Our computer security incident response team (CSIRT) maintains a block list, a pass-through list and a denial-of-existence list. Domains may be added to these lists according to our DNS blocking policy.
This page describes how CSIRT manage their lists using the IP Register database.
The CSIRT management zone
To determine who can manage these lists, the CSIRT mzone has the members of CSIRT listed in the mzone_co table.
The CSIRT mzone has three real domains corresponding to the three lists: block.arpa.cam.ac.uk, nxdomain.arpa.cam.ac.uk, and passthru.arpa.cam.ac.uk.
It also has two special single-word domains, rpz-block and rpz-passthru, used as the targets of RPZ list entries. Note that these domains have no dots; they are just used as place-holders.
There are no IP subnets in the CSIRT mzone.
RPZ list entries
Each entry in the block, nxdomain or passthru list is a CNAME record. Entries can be added or removed using the IP Register cname_ops page.
Name
The name determines both which domain the listing applies to and which list it is on: whether that domain is blocked, passed through, or treated as nonexistent. It is the listed domain concatenated with the name of the list.
Blocked domains
To block naughty.baddies.example with a redirect to this web server, the name must be naughty.baddies.example.block.arpa.cam.ac.uk.
Pass-through domains
To un-block incorrectly.blocked.example, the name must be incorrectly.blocked.example.passthru.arpa.cam.ac.uk.
Deny existence of domains
To treat exists.example as nonexistent, the name must be exists.example.nxdomain.arpa.cam.ac.uk.
Target
The target of every entry in the block and nxdomain lists must be rpz-block, and the target of every entry in the passthru list must be rpz-passthru. These targets must be bare, with no parent domain: rpz-block, not rpz-block.arpa.cam.ac.uk.
(These names are chosen to be brief and informative. Although they resemble RPZ policy syntax, the policy actually applied is fixed by the DNS RPZ mechanism.)
Purpose
The purpose field of a DNS RPZ list entry is published on this web site, to note the reason for the listing.
Remarks
The remarks field is optional and can be used for notes that are not published here.
Search
Use the table_ops page to search for RPZ listings. Choose cname from the drop-down menu, and click the switch button. Type the partial domain into the name field, using % as a wildcard, then click search.
A list entry can also be modified or destroyed from the table_ops page, in a similar way to the cname_ops page.