Deny DNS Resolution for some specific range

Authority
Posts: 15

Hi All,

How can I configure Infoblox DNS so that any client in the range 10.120.0.0/26 does not resolve any query for any website, except for the website with IP address 54.77.70.213, for example?
That is, the clients in the range 10.120.0.0/26 are only allowed to resolve queries for the website 54.77.70.213; resolution of any other website they try to resolve is denied.

I appreciate your help.

Regards,

Paulo Fragoso

Mobile Data Engineering

Re: Deny DNS Resolution for some specific range

Expert
Posts: 234

Ok, this sounds a bit odd, I'm not sure why you are trying to do this, but anyway, you may be able to do it using a view with a match-clients list of 10.120.0.0/26. That's the first part of the equation, but you need to figure out what happens if any other clients query this DNS server, because you may or may not need to configure a second view to catch everything else (otherwise you will end up breaking resolution for all other clients).

Inside this view, you could have one zone defined for the web server name you are trying to resolve. The IP address you mention appears to be part of AWS:

>dig -x 54.77.70.213 +short
ec2-54-77-70-213.eu-west-1.compute.amazonaws.com.

So you could either create an authoritative zone for "eu-west-1.compute.amazonaws.com" that just contains this single host entry, or you could create a forwarding zone and forward the query to the AWS name servers.

If you also add a root zone (.) into this view then the server will not try to answer queries for anything else, it will just reply with NXDOMAIN.

This should do what you want.

Regards,

Paul

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Deny DNS Resolution for some specific range

Authority
Posts: 15

Hi Paul Roberts,

Thanks for the answer.

I tested in my lab and it looks OK.
I created a new View "Paulo_Test_View" and inside it a "eu-west-1.compute.amazonaws.com" zone with the host record "ec2-54-77-70-213 Host 54.77.70.213". Please confirm whether this is correct.

But I have some doubts:

1) When creating the View, is it necessary or not to "Enable Recursion" for this case?
2) Within the test View, when I added a root zone (.), the "eu-west-1.compute.amazonaws.com" zone disappeared inside the view. Is this behavior normal?

Regards,
Paulo Fragoso

Re: Deny DNS Resolution for some specific range

Expert
Posts: 234

1) It depends what you want to do, don't enable recursion unless you need to.

2) That's correct, you can either drill down through the root zone or toggle the flat/hierarchical view.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Deny DNS Resolution for some specific range

Authority
Posts: 15

Hi Paul,

Thanks for your feedback.

I made the configuration as recommended but it is not working. It is possible to open any website, which was not expected.

Maybe something is missing in the configuration to make it work.

If you have any other opinion or suggestion it will be very appreciated.

Regards,

Paulo Fragoso

Re: Deny DNS Resolution for some specific range

Expert
Posts: 234

View your DNS configuration and cut and paste it here - I'll take a look.


Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Deny DNS Resolution for some specific range

Authority
Posts: 15

Hi Paul,

As requested below:

View:

header-viewname*_new_namecommentcustom_root_name_serversddns_principal_groupddns_principal_trackingddns_restrict_patternsddns_restrict_patterns_listddns_restrict_protectedddns_restrict_secureddns_restrict_staticdisabledns64_groupsenable_blacklistenable_dns64enable_match_recursive_onlyfilter_aaaafilter_aaaa_listforwardersforwarders_onlylame_ttlmatch_clientsmatch_destinationsmax_cache_ttlmax_ncache_ttlnetwork_viewnxdomain_log_querynxdomain_redirectnxdomain_redirect_addressesnxdomain_redirect_ttlnxdomain_rulesetsrecursionroot_name_server_typerpz_drop_ip_rule_enabledrpz_drop_ip_rule_min_prefix_length_ipv4rpz_drop_ip_rule_min_prefix_length_ipv6
viewTest_View         FALSE   FALSE   FALSE 10.144.8.32/28/ALLOW,10.144.10.32/28/ALLOWdefaultFALSE    TRUE

Zone:

header-authzone,fqdn*,zone_format*,allow_active_dir,allow_query,allow_transfer,allow_update,allow_update_forwarding,comment,create_underscore_zones,ddns_principal_group,ddns_principal_tracking,ddns_restrict_patterns,ddns_restrict_patterns_list,ddns_restrict_protected,ddns_restrict_secure,ddns_restrict_static,disable_forwarding,disabled,external_primaries,external_secondaries,grid_primaries,grid_secondaries,is_multimaster,notify_delay,ns_group,prefix,_new_prefix,soa_default_ttl,soa_email,soa_expire,soa_mnames,soa_negative_ttl,soa_refresh,soa_retry,soa_serial_number,update_forwarding,view,zone_type
authzone,eu-west-1.compute.amazonaws.com,FORWARD,,,,,,,False,,,,,,,,False,False,,,,,True,,DNS_Gi_Group,,,,,,,,,,2,,Test_View,Authoritative

Zonechilds:

header-hostaddress,address*,_new_address,parent*,boot_file,boot_server,broadcast_address,configure_for_dhcp,configure_for_dns,deny_bootp,domain_name,domain_name_servers,ignore_dhcp_param_request_list,lease_time,mac_address,match_option,network_view,next_server,option_logic_filters,pxe_lease_time,pxe_lease_time_enabled,routers,use_for_ea_inheritance,view
header-hostrecord,fqdn*,_new_fqdn,addresses,aliases,cli_credentials,comment,configure_for_dns,_new_configure_for_dns,created_timestamp,creator_member,ddns_protected,disabled,enable_discovery,enable_immediate_discovery,ipv6_addresses,network_view,override_cli_credentials,override_credential,snmpv1v2_credential,snmpv3_credential,ttl,use_snmpv3_credential,view
hostrecord,ec2-54-77-70-213.eu-west-1.compute.amazonaws.com,,54.77.70.213,,,,True,,,,False,False,True,False,,default,False,False,,,,False,Test_View
hostaddress,54.77.70.213,,ec2-54-77-70-213.eu-west-1.compute.amazonaws.com,,,,False,True,,,,,,,,default,,,,,,True,Test_View

Regards,

Paulo Fragoso

Re: Deny DNS Resolution for some specific range

Expert
Posts: 234

Sorry, I was actually after the named.conf file, which you can get by viewing the DNS configuration.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Deny DNS Resolution for some specific range

Authority
Posts: 15

Hi Paul,

As requested below:

# Test_View
view "6" { # Test_View
match-clients { key DHCP_UPDATER6; !all_dns_views_updater_keys; 10.144.8.32/28; 10.144.10.32/28; };
match-destinations { any; };
recursion yes;
additional-from-cache yes;
infoblox-blacklist-redirect { 41.78.18.146; }; # configuration digest {12da497d2123bbb79ab20e2d532c92f}
lame-ttl 600;
max-cache-ttl 604800;
max-ncache-ttl 10800;
dnssec-enable yes;
dnssec-validation yes;
dnssec-accept-expired no;
filter-aaaa-on-v4 no;
zone "." in {
type hint;
file "named.cache.6";
};
zone "0.0.127.in-addr.arpa" in {
type master;
database infoblox_zdb;
masterfile-format raw;
file "azd/db.0.0.127.in-addr.arpa.6";
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in {
type master;
database infoblox_zdb;
masterfile-format raw;
file "azd/db.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.6";
};
zone "eu-west-1.compute.amazonaws.com" in { # eu-west-1.compute.amazonaws.com
type master;
database infoblox_zdb;
infoblox-multi-master automatic;
masterfile-format raw;
file "azd/db.eu-west-1.compute.amazonaws.com.6";
notify yes;
};
};

# Zone OID composite: 290799

Regards,

Paulo Fragoso

Re: Deny DNS Resolution for some specific range

Moderator syam
Posts: 66

Hi,

This has recursion enabled and is expected to resolve all the domains. You may turn off recursion, and then only records defined in eu-west-1.compute.amazonaws.com will get answered and all other queries will get a REFUSED response.

Another caveat to this method is that you will get a REFUSED for a query that has a CNAME (if there are any at all) to eu-west-1.compute.amazonaws.com, and you may have to add those once someone reports them.

Do you have an RPZ license for the DNS member that is handling this? If so, you could try to achieve this using a combination of Block IP address/network in RPZ and a passthrough IP address.

The method that employs RPZ on the member uses more resources, as it checks all the queries.

Hope this helps.

Regards,

Syam.

Re: Deny DNS Resolution for some specific range

Expert
Posts: 234

Sorry for the tardy response, your root zone is using hints (the default)...

zone "." in {
type hint;
file "named.cache.6";
};

If you define the root zone "." in Infoblox and assign a primary name server to it you will answer everything else as NXDOMAIN.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
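As an added illustration of the approach Paul and Syam describe (this is not the thread's own configuration and not an Infoblox-generated named.conf), here is the equivalent in plain BIND syntax: a restricted view for 10.120.0.0/26 with recursion off, the single-host zone, and an authoritative (not hint) root zone, followed by a catch-all view so every other client keeps normal resolution. The view names, zone file names and the placeholder name server names are assumptions.

```bind
// Restricted view: only clients in 10.120.0.0/26 match it.
view "restricted" {
    match-clients { 10.120.0.0/26; };
    // Recursion off: the server answers only from zones it holds.
    // Without the root zone below, other names would get REFUSED.
    recursion no;

    // The one name the clients may resolve. (Paul's alternative: make
    // this "type forward" with the AWS name servers as forwarders.)
    zone "eu-west-1.compute.amazonaws.com" {
        type master;
        file "db.restricted.eu-west-1.compute.amazonaws.com";
    };

    // Authoritative root zone: the server now "owns" the whole namespace,
    // so any name outside the zone above is answered with NXDOMAIN and
    // root hints are never consulted.
    zone "." {
        type master;
        file "db.restricted.root";
    };
};

// Catch-all view. Views are matched in order, and a client that matches
// no view is refused, so this must come after the restricted view.
view "everyone-else" {
    match-clients { any; };
    recursion yes;
    zone "." {
        type hint;
        file "named.root";
    };
};

// db.restricted.root (assumed file name), minimal contents:
//   $TTL 3600
//   @  IN SOA ns.restricted.example. hostmaster.restricted.example. 1 3600 900 604800 3600
//   @  IN NS  ns.restricted.example.
//   ns.restricted.example. IN A 10.120.0.1
//
// db.restricted.eu-west-1.compute.amazonaws.com (assumed file name):
//   $TTL 3600
//   @  IN SOA ns.restricted.example. hostmaster.restricted.example. 1 3600 900 604800 3600
//   @  IN NS  ns.restricted.example.
//   ec2-54-77-70-213  IN A  54.77.70.213
```

After loading, a query from 10.120.0.0/26 for ec2-54-77-70-213.eu-west-1.compute.amazonaws.com returns the A record, a query for any other name returns NXDOMAIN, and the same queries from any other client are resolved normally by the second view.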