DNS Servers have a built-in mechanism to allow a master DNS server to notify slave servers when there has been a change to the RPZ zone. This notification is issued to the slave servers on UDP port 53 and is called a NOTIFY packet (RFC 1996). Once the NOTIFY packet is received, the slave server will perform an SOA query to the master server and then perform a zone update if required.

Without these notifications, slave servers will only check for updates when the time to live (TTL) for the RPZ zone has expired (currently set to 2 hours). This means that if there are updates to your policy or to your user-defined lists, the changes may not take effect for up to 2 hours. Allowing notifications will ensure that any changes to your RPZ policy will be propagated as soon as they become available on the master DNS server.


To ensure that your DNS servers received the notifications sent by the ThreatSTOP servers, you will need to allow the following traffic:

DNS over UDP (recommended, but optional)

  • Source IP Range:
  • Destination: IP address of your DNS server(s) (IP address registered in the ThreatSTOP device configuration)
  • Inbound UDP port 53 (NOTIFY)

If your DNS server is behind NAT, You might need to enable port forwarding on your firewall to route the notification to your DNS server.