name for the profile.
- In the General Properties area, from the Parent Profile list, accept the default dns profile.
- Select the Custom check box.
- In the DNS Features area, from the DNS Cache list, select Enabled. When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list.
- In the DNS Features area, from the DNS Cache Name list, select the DNS cache that you want to associate with this profile. You can associate a DNS cache with a profile even when the DNS Cache option is Disabled.
- Click Finished.
Create listeners to identify the DNS queries that DNS Express handles. When DNS Express is only answering DNS queries, only two listeners are required: one with an IPv4 address that handles UDP traffic and one with an IPv6 address that handles UDP traffic.
However, the best practice is to create four listeners, which allows DNS Express to handle zone transfers, should you decide to use this feature. DNS zone transfers use TCP port 53. With this configuration, you create one listener with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic. You also create one listener with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic.
Tip: If you have multiple BIG-IP DNS systems in a device group, perform these steps on only one system.
Note: These steps apply only to BIG-IP DNS-provisioned systems.
- On the Main tab, click DNS > Delivery > Listeners. The Listeners List screen opens.
- Click Create. The Listeners properties screen opens.
- In the Name field, type a unique name for the listener.
- For the Destination setting, in the Address field, type an IPv4 address on which the BIG-IP system listens for DNS queries.
- From the Listener list, select Advanced.
- If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
- Optional: If you are using NATs on your network, for the Address Translation setting, select the Enabled check box.
- Optional: If you are using port translation on your network, for the Port Translation setting, select the Enabled check box.
- In the Service area, from the Protocol list, select UDP.
- In the Service area, from the DNS Profile list, select either dns or a custom DNS profile configured for DNS Express.
- Click Finished.
Create another listener with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more listeners, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.
Create virtual servers to process the DNS queries that DNS Express handles. When DNS Express is only answering DNS queries, only two virtual servers are required: one with an IPv4 address that handles UDP traffic and one with an IPv6 address that handles UDP traffic.
However, the best practice is to create four virtual servers, which allows DNS Express to handle zone transfers, should you decide to use this feature. DNS zone transfers use TCP port 53. With this configuration, you create one virtual server with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic. You also create one virtual server with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic.
Note: These steps apply only to LTM-provisioned systems.
- On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address/Mask field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
Note: The IP address for this field needs to be on the same subnet as the external self-IP.
- In the Service Port field, type 53.
- From the Protocol list, select UDP.
- Optional: If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
- Optional: From the SNAT pool list, select the name of an existing SNAT pool.
- From the Configuration list, select Advanced.
- From the DNS Profile list, select either dns or the custom DNS profile you created for DNS Express.
- Click Finished.
Create another virtual server with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more virtual servers, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.
You can view information about DNS zones.
- On the Main tab, click Statistics > Module Statistics > DNS > Zones. The Zones statistics screen opens.
- From the Statistics Type list, select Zones. Information displays about the traffic handled by the zones in the list.
- In the Details column for a zone, click View. Read the online help for an explanation of the statistics.
Ensure that you have created a DNS cache and a DNS profile and have assigned the profile to either an LTM virtual server or a BIG-IP DNS listener.
You can view DNS cache statistics to determine how well a specific cache on the BIG-IP system is performing.
- On the Main tab, click Statistics > Module Statistics > DNS > Caches. The DNS Caches Status Summary screen opens.
- From the Statistics Type list, select Caches.
- In the Details column for a cache, click View to display detailed information about the cache.
You can configure an RPZ on the BIG-IP system and allow other nameservers to perform zone transfers of the RPZ.
Warning: DNS Express supports only full zone transfers (AXFRs); therefore, transferring an RPZ from the BIG-IP system to another nameserver creates additional traffic on your internal network.
Ensure that you have created a DNS Express zone for the RPZ.
Enable the DNS Express zone for the RPZ to be a distribution point on your network to allow other nameservers to perform zone transfers of the RPZ.
- On the Main tab, click DNS > Zones. The Zone List screen opens.
- Click the name of the zone you want to modify.
- In the Zone Transfer Clients area, move the nameservers that can initiate zone transfers from the Available list to the Active list.
- Optional: From the TSIG Key list, select the TSIG key you want the BIG-IP system to use to validate zone transfer traffic.
- Click Update.
To enable the BIG-IP system to respond to zone transfer requests for an RPZ zone, create a custom DNS profile.
- On the Main tab, click DNS > Delivery > Profiles > DNS. The DNS profile list screen opens.
- Click Create. The New DNS Profile screen opens.
- In the General Properties area, name the profile dns_zxfr.
- Select the Custom check box.
- In the DNS Traffic area, from the Zone Transfer list, select Enabled.
- Click Finished.
Determine which DNS nameservers will make zone transfer requests for an RPZ.
Create listeners to alert the BIG-IP system to zone transfer requests for an RPZ.
Note: DNS zone transfers use TCP port 53.
Note: This task applies only to BIG-IP DNS-provisioned systems.
- On the Main tab, click DNS > Delivery > Listeners. The Listeners List screen opens.
- Click Create. The Listeners properties screen opens.
- In the Name field, type a unique name for the listener.
- For the Destination setting, in the Address field, type the IPv4 address on which the BIG-IP system listens for DNS zone transfer requests for a zone hosted on a pool of DNS servers.
- From the Listener list, select Advanced.
- From the VLAN Traffic list, select All VLANs.
- If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
- Optional: If you are using NATs on your network, for the Address Translation setting, select the Enabled check box.
- Optional: If you are using port translation on your network, for the Port Translation setting, select the Enabled check box.
- In the Service area, from the Protocol list, select TCP.
- In the Service area, from the DNS Profile list, select dns_zxfr (the custom profile you created to enable the BIG-IP system to process zone transfer requests).
- Click Repeat.
- Create another listener with the same settings, except using a different name and an IPv6 address.
- Click Finished.
Determine which DNS nameservers will make zone transfer requests for an RPZ.
Create virtual servers to alert the BIG-IP system to zone transfer requests for a RPZ.
Note: DNS zone transfers use TCP port 53.
Note: This task applies only to LTM-provisioned systems.
- On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address/Mask field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
Note: The IP address for this field needs to be on the same subnet as the external self-IP.
- In the Service Port field, type 53.
- From the Protocol list, select UDP.
- Optional: If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
- Optional: From the SNAT pool list, select the name of an existing SNAT pool.
- From the Configuration list, select Advanced.
- From the DNS Profile list, select the custom DNS profile you created.
- Click Finished.
Create another virtual server with the TCP protocol, but use an IPv6 address and configuration.