Deny DNS Resolution for some specific range
Hi All,
How can I configure Infoblox DNS so that any client in the range 10.120.0.0/26 cannot resolve any query for any website, except for the website with IP address 54.77.70.213, for example?
That is, the clients in the range 10.120.0.0/26 are only allowed to resolve queries for the website 54.77.70.213; resolution of any other website they try to resolve is denied.
I appreciate your help.
Regards,
Paulo Fragoso
Mobile Data Engineering
Answers
-
Ok, this sounds a bit odd, I'm not sure why you are trying to do this, but anyway, you may be able to do it using a view with a match-clients list of 10.120.0.0/26. That's the first part of the equation, but you need to figure out what happens if any other clients query this DNS server, because you may or may not need to configure a second view to catch everything else (else you will end up breaking resolution for all other clients).
Inside this view, you could have one zone defined for the web server name you are trying to resolve. The IP address you mention appears to be part of AWS:
> dig -x 54.77.70.213 +short
ec2-54-77-70-213.eu-west-1.compute.amazonaws.com.
So you could either create an authoritative zone for "eu-west-1.compute.amazonaws.com" that just contains this single host entry, or you could create a forwarding zone and forward the query to the AWS name servers.
If you also add a root zone (.) into this view then the server will not try and answer queries for anything else, it will just reply with NXDOMAIN.
This should do what you want.
Regards,
Paul
1 -
Hi Paul Roberts,
Thanks for the answer.
I tested in my lab and it looks OK.
I created a new View "Paulo_Test_View" and inside it a "eu-west-1.compute.amazonaws.com" zone with the host record "ec2-54-77-70-213 Host 54.77.70.213". Please confirm whether this is correct.
But I have some doubts:
1) When creating the View, is it necessary or not to "Enable Recursion" for this case?
2) Within the test View, when I added a root zone (.), the "eu-west-1.compute.amazonaws.com" zone disappeared inside the view. Is this behavior normal?
Regards,
Paulo Fragoso
0 -
1) It depends what you want to do; don't enable recursion unless you need to.
2) That's correct, you can either drill down through the root zone or toggle the flat/hierarchical view.
0 -
Hi Paul,
Thanks for your feedback.
I made the configuration as recommended but it is not working. It is possible to open any website, which was not expected.
Maybe something is missing in the configuration to make it work.
If you have any other opinion or suggestion, it would be very much appreciated.
Regards,
Paulo Fragoso
0 -
View your DNS configuration and cut and paste it here - I'll take a look.
0 -
Hi Paul
As requested below:
View:
header-view name* _new_name comment custom_root_name_servers ddns_principal_group ddns_principal_tracking ddns_restrict_patterns ddns_restrict_patterns_list ddns_restrict_protected ddns_restrict_secure ddns_restrict_static disable dns64_groups enable_blacklist enable_dns64 enable_match_recursive_only filter_aaaa filter_aaaa_list forwarders forwarders_only lame_ttl match_clients match_destinations max_cache_ttl max_ncache_ttl network_view nxdomain_log_query nxdomain_redirect nxdomain_redirect_addresses nxdomain_redirect_ttl nxdomain_rulesets recursion root_name_server_type rpz_drop_ip_rule_enabled rpz_drop_ip_rule_min_prefix_length_ipv4 rpz_drop_ip_rule_min_prefix_length_ipv6
view Test_View FALSE FALSE FALSE 10.144.8.32/28/ALLOW,10.144.10.32/28/ALLOW default FALSE TRUE
Zone:
header-authzone,fqdn*,zone_format*,allow_active_dir,allow_query,allow_transfer,allow_update,allow_update_forwarding,comment,create_underscore_zones,ddns_principal_group,ddns_principal_tracking,ddns_restrict_patterns,ddns_restrict_patterns_list,ddns_restrict_protected,ddns_restrict_secure,ddns_restrict_static,disable_forwarding,disabled,external_primaries,external_secondaries,grid_primaries,grid_secondaries,is_multimaster,notify_delay,ns_group,prefix,_new_prefix,soa_default_ttl,soa_email,soa_expire,soa_mnames,soa_negative_ttl,soa_refresh,soa_retry,soa_serial_number,update_forwarding,view,zone_type
authzone,eu-west-1.compute.amazonaws.com,FORWARD,,,,,,,False,,,,,,,,False,False,,,,,True,,DNS_Gi_Group,,,,,,,,,,2,,Test_View,Authoritative
Zone children:
header-hostaddress,address*,_new_address,parent*,boot_file,boot_server,broadcast_address,configure_for_dhcp,configure_for_dns,deny_bootp,domain_name,domain_name_servers,ignore_dhcp_param_request_list,lease_time,mac_address,match_option,network_view,next_server,option_logic_filters,pxe_lease_time,pxe_lease_time_enabled,routers,use_for_ea_inheritance,view
header-hostrecord,fqdn*,_new_fqdn,addresses,aliases,cli_credentials,comment,configure_for_dns,_new_configure_for_dns,created_timestamp,creator_member,ddns_protected,disabled,enable_discovery,enable_immediate_discovery,ipv6_addresses,network_view,override_cli_credentials,override_credential,snmpv1v2_credential,snmpv3_credential,ttl,use_snmpv3_credential,view
hostrecord,ec2-54-77-70-213.eu-west-1.compute.amazonaws.com,,54.77.70.213,,,,True,,,,False,False,True,False,,default,False,False,,,,False,Test_View
hostaddress,54.77.70.213,,ec2-54-77-70-213.eu-west-1.compute.amazonaws.com,,,,False,True,,,,,,,,default,,,,,,True,Test_View
Regards,
Paulo Fragoso
0 -
Sorry, I was actually after the named.conf file, which you can get by viewing the DNS configuration.
0 -
Hi Paul,
As requested below:
# Test_View
view "6" { # Test_View
    match-clients { key DHCP_UPDATER6; !all_dns_views_updater_keys; 10.144.8.32/28; 10.144.10.32/28; };
    match-destinations { any; };
    recursion yes;
    additional-from-cache yes;
    infoblox-blacklist-redirect { 41.78.18.146; }; # configuration digest {12da497d2123bbb79ab20e2d532c92f}
    lame-ttl 600;
    max-cache-ttl 604800;
    max-ncache-ttl 10800;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-accept-expired no;
    filter-aaaa-on-v4 no;
    zone "." in {
        type hint;
        file "named.cache.6";
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        database infoblox_zdb;
        masterfile-format raw;
        file "azd/db.0.0.127.in-addr.arpa.6";
    };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in {
        type master;
        database infoblox_zdb;
        masterfile-format raw;
        file "azd/db.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.6";
    };
    zone "eu-west-1.compute.amazonaws.com" in { # eu-west-1.compute.amazonaws.com
        type master;
        database infoblox_zdb;
        infoblox-multi-master automatic;
        masterfile-format raw;
        file "azd/db.eu-west-1.compute.amazonaws.com.6";
        notify yes;
    };
}; # Zone OID composite: 290799
Regards,
Paulo Fragoso
0 -
Hi,
This has recursion enabled and is expected to resolve all the domains. You may turn off recursion; then only records defined in eu-west-1.compute.amazonaws.com will get answered and all other queries will get a REFUSED response.
Another caveat to this method is that you will get a REFUSED for a query that has a CNAME (if at all there are any) to eu-west-1.compute.amazonaws.com, and you may have to add them once someone reports it.
Do you have an RPZ license for the DNS member that is handling this? If so, you could try to achieve this using a combination of a Block IP address/network rule in RPZ and a passthrough IP address.
The method that employs the RPZ member uses more resources, as it checks all the queries.
Hope this helps.
Regards,
Syam.
0 -
Sorry for the tardy response, your root zone is using hints (the default)...
zone "." in {
    type hint;
    file "named.cache.6";
};
If you define the root zone "." in Infoblox and assign a primary name server to it, you will answer everything else as NXDOMAIN.
0
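Put together from Paul's first answer and his last reply, here is what that setup looks like as plain BIND named.conf. This is an added example, not configuration from the thread or from Infoblox (whose GUI generates the equivalent): a restricted view matched by the 10.120.0.0/26 range from the question, recursion switched off, an authoritative root zone so everything outside the permitted zone is answered NXDOMAIN, and a catch-all view so other clients keep resolving. The acl name, view names and file names are assumptions.

```conf
// Added example (not the thread's configuration). BIND evaluates views in
// order and the first match-clients hit wins, so the restricted view must
// come before the catch-all.
acl "restricted-clients" { 10.120.0.0/26; };   // range from the question

view "restricted" {
    match-clients { restricted-clients; };
    match-destinations { any; };
    recursion no;                  // nothing is looked up on these clients' behalf

    // Authoritative root zone (type master, not hint). Any name that is not
    // under a more specific zone in this view is answered NXDOMAIN, which is
    // what Paul describes; in Infoblox this is creating zone "." with the
    // member as primary. The file (assumed name) needs only an SOA record and
    // an NS record pointing at this server.
    zone "." {
        type master;
        file "db.restricted-root";
    };

    // The single zone these clients may resolve, holding the host record from
    // the thread (ec2-54-77-70-213 -> 54.77.70.213).
    zone "eu-west-1.compute.amazonaws.com" {
        type master;
        file "db.eu-west-1.compute.amazonaws.com";
    };
};

// Catch-all view. Without it, clients outside 10.120.0.0/26 match no view and
// are refused, which is the "breaking resolution for all other clients"
// caveat in Paul's first answer.
view "default" {
    match-clients { any; };
    recursion yes;

    zone "." {
        type hint;
        file "named.cache";
    };
};
```

Expected behaviour when checking from a client inside 10.120.0.0/26: a query for ec2-54-77-70-213.eu-west-1.compute.amazonaws.com returns 54.77.70.213, and a query for any other name returns an authoritative NXDOMAIN. From a client outside the range the default view recurses as usual. The two replies in the thread differ only in the root zone: with recursion off but the root zone left as `type hint` (Paulo's configuration after Syam's advice), out-of-zone queries come back REFUSED; with the root zone authoritative as above, they come back NXDOMAIN, which Paul's last reply recommends.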