Hi,

RPZ is just a simple feature to block/log/redirect DNS requests. It doesn't analyse DNS requests and responses or client behaviour. So RPZ can block a domain which is used for DNS Exfil/Infil/Tunneling, but to detect exfiltration you should use 3rd party tools/software (e.g. Infoblox Threat Insight). Also, do not forget that "qname-wait-recurse" should be switched off, and an RPZ with such domains must come before (e.g. first in order) any zone which contains IP/NS-based rules.

Vadim

> On 17 Jun 2018, at 08:43, Blason R <blaso...@gmail.com> wrote:
>
> Hi Team,
>
> Can someone please guide if DNS exfiltration techniques can be identified
> using DNS RPZ? Or do I need to install any other third party tool like IDS to
> identify the DNS beacon channels.
>
> Has anyone used DNS RPZ to block/detect data exfiltration?
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
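
Added example, not part of the original thread: a BIND `named.conf` fragment showing the two settings the reply mentions, with the domain-name policy zone listed first and `qname-wait-recurse` disabled so QNAME rules are applied without first recursing to the blocked domain's name servers. All zone names, file paths and sample records are hypothetical.

```conf
# Constructed example; zone names, paths and domains are placeholders.
options {
    recursion yes;

    response-policy {
        # QNAME-only zone with domains used for exfil/tunneling: first in order.
        zone "rpz-tunnel.example.local";
        # Zone holding IP/NS-based rules (rpz-ip, rpz-nsdname, rpz-nsip): after it.
        zone "rpz-ip-ns.example.local";
    } qname-wait-recurse no;   # do not wait for recursion before applying QNAME rules
};

zone "rpz-tunnel.example.local" {
    type master;
    file "/etc/bind/db.rpz-tunnel";
    allow-query { none; };
};
# Sample records for db.rpz-tunnel (block the domain and every label under it):
#   tunnel.example.net      CNAME .
#   *.tunnel.example.net    CNAME .

zone "rpz-ip-ns.example.local" {
    type master;
    file "/etc/bind/db.rpz-ip-ns";
    allow-query { none; };
};
# Sample records for db.rpz-ip-ns:
#   32.1.2.0.192.rpz-ip             CNAME .   ; answers containing 192.0.2.1
#   ns1.bad.example.rpz-nsdname     CNAME .   ; zones served by this name server

# RPZ only blocks and logs; the rewrite log can feed a separate detection tool.
logging {
    channel rpz_log {
        file "/var/log/named/rpz.log" versions 5 size 10m;
        print-time yes;
    };
    category rpz { rpz_log; };
};
```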