
How to test with RPZ?

TSun
Techie
Posts: 11

Hi, 

 

I'm new to using RPZ in Infoblox NIOS 7.0. I've used Blacklist Rulesets before, so I thought using RPZ for my bad domains would be similar.

 

The way I test with a Blacklist Ruleset is to make a machine use the local DNS server in Infoblox, and it works. However, testing the same way, I'm not able to test with the RPZ zone I created, which includes some rules.

 

Can anyone help me with it? I'd really appreciate it.

Re: How to test with RPZ?

Jamison_Utter
Techie
Posts: 11

The easiest test is to format a list of bad (or suspected bad) domains into a text file. Imagine a list like this:

Bad.com
thief.com
suspect.org

 

Then feed that file into dig using the -f (file) flag. If you're using Windows you can get dig from the BIND toolkit; otherwise it should be available from a Mac terminal or Linux terminal.

 

Does that help?


Jamison Utter
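The batch test described above, as an added example (not Infoblox tooling, and not code from the post): it writes a suspect list to a file, runs `dig @resolver -f file` against it, and classifies each answer by RCODE and answer section. The resolver address 192.0.2.53, the suspect list and the sample dig output are constructed for this example; the expected behaviour (abb.com substituted, facebook.com returning NXDOMAIN) follows the cases discussed later in the thread.

```python
"""Batch-test a resolver's RPZ policy with dig -f and classify each answer.

Added example for the forum thread; not Infoblox tooling. The resolver
address, domain list and SAMPLE_DIG_OUTPUT below are constructed.
"""
import re
import shutil
import subprocess
import tempfile
from typing import Dict, List, Tuple

# Constructed suspect list: abb.com is expected to be substituted, facebook.com
# blocked with NXDOMAIN, and example.com is a control that should pass through.
SUSPECT_DOMAINS = ["abb.com", "facebook.com", "example.com"]


def dig_batch(resolver: str, domains: List[str]) -> str:
    """Write the domains to a file and run `dig @resolver -f file`.

    Options placed before -f apply to every line of the batch file.
    Needs dig (BIND tools) on PATH; returns dig's raw stdout.
    """
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found; install the BIND tools")
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("\n".join(domains) + "\n")
        path = fh.name
    cmd = ["dig", f"@{resolver}", "-f", path, "+time=2", "+tries=1"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def parse_dig_output(text: str) -> Dict[str, dict]:
    """Split dig's multi-query output into {qname: {"status", "answers"}}.

    dig prints one "; <<>> DiG" block per query: the question section gives
    the name, the header line the RCODE, the answer section the records.
    """
    results: Dict[str, dict] = {}
    for block in re.split(r"^; <<>> DiG", text, flags=re.M)[1:]:
        status = re.search(r"status: (\w+)", block)
        qname = re.search(r"^;(\S+)\s+IN\s+\w+", block, flags=re.M)
        if not status or not qname:
            continue
        answers: List[Tuple[str, str]] = [
            (rtype, rdata.rstrip("."))
            for _, rtype, rdata in re.findall(
                r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)", block, flags=re.M)
        ]
        results[qname.group(1).rstrip(".")] = {"status": status.group(1),
                                               "answers": answers}
    return results


def rpz_verdict(qname: str, result: dict) -> str:
    """NXDOMAIN -> blocked (Block: No Such Domain); NOERROR with no records
    -> nodata (Block: No Data); CNAME to another name -> substituted;
    an ordinary answer -> passed (the policy did not fire)."""
    status = result["status"]
    if status == "NXDOMAIN":
        return "blocked"
    if status != "NOERROR":
        return status.lower()  # SERVFAIL etc.: a recursion problem, not RPZ
    if not result["answers"]:
        return "nodata"
    if any(t == "CNAME" and d != qname for t, d in result["answers"]):
        return "substituted"
    return "passed"


def classify_batch(dig_text: str) -> Dict[str, str]:
    """Verdict per queried name for one dig -f run."""
    return {q: rpz_verdict(q, r) for q, r in parse_dig_output(dig_text).items()}


# Constructed dig -f output for the three names above (not captured from NIOS).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> @192.0.2.53 -f suspects.txt
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; QUESTION SECTION:
;abb.com.                IN      A

;; ANSWER SECTION:
abb.com.        5       IN      CNAME   google.com.
google.com.     300     IN      A       192.0.2.10

; <<>> DiG 9.16.1 <<>> @192.0.2.53 -f suspects.txt
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1002
;; QUESTION SECTION:
;facebook.com.           IN      A

;; AUTHORITY SECTION:
rpz.local.      300     IN      SOA     ns.rpz.local. hostmaster.rpz.local. 1 3600 600 86400 300

; <<>> DiG 9.16.1 <<>> @192.0.2.53 -f suspects.txt
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; QUESTION SECTION:
;example.com.            IN      A

;; ANSWER SECTION:
example.com.    3600    IN      A       93.184.216.34
"""

if __name__ == "__main__":
    for name, verdict in classify_batch(SAMPLE_DIG_OUTPUT).items():
        print(f"{name:16} {verdict}")
    # Live run against a resolver you control:
    # print(classify_batch(dig_batch("192.0.2.53", SUSPECT_DOMAINS)))
```

Treat the dig verdict as a hint rather than proof: a CNAME in the answer is also what many legitimate names return, so a "substituted" result should be confirmed against the resolver's RPZ log entry, and a SERVFAIL or timeout across the whole batch points at broken recursion rather than at the policy.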

Re: How to test with RPZ?

TSun
Techie
Posts: 11

Hi Jamison,

 

Thanks for your quick reply! I tried your suggestions and referred to the documents, but I don't see it taking effect based on the log in syslog.

 

For example, I defined a rule to substitute the domain 'abb.com' with 'google.com' in my local RPZ zone, but after I ran 'dig @my_infoblox_ip_address abb.com', I checked the syslog and still found 'abb.com' being pinged directly with a response message 'NO ERROR +EV', so it looks like it takes effect.

 

Also, every time I add new rules to my RPZ zone, do I need to restart my DNS service to make them take effect?

 

Thanks!

Re: How to test with RPZ?

Jamison_Utter
Techie
Posts: 11

What happens if you place something known (like facebook.com) in your block list? That's a sure test to see if you're getting the RPZ active. Does the syslog message say CEF at the start? (That's the RPZ log format.)

Jamison Utter

Re: How to test with RPZ?

TSun
Techie
Posts: 11

I tried adding 'facebook.com' to my zone and defined its policy as 'BLOCKED (no such domain)'. After I ran the dig command, I still got the message 'A response: NO ERROR +EV'.

No, I didn't see any message indicating it's in CEF format. Where can I check it?

Re: How to test with RPZ?

Jamison_Utter
Techie
Posts: 11

You should see a syslog entry for the RPZ hit (CEF:#... etc.).

 

Sounds like you're not hitting the RPZ at all. Did you restart DNS after you enabled the feature? (Adding entries doesn't require a restart.)

Jamison Utter
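The check Jamison describes, scanning syslog for CEF-prefixed RPZ entries, as an added example (not code from the post or from Infoblox). The CEF header layout (`CEF:version|vendor|product|version|signature|name|severity|extension`) is the standard one; the sample syslog lines, the `RPZ-` signature prefix and the wording of the `msg` field are constructed for this example and are an assumption about how NIOS lays out its fields, so adjust the `rpz_hits` filter to what your appliance actually logs.

```python
"""Find RPZ policy hits in syslog by parsing the CEF records NIOS emits.

Added example for the forum thread; the sample lines, the "RPZ-" signature
prefix and the msg wording are constructed assumptions, not captured logs.
"""
import re
from typing import Dict, Iterable, List, Optional

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")


def parse_cef(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line carrying a CEF record; None if it is not CEF.

    The seven header fields are pipe-delimited with "\\|" and "\\\\" escapes;
    everything after the seventh pipe is the key=value extension.
    """
    start = re.search(r"CEF:\d+\|", line)
    if not start:
        return None
    body = line[start.start() + len("CEF:"):]
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped pipe or backslash
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    if len(fields) < 7:
        return None
    rec = dict(zip(CEF_HEADER_FIELDS, fields))
    # Extension: values may contain spaces, so a value runs until the next
    # " key=" token or the end of the line.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", body[i:].strip()):
        rec[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return rec


def rpz_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the RPZ policy hits among syslog lines.

    Plain query-log lines (no "CEF:") are skipped: in the thread, the absence
    of any CEF entry is exactly the symptom of the policy not firing.
    Assumption: RPZ records carry a signature_id starting with "RPZ".
    """
    hits = []
    for line in lines:
        rec = parse_cef(line)
        if not rec or not rec["signature_id"].startswith("RPZ"):
            continue
        # Assumed msg wording: "rpz QNAME <action> rewrite <qname> via <rule>"
        m = re.search(r"rewrite (\S+) via (\S+)", rec.get("msg", ""))
        hits.append({
            "src": rec.get("src", ""),
            "view": rec.get("view", ""),
            "action": rec["name"],
            "qname": m.group(1) if m else "",
            "rule": m.group(2) if m else "",
        })
    return hits


# Constructed sample: one ordinary query log line, then two RPZ hits.
SAMPLE_SYSLOG = """\
Jan 12 10:15:01 ns1 named[1234]: client 192.0.2.25#51234: query: example.com IN A +E (192.0.2.53)
Jan 12 10:15:02 ns1 named[1234]: CEF:0|Infoblox|NIOS|7.2.0|RPZ-CNAME|CNAME|7|app=DNS src=192.0.2.25 spt=51235 dst=192.0.2.53 dpt=53 view=internal qtype=A msg=rpz QNAME CNAME rewrite abb.com via abb.com.rpz.local
Jan 12 10:15:03 ns1 named[1234]: CEF:0|Infoblox|NIOS|7.2.0|RPZ-QNAME|NXDOMAIN|7|app=DNS src=192.0.2.25 spt=51236 dst=192.0.2.53 dpt=53 view=internal qtype=A msg=rpz QNAME NXDOMAIN rewrite facebook.com via facebook.com.rpz.local
"""

if __name__ == "__main__":
    for hit in rpz_hits(SAMPLE_SYSLOG.splitlines()):
        print(f"{hit['src']:15} {hit['action']:9} {hit['qname']:14} via {hit['rule']}")
```

Run this over the appliance's syslog export (or a `tail -f` of it) while the dig batch runs: a name that appears in the query log but never produces a CEF record was answered without the policy being consulted, which is the situation TSun describes.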

Re: How to test with RPZ?

TSun
Techie
Posts: 11

Since I just added a rule to my RPZ zone, it doesn't require a restart (I did one though), right? After I created my current local RPZ zone, I did a restart then.

 

I have enabled RPZ logging in Grid DNS Properties, and did the test from one of my servers, which is using the Infoblox DNS installed on another server. What else do I need to configure to make it take effect?

Re: How to test with RPZ?

Adviser
Posts: 85

There are a couple of things to check. Firstly, what version of NIOS are you using? In later versions (IIRC version 7.x and above) we implemented a (BIND) feature whereby we check the domain being queried and, if it matches an RPZ rule, we do not recurse but instead synthesize the response directly. Previously, we actually had to go and recursively find the response, receive it, and check for the RPZ rule hit before synthesizing the response back to the user. This is called the qname-wait-recurse flag in BIND, which we have now included as a checkbox to enable/disable. In later versions of NIOS it is disabled by default, which to me makes sense, as we now respond straight away without having to recurse to the Internet (or elsewhere) to retrieve the answer before responding. You should check for the existence of this under Grid DNS Properties, General, Advanced; it is one of the checkboxes there.

 

Secondly (and most likely the problem), you should check that your RPZ zone is created under the correct DNS view. If it is in the wrong view (and thus matching the wrong source subnets) your rule will not fire, which explains the lack of logs.

 

Thirdly, again depending on your version of code, I recall experiencing a bug where you DO need to do a service restart every time you create a new rule. It was a bug and was fixed a long time ago, but it is something to keep in mind.

 

Attached is a quick test I did using your example, and it works just fine for me. Notice that I've created the RPZ zone "rpz.local" under my "internal" DNS view, with a single substitution rule "abb.com" to "google.com", and the response comes back directly. Note that the A record for google.com is bogus, as I had created an auth zone called google.com on my own server just for another test I was doing. However, it is important to note the behaviour of domain substitution: it will redirect to a CNAME, which will in turn recurse to the Internet (provided you don't have it auth in your DNS view), before responding with the A record.

 

[Attachment: rpz.png]
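What the setup above amounts to underneath the Grid Manager, written out as a BIND configuration: an added example, not the attached screenshot's configuration and not something Infoblox exposes as files. The zone name "rpz.local" and the two rules (abb.com substituted with google.com, facebook.com blocked with NXDOMAIN) are the thread's; the file names, SOA values and the view placement are assumptions. The fence holds two files, a named.conf fragment followed by the zone file.

```conf
// named.conf fragment (the Infoblox GUI generates the equivalent; this is
// the BIND form of the same settings). Place "response-policy" inside the
// view whose match-clients covers the test machine, or no rule will fire.
options {
    recursion yes;                 // the resolver must still be able to recurse
    response-policy {
        zone "rpz.local";          // local policy zone; earlier zones win
    } qname-wait-recurse no;       // answer from policy first, no upstream lookup
                                   // (the checkbox missing in NIOS 7.0; present in 7.2)
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };         // never serve the policy zone to clients
};

// rpz.local.db (zone file)
$TTL 300
@              IN SOA ns.rpz.local. hostmaster.rpz.local. ( 1 3600 600 86400 300 )
               IN NS  ns.rpz.local.

; Substitute domain: the answer for abb.com is obtained by following the CNAME,
; so google.com still has to resolve (recursively, unless it is authoritative
; in this view), which is the behaviour described above.
abb.com        CNAME  google.com.
*.abb.com      CNAME  google.com.

; Block (No Such Domain): a CNAME to the root name "." rewrites the response
; to NXDOMAIN, the policy TSun chose for facebook.com.
facebook.com   CNAME  .
*.facebook.com CNAME  .
```

Two consequences worth checking in a lab: with `qname-wait-recurse yes` (the only behaviour available on 7.0) a resolver that cannot reach the Internet will time out instead of rewriting, and a policy zone living in a view that the client's source address does not match is simply never consulted, so no CEF entry appears.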

Re: How to test with RPZ?

TSun
Techie
Posts: 11

Hi jchik,

 

Thank you so much for your detailed answer. I'm using NIOS 7.0. I went to my Grid DNS Properties but don't find the qname-wait-recurse flag you mentioned:

[Screenshot attachment: Infoblox Grid Manager 7.0.2 269928 admin.png]

 

Do you think I should upgrade the Infoblox to a later version, or what else can I do? Also, in NIOS 7.0, when I use a Blacklist ruleset, it requires a DNS service restart every time I add my bad domains. In which version did you fix this bug? Is it applicable to both Blacklist rulesets and RPZ zones, meaning it does not require a DNS restart after I add a rule to my RPZ zone or Blacklist ruleset?

 

Also, I'm still curious about the difference between using an RPZ zone instead of a Blacklist, except that in an RPZ zone we can define more policies than in a Blacklist ruleset, which only supports Redirect (Block)/Pass behavior, and supports both domains and IPs. If I just want to either redirect or block my bad domains, I can use either a Blacklist or RPZ, right?

 

Thanks!

Re: How to test with RPZ?

Adviser
Posts: 85

Ok, so it looks like qname-wait-recurse was implemented after 7.0! Sorry about that, but if you upgrade to version 7.2.x it is definitely in there, as that's what I'm using.

 

That being the case, you don't have to upgrade; all it means is that you need to ensure that you can actually resolve Internet domain names, as you need to wait for the response coming back. If you don't have this ability or don't want to do this, then upgrade NIOS.

 

As for restarts on the blacklist: I was referring to restarts on RPZ entries. You do NOT have to restart every time you add a record in an RPZ. For blacklists, I think you still have to do it.

 

Benefits of blacklists vs RPZ: blacklists consume more CPU load, if I recall. It is also not as flexible as RPZ. Whilst you can redirect, you can redirect to an IP only. With RPZ you can do a lot: substitute domain names, IPs, modify responses, etc.

 

So it comes down to your requirement and budget. Seems like for you, RPZ is the way to go.

Re: How to test with RPZ?

TSun
Techie
Posts: 11

 

Sounds great! I would like to try RPZ in version 7.2.x. I just need to download DNS Firewall with the 60-day trial license from the website, right? Is running the dig command and checking the syslog the only way to confirm the RPZ rules take effect? When I tested with the Blacklist, I just pointed my server to the Infoblox DNS, and pinging that bad domain showed it taking effect.

 

In the meantime, I still want to make RPZ work in my 7.0. Is there anything else I should take care of, since I'm not able to configure that qname-wait-recurse feature? Otherwise I'm not able to get that redirect message and CEF syslog to confirm that it takes effect.

Re: How to test with RPZ?

Adviser
Posts: 85

You need to ensure that recursion is on and works in your NIOS 7.0 instance. So what I would do is just sanity-check that it can at least do that from the CLI of NIOS. Then try from a client and ensure the query succeeds. Then add a local RPZ ruleset and rule. Build up slowly and logically and you'll get there!

 

Syslog hits will confirm RPZ is working.

Re: How to test with RPZ?

TSun
Techie
Posts: 11

Got it. Thanks for the help!

 

While I'm trying to install the Infoblox Firewall to test with the new RPZ zone solution, the installation process asked me for an activation code, which I cannot find in the resources I got. Any suggestion for it?

 

The package I downloaded is a 60-day virtual evaluation of Infoblox DNS Firewall.

Re: How to test with RPZ?

RLangston
Techie
Posts: 13

From the 7.2 release notes: "Change to the default behavior of RPZ (Response Policy Zone): no longer recurses for domains that are already in the RPZ feed."

 

So you need 7.2 to get this feature. Note that, as it says above, we've made this the default behavior. This is important, since recursing a query that contains DNS data exfiltration makes our detection of the threat irrelevant: the query is made anyway, and therefore the data has left the network...
