A DNS zone file that tells recursive resolvers how to handle queries for specific domains—block them, sinkhole them, or redirect them. RPZs let network operators enforce DNS-level policy without touching the authoritative nameservers.
In practice: your ISP, corporate network, or government uses RPZ to intercept queries for domains they want suppressed. A resolver checks the RPZ before answering. Match found? Return the policy response (usually 0.0.0.0 or a sinkhole IP). No match? Continue normal resolution.
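The check described above, as an added example that is not part of the original entry: a small model of a resolver's RPZ lookup over a constructed policy zone, using the standard QNAME-trigger encodings (CNAME . for NXDOMAIN, CNAME *. for NODATA, a local A record for a sinkhole, rpz-passthru. for an exception). The zone contents, the `.test` names and the `upstream` dict standing in for normal resolution are all made up for the example.

```python
# Added example: model of the resolver-side RPZ check. Zone data and names are constructed.
RPZ_ZONE = """
malware.test      CNAME .              ; NXDOMAIN for the apex name
*.malware.test    CNAME .              ; wildcard: subdomains (does NOT cover malware.test itself)
tracker.test      CNAME *.             ; NODATA: name exists, no records
blocked.test      A     0.0.0.0        ; local data: sinkhole / walled-garden answer
cdn.blocked.test  CNAME rpz-passthru.  ; exception: resolve this name normally
"""

def parse_rpz(text):
    """Parse '<owner> <type> <rdata>' lines (';' comments) into {owner: (type, rdata)}."""
    rules = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split()
        rules[owner.lower().rstrip(".")] = (rtype, rdata)
    return rules

def rpz_action(rules, qname):
    """Return the policy action for qname, or None when no QNAME trigger matches.

    Exact owner wins over a wildcard; wildcards are tried from closest enclosing
    name outward. Returns "NXDOMAIN", "NODATA", "PASSTHRU", "CNAME <target>",
    or the local rdata (e.g. "0.0.0.0").
    """
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in rules:
            rtype, rdata = rules[cand]
            if rtype == "CNAME":
                if rdata == ".":
                    return "NXDOMAIN"
                if rdata == "*.":
                    return "NODATA"
                if rdata.lower() == "rpz-passthru.":
                    return "PASSTHRU"
                return f"CNAME {rdata}"
            return rdata  # local data answer (A/AAAA) sent instead of the real one
    return None

def resolve(rules, qname, upstream):
    """RPZ first; fall through to `upstream` (a dict standing in for normal resolution)."""
    action = rpz_action(rules, qname)
    if action is None or action == "PASSTHRU":
        return upstream.get(qname.lower().rstrip("."), "NXDOMAIN")
    return action
```

Note that the separate apex and wildcard lines are needed because an RPZ wildcard only covers names below it, a common gap in hand-written policy zones.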
Why it matters: RPZs are the infrastructure behind DNS censorship, malware blocking, and copyright enforcement takedowns. They're invisible to end users but not to those watching traffic. A recursive resolver under your control bypasses RPZ policies entirely. Some registries and hosting providers use RPZ-like mechanisms to pre-emptively sink domains flagged for abuse—no court order needed, no transparency.
Related to DNS firewalls, sinkholing, and the broader cat-and-mouse game between censors and circumvention. RPZs are RFC 8112. Technically neutral; politically loaded.