Need to transfer RPZ feed via MGMT port

Expert
Posts: 190

Hi all,

I think my brain has run out of juice today, I am struggling with what seems like a pretty basic problem, so hoping someone here can give me some fresh insight.

We have an RPZ feed coming into a PT (ADP) appliance that is acting as an external DNS server, so LAN1 has a public IP address and this is going out and fetching the RPZ feed quite happily from Infoblox. All grid comms are going over the MGMT port and I want to distribute the RPZ feed to the internal DNS servers via the MGMT port (which has a 10.x private address and has DNS enabled).

But when I create my name server group with the PT appliance as the lead secondary, the internal DNS servers use the LAN1 public IP address in the zone statement instead of the MGMT address, e.g. I get this in the configuration:


    zone "malware.rpz.infoblox.local" in { # malware.rpz.infoblox.local
        type slave;
        masters { 194.75.xxx.yyy; };
        infoblox-rpz-severity 6;
        allow-update-forwarding { key DHCP_UPDATER_default;  none; };
        masterfile-format raw;
        file "db.malware.rpz.infoblox.local._default";
        notify explicit;
    };

So what I need is for the text in red to be my private IP address assigned to the MGMT port. How can I do this?

Cheers,

Paul


Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Need to transfer RPZ feed via MGMT port

Adviser
Posts: 147

Hi Paul,

This may be difficult as the PT appliance is designed/intended to not provide any DNS services over the MGMT port, as this interface is not secured as LAN1 and LAN2 are.

You can affect the zone transfer interface by editing the member's DNS properties on the General->Advanced tab and setting the 'Send notify messages and zone transfer request from' to ANY.

This will add both LAN1 and MGMT IP to your 'masters' directive and in theory should work if DNS is listening on the MGMT port.

You could also specify the MGMT interface for the 'Send notify...' parameter, however, this will also cause the appliance to source its xfr requests from the MGMT interface which is likely not desired in your situation.

Please test and let us know the results!

Thanks!

Check out our new Tech docs website at http://docs.infobox.com for latest documentation on Infoblox products

Re: Need to transfer RPZ feed via MGMT port

Expert
Posts: 190

Ah I knew it would be simple, thanks. I didn't realise that option affected a slave's "masters" statement in this way, here's what I ended up with:

    zone "malware.rpz.infoblox.local" in { # malware.rpz.infoblox.local
        type slave;
        masters { 194.75.x.y; 10.67.95.146; };
        infoblox-rpz-severity 6;
        allow-update-forwarding { key DHCP_UPDATER_default;  none; };
        masterfile-format raw;
        file "db.malware.rpz.infoblox.local._default";
        notify explicit;
    };

I doubt it will be able to reach the public IP due to firewalls in between the internal and external DNS environments, but it can certainly talk on the private IP address.

In this environment we are only interested in protecting the external DNS on LAN1 (LAN2 is reserved for future use), and as grid management traffic has to go over MGMT anyway it makes sense to use it also for RPZ zone transfer. It would be a waste of ADP resources to spin up LAN2 just to xfer the RPZ to the internal servers.

Thanks for your help.

Paul


Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
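As an added example (not part of the thread and not Infoblox code), a small Python check that parses the generated slave zone statement and confirms the 'masters' list contains an address inside the MGMT network, which is what the thread's fix is meant to produce. The addresses are constructed: 198.51.100.7 stands in for the masked public LAN1 IP and 10.67.95.0/24 is an assumed MGMT subnet.

```python
import ipaddress
import re

# Constructed samples: the zone statement before and after the member's
# 'Send notify messages and zone transfer request from' setting was changed to ANY.
ZONE_BEFORE = '''
zone "malware.rpz.infoblox.local" in { # malware.rpz.infoblox.local
	type slave;
	masters { 198.51.100.7; };
	file "db.malware.rpz.infoblox.local._default";
	notify explicit;
};
'''
ZONE_AFTER = ZONE_BEFORE.replace("198.51.100.7;", "198.51.100.7; 10.67.95.146;")

# A zone block ends at the first '};' that starts a line; inner one-line
# statements such as 'masters { ... };' never match that shape.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s+(?:in\s+)?\{(.*?)\n\s*\};', re.S)
MASTERS_RE = re.compile(r'masters\s*\{([^}]*)\}')

def parse_slave_zones(text):
    """Return {zone_name: [master IPs]} for every 'type slave' zone in the text."""
    zones = {}
    for name, body in ZONE_RE.findall(text):
        if not re.search(r'\btype\s+slave\s*;', body):
            continue
        masters = MASTERS_RE.search(body)
        ips = []
        if masters:
            for tok in masters.group(1).split(';'):
                tok = tok.strip()
                if tok:
                    ips.append(ipaddress.ip_address(tok))
        zones[name] = ips
    return zones

def check_masters(ips, mgmt_net):
    """Split masters into those reachable via the MGMT subnet and all others.

    'ok' is True only when at least one master sits inside mgmt_net, so the
    transfer does not depend on a public master that firewalls may block."""
    net = ipaddress.ip_network(mgmt_net)
    via_mgmt = [str(ip) for ip in ips if ip in net]
    other = [str(ip) for ip in ips if ip not in net]
    return {"via_mgmt": via_mgmt, "other": other, "ok": bool(via_mgmt)}

if __name__ == "__main__":
    for label, cfg in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        for zone, ips in parse_slave_zones(cfg).items():
            print(label, zone, check_masters(ips, "10.67.95.0/24"))
```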