Many cloud DNS providers, including OpenDNS, Heimdal, DNSFilter, Cloudflare, and Quad9, offer DNS filtering, whereby questions or answers deemed dangerous are answered dishonestly. This constructive dishonesty is a valuable security feature, and one which the US government recommended universally in an announcement in March 2021.
However, managed private networks that use DNS as a control and monitoring point for cybersecurity can’t or won’t push their DNS service into the cloud. For them, a DNS firewall called RPZ can be used to publish or subscribe to protective DNS filtering policy, which can be deployed locally using any open source DNS server or any DNS appliance. In this talk, Dr. Vixie will cover the motives, methods, and context of on-premises protective DNS.