Deny DNS Resolution for some specific range

Hi All,

How can I configure Infoblox DNS so that any client in the range 10.120.0.0/26 does not resolve any query for any website, except for the website with IP address 54.77.70.213, for example?
That is, the clients in the range 10.120.0.0/26 are only allowed to resolve queries for the website 54.77.70.213; any other website they try to resolve is denied resolution.

I appreciate your help.

 

Regards,

Paulo Fragoso

Mobile Data Engineering


Answers

  • Ok, this sounds a bit odd, I'm not sure why you are trying to do this, but anyway, you may be able to do it using a view with a match-clients list of 10.120.0.0/26. That's the first part of the equation, but you need to figure out what happens if any other clients query this DNS server, because you may or may not need to configure a second view to catch everything else (else you will end up breaking resolution for all other clients).

    Inside this view, you could have one zone defined for the web server name you are trying to resolve. The IP address you mention appears to be part of AWS:

    >dig -x 54.77.70.213 +short
    ec2-54-77-70-213.eu-west-1.compute.amazonaws.com.

    So you could either create an authoritative zone for "eu-west-1.compute.amazonaws.com" that just contains this single host entry, or you could create a forwarding zone and forward the query to the AWS name servers.

    If you also add a root zone (.) into this view then the server will not try and answer queries for anything else, it will just reply with NXDOMAIN.

    This should do what you want.

    Regards,

    Paul

  • Hi Paul Roberts,

    Thanks for the answer.

    I tested it in my lab and it looks OK.
    I created a new View "Paulo_Test_View" and inside it an "eu-west-1.compute.amazonaws.com" zone with the host record "ec2-54-77-70-213 Host 54.77.70.213". Please confirm if it is correct.

    But I have some doubts:

    1) When creating the View, is it necessary or not to "Enable Recursion" for this case?
    2) Within the test View, when I added a root zone (.), the "eu-west-1.compute.amazonaws.com" zone disappeared inside the view. Is this behavior normal?

    Regards,
    Paulo Fragoso

  • 1) It depends what you want to do; don't enable recursion unless you need to.

    2) That's correct, you can either drill down through the root zone or toggle the flat/hierarchical view.

  • Hi Paul,

    Thanks for your feedback.

    I made the configuration as recommended but it is not working. It is possible to open any website, which was not expected.

    Maybe something is missing in the configuration to make it work.

    If you have any other opinion or suggestion it will be very appreciated.

    Regards,

    Paulo Fragoso

  • View your DNS configuration and cut and paste it here - I'll take a look.


  • Hi Paul

    As requested below:

    View:

    header-view,name*,_new_name,comment,custom_root_name_servers,ddns_principal_group,ddns_principal_tracking,ddns_restrict_patterns,ddns_restrict_patterns_list,ddns_restrict_protected,ddns_restrict_secure,ddns_restrict_static,disable,dns64_groups,enable_blacklist,enable_dns64,enable_match_recursive_only,filter_aaaa,filter_aaaa_list,forwarders,forwarders_only,lame_ttl,match_clients,match_destinations,max_cache_ttl,max_ncache_ttl,network_view,nxdomain_log_query,nxdomain_redirect,nxdomain_redirect_addresses,nxdomain_redirect_ttl,nxdomain_rulesets,recursion,root_name_server_type,rpz_drop_ip_rule_enabled,rpz_drop_ip_rule_min_prefix_length_ipv4,rpz_drop_ip_rule_min_prefix_length_ipv6
    view Test_View         FALSE   FALSE   FALSE 10.144.8.32/28/ALLOW,10.144.10.32/28/ALLOW default FALSE    TRUE

    Zone:

    header-authzone,fqdn*,zone_format*,allow_active_dir,allow_query,allow_transfer,allow_update,allow_update_forwarding,comment,create_underscore_zones,ddns_principal_group,ddns_principal_tracking,ddns_restrict_patterns,ddns_restrict_patterns_list,ddns_restrict_protected,ddns_restrict_secure,ddns_restrict_static,disable_forwarding,disabled,external_primaries,external_secondaries,grid_primaries,grid_secondaries,is_multimaster,notify_delay,ns_group,prefix,_new_prefix,soa_default_ttl,soa_email,soa_expire,soa_mnames,soa_negative_ttl,soa_refresh,soa_retry,soa_serial_number,update_forwarding,view,zone_type
    authzone,eu-west-1.compute.amazonaws.com,FORWARD,,,,,,,False,,,,,,,,False,False,,,,,True,,DNS_Gi_Group,,,,,,,,,,2,,Test_View,Authoritative

    Zonechilds:

    header-hostaddress,address*,_new_address,parent*,boot_file,boot_server,broadcast_address,configure_for_dhcp,configure_for_dns,deny_bootp,domain_name,domain_name_servers,ignore_dhcp_param_request_list,lease_time,mac_address,match_option,network_view,next_server,option_logic_filters,pxe_lease_time,pxe_lease_time_enabled,routers,use_for_ea_inheritance,view
    header-hostrecord,fqdn*,_new_fqdn,addresses,aliases,cli_credentials,comment,configure_for_dns,_new_configure_for_dns,created_timestamp,creator_member,ddns_protected,disabled,enable_discovery,enable_immediate_discovery,ipv6_addresses,network_view,override_cli_credentials,override_credential,snmpv1v2_credential,snmpv3_credential,ttl,use_snmpv3_credential,view
    hostrecord,ec2-54-77-70-213.eu-west-1.compute.amazonaws.com,,54.77.70.213,,,,True,,,,False,False,True,False,,default,False,False,,,,False,Test_View
    hostaddress,54.77.70.213,,ec2-54-77-70-213.eu-west-1.compute.amazonaws.com,,,,False,True,,,,,,,,default,,,,,,True,Test_View

    Regards,

    Paulo Fragoso

  • Sorry I was actually after the named.conf file, which you can get by viewing the DNS configuration.

  • Hi Paul,

    As requested below:

    # Test_View
    view "6" { # Test_View
        match-clients { key DHCP_UPDATER6; !all_dns_views_updater_keys; 10.144.8.32/28; 10.144.10.32/28; };
        match-destinations { any; };
        recursion yes;
        additional-from-cache yes;
        infoblox-blacklist-redirect { 41.78.18.146; }; # configuration digest {12da497d2123bbb79ab20e2d532c92f}
        lame-ttl 600;
        max-cache-ttl 604800;
        max-ncache-ttl 10800;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-accept-expired no;
        filter-aaaa-on-v4 no;
        zone "." in {
            type hint;
            file "named.cache.6";
        };
        zone "0.0.127.in-addr.arpa" in {
            type master;
            database infoblox_zdb;
            masterfile-format raw;
            file "azd/db.0.0.127.in-addr.arpa.6";
        };
        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in {
            type master;
            database infoblox_zdb;
            masterfile-format raw;
            file "azd/db.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.6";
        };
        zone "eu-west-1.compute.amazonaws.com" in { # eu-west-1.compute.amazonaws.com
            type master;
            database infoblox_zdb;
            infoblox-multi-master automatic;
            masterfile-format raw;
            file "azd/db.eu-west-1.compute.amazonaws.com.6";
            notify yes;
        };
    };

    # Zone OID composite: 290799

    Regards,

    Paulo Fragoso

  • Hi,

    This has recursion enabled and is expected to resolve all the domains. You may turn off recursion, and then only records defined in eu-west-1.compute.amazonaws.com will get answered and all other queries will get a REFUSED response.

    Another caveat to this method is that you will get a REFUSED for a query that has a CNAME (if at all there are any) to eu-west-1.compute.amazonaws.com, and you may have to add those once someone reports them.

    Do you have an RPZ license for the DNS member that is handling this? If so, you could try to achieve this using a combination of Block IP address/network in RPZ and a passthrough IP address.

    The method that employs the RPZ member uses more resources as it checks all the queries.

    Hope this helps.

    Regards,

    Syam.

  • Sorry for the tardy response, your root zone is using hints (the default)...

    zone "." in {
        type hint;
        file "named.cache.6";
    };

    If you define the root zone "." in Infoblox and assign a primary name server to it you will answer everything else as NXDOMAIN.
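    The answers above boil down to three checks on the view that serves the restricted range: it must list that range in match-clients, it must have recursion off, and its root zone "." must be authoritative (type master) rather than hints. The following script is an added example, not code from this thread or from Infoblox: it parses a BIND-style named.conf (the format Infoblox exports) and reports which of those conditions fail. It embeds a trimmed copy of the view posted above, plus a constructed hardened version for the 10.120.0.0/26 range from the original question; the view names "restricted" and "everyone-else", the zone file names and the catch-all view in that hardened copy are assumptions.

```python
"""Audit a BIND-style named.conf for an allow-list DNS view (added example).
The restricted view must match the client range, have recursion off, and
own the root zone "." as master so names outside its zones get NXDOMAIN."""
import re


def tokenize(text):
    """Drop # and // comments, then split into { } ; quoted strings and bare words."""
    text = re.sub(r'(#|//)[^\n]*', '', text)
    return re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text)


def parse_block(tokens, i=0):
    """Return (statements, next_index); a statement is (words, children-or-None)."""
    stmts, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == '{':
            children, i = parse_block(tokens, i)
            stmts.append((words, children))
            words = []
        elif tok == '}':
            return stmts, i
        elif tok == ';':
            if words:
                stmts.append((words, None))
            words = []
        else:
            words.append(tok.strip('"'))
    return stmts, i


def audit_views(conf_text, client_prefix):
    """Return findings for the view whose match-clients contains client_prefix."""
    findings, matched = [], False
    for words, children in parse_block(tokenize(conf_text))[0]:
        if words[:1] != ['view'] or children is None:
            continue
        name = words[1]
        clients, recursion, root_type, zones = [], None, None, []
        for w, c in children:
            if w[0] == 'match-clients' and c:
                clients = [' '.join(x) for x, _ in c]
            elif w[0] == 'recursion' and len(w) > 1:
                recursion = w[1]
            elif w[0] == 'zone' and c:
                ztype = next((x[1] for x, _ in c if x[:1] == ['type']), None)
                if w[1] == '.':
                    root_type = ztype
                else:
                    zones.append(w[1])
        if client_prefix not in clients:
            continue  # this view does not serve the restricted clients
        matched = True
        if recursion != 'no':
            findings.append(f'view "{name}": recursion is {recursion!r}; set "recursion no" '
                            'or the view resolves every name for these clients')
        if root_type != 'master':
            findings.append(f'view "{name}": root zone type is {root_type!r}; make "." an '
                            'authoritative master zone so other names get NXDOMAIN')
        if not zones:
            findings.append(f'view "{name}": no allow-listed zone is defined')
    if not matched:
        findings.append(f'no view lists {client_prefix} in match-clients; '
                        'those clients fall through to another view')
    return findings


# Constructed copy of the view posted in this thread, trimmed to the relevant statements.
POSTED_CONF = '''
view "6" { # Test_View
    match-clients { key DHCP_UPDATER6; !all_dns_views_updater_keys; 10.144.8.32/28; 10.144.10.32/28; };
    match-destinations { any; };
    recursion yes;
    zone "." in { type hint; file "named.cache.6"; };
    zone "eu-west-1.compute.amazonaws.com" in {
        type master;
        file "azd/db.eu-west-1.compute.amazonaws.com.6";
    };
};
'''

# Constructed hardened version for the range in the original question; the view
# names, file names and the catch-all view are assumptions, not from the thread.
HARDENED_CONF = '''
view "restricted" {
    match-clients { 10.120.0.0/26; };
    recursion no;
    zone "." in { type master; file "db.empty-root"; };   # authoritative empty root
    zone "eu-west-1.compute.amazonaws.com" in { type master; file "db.eu-west-1"; };
};
view "everyone-else" {            # catch-all so other clients keep normal resolution
    match-clients { any; };
    recursion yes;
    zone "." in { type hint; file "named.cache"; };
};
'''

if __name__ == '__main__':
    for label, conf, prefix in [('posted', POSTED_CONF, '10.144.8.32/28'),
                                ('posted', POSTED_CONF, '10.120.0.0/26'),
                                ('hardened', HARDENED_CONF, '10.120.0.0/26')]:
        print(f'{label} / {prefix}: {audit_views(conf, prefix) or ["OK"]}')
```

    Run against the posted view with its own prefix, the audit reports the two problems raised in the replies (recursion on, root zone as hints); run with 10.120.0.0/26 it points out that the posted view does not match that range at all, so those clients would land in whichever other view catches them. The hardened copy passes cleanly. The parser ignores Infoblox-specific statements such as database or infoblox-multi-master, so it can be pointed at a full export.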

