Implement a Protective DNS service
Learn how to implement and configure a Protective DNS cyber security service within your agency
After you have followed the application steps under ‘Use this service’ on the Protective DNS service page and your application form has been submitted, a cyber security specialist will contact you to finalise your service implementation.
Test your service
Once a specialist has confirmed onboarding is complete, and as an ongoing activity, you can test your implementation to ensure your DNS is protected. The test will display a green shield if protective DNS is enabled, and a red shield if it is not, in which case you can contact the CDC Support Centre at service@citec.com.au for assistance.
Blacklist configuration
Protective DNS can be used to prevent resolution of malicious domain names, usually URLs, by implementing one or more blacklists so that instead of returning the correct response to a query, the DNS server returns an NXDOMAIN (name does not exist), effectively black-holing the malicious host name or domain name. It provides access to a curated list of suspect domains that will be blocked when accessed including; Command & Control, Distribution points, Phishing sites and Malware.
RPZ Blacklist receives threat feeds from (38) various sources of malicious hostnames. These include CITEC-generated, licensed and open source options such as Spamhaus, Auscert, Palo Alto, OpenPhish, AlienVault, URLHaus and many more that are continually being added.
The difference between ‘slaving the zone’ and using CITEC DNS
There are some threat feeds that the Protective DNS service is unable to permit access to slave from our DNS servers due to contractual obligations. When slaving the zone you will receive access to approximately 1.5 million records. When using the WoG Protective DNS service, you will have access to approximately 6-10 million records.
QLD Government agencies are able to slave the rpz.blacklist file (approximately 200MB in size) onto our own DNS servers from a CITEC DNS Server, or simply configure CITEC as their upstream DNS provider.
If you need support, contact the CITEC Service Desk via email at service@citec.com.au and your request will be assessed by a SOC Engineer.
Frequently asked questions
What happens when I visit a site listed in the Protective DNS service Blacklist?
The lookup will return a “NXDOMAIN” - Return name does not exist message.
How do I test if the Protective DNS service is blocking the query?
There are two ways to perform this test:
- Lookup the site internally and verify that you receive a NXDOMAIN.
- Look up the name from a non-Queensland government network (such as your mobile phone) and observe the response.
If my site is blocked, how can I unblock it?
There are two ways to confirm what may be blocking your site and resolve the issue.
- Query a CITEC DNS Server for the associated TXT record (.rpz.blacklist) by typing the following command: nslookup -type=TXT .rpz.blacklist
- Search through your local copy.
If you need additional support, contact CITEC Service Desk.
How do I report false positives or add malicious domains?
Email CITEC Service Desk and your request will be assessed by a SOC Engineer.
CITEC Service Desk
Contact the CITEC Service Desk at service@citec.com.au for Protective DNS related technical support issues.
Cyber Security Unit
Contact the Cyber Security Unit (CSU) at CyberSecurityUnit@qld.gov.au if you need more information about the Protective DNS service.