Data Connector supports the following filter types when processing data: client_ip, dns_view, member, and query FQDN. Data filtering proceeds in the following order: client_ip, member, and query FQDN.

Filter Types

Client_ip

  • The client_ip data filter is applied to DNS query/response events, IPmeta data, and RPZ events. The filter matches the query source IP address when the event is a query and the destination IP address when the event is a response.
  • Client_ip can be specified in the following formats:
    • As a single IPv4 or IPv6 address. For example, 10.10.1.0, 2620:10a:6000:661e::523
    • As a range of IPv4 addresses consisting of two single IPs with a dash between them and no spaces between the IP addresses and the dash. For example, 10.10.1.0-10.10.2.35
      This format applies to IPv4 addresses only. IPv6 uses CIDR notation.
    • As a network/mask: a single IPv4 address followed by a slash and a dotted mask, with no spaces between the address, the slash, and the mask. For example, 10.10.1.0/255.255.255.0
      This format applies to IPv4 addresses only.
    • As a CIDR block: a single IPv4 or IPv6 address followed by a slash and a prefix length, with no spaces between the address and the slash. For example, 10.10.0.1/15, 2001:cdba:9abc:5678::/64
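The following is an added example, not Infoblox's own code: it parses each of the four client_ip formats listed above with Python's standard ipaddress module and applies the result to a handful of constructed DNS events. The event field names (type, src_ip, dst_ip, qname) and the choice to keep, rather than drop, the events that match are assumptions made for the example.

```python
import ipaddress

# Added example, not Infoblox's own code: parse the four documented client_ip
# filter formats and apply them to constructed DNS events. The event field
# names and the "keep matching events" semantics are assumptions.


def parse_client_ip_filter(spec):
    """Return a predicate over ipaddress objects for one client_ip filter value."""
    spec = spec.strip()
    if "-" in spec:  # IPv4 range: start-end, inclusive at both ends
        lo_s, hi_s = spec.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != 4 or hi.version != 4:
            raise ValueError("start-end ranges are IPv4 only; use CIDR for IPv6")
        if lo > hi:
            raise ValueError("range start must not be above range end")
        return lambda ip: ip.version == 4 and lo <= ip <= hi
    if "/" in spec:  # network/mask (IPv4 only) or CIDR block (IPv4 or IPv6)
        addr_s, mask_s = spec.split("/", 1)
        if "." in mask_s and ipaddress.ip_address(addr_s).version != 4:
            raise ValueError("network/mask form is IPv4 only; use CIDR for IPv6")
        # strict=False: host bits in the address (e.g. 10.10.0.1/15) are masked off
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ip.version == net.version and ip in net
    addr = ipaddress.ip_address(spec)  # single IPv4 or IPv6 address
    return lambda ip: ip == addr


def event_client_ip(event):
    """Source address for a query, destination address for a response."""
    key = "src_ip" if event["type"] == "query" else "dst_ip"
    return ipaddress.ip_address(event[key])


def apply_client_ip_filters(events, specs):
    """Keep the events whose client IP matches at least one filter value."""
    matchers = [parse_client_ip_filter(s) for s in specs]
    return [e for e in events if any(m(event_client_ip(e)) for m in matchers)]


# Constructed sample events (not real traffic)
SAMPLE_EVENTS = [
    {"type": "query", "src_ip": "10.10.1.77", "dst_ip": "10.10.0.5", "qname": "some.domain.com"},
    {"type": "response", "src_ip": "10.10.0.5", "dst_ip": "10.10.2.35", "qname": "some.domain.com"},
    {"type": "query", "src_ip": "192.168.9.9", "dst_ip": "10.10.0.5", "qname": "example.net"},
    {"type": "query", "src_ip": "2001:cdba:9abc:5678::1", "dst_ip": "2001:cdba::53", "qname": "v6.example"},
]

if __name__ == "__main__":
    for spec in ["10.10.1.0-10.10.2.35", "10.10.1.0/255.255.255.0",
                 "10.10.0.1/15", "2001:cdba:9abc:5678::/64"]:
        kept = apply_client_ip_filters(SAMPLE_EVENTS, [spec])
        print(spec, "->", [(e["type"], event_client_ip(e).compressed) for e in kept])
```

The range and network/mask branches reject IPv6 input up front, mirroring the "IPv4 only" notes above, and the response event is matched on its destination address, so a response to 10.10.2.35 is caught by the range 10.10.1.0-10.10.2.35 but not by the /24 mask.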

Dns_view

  • The dns_view data filter is applied to DNS query/response events and RPZ events. Valid values for dns_view are Internal or External. You must specify 'I' or 'E' (not case-sensitive) to reflect your choice of dns_view. The dns_view filter can have only one value.
  • In the Grid, a dns_view created by the user should carry the extensible attribute cdc_view = External or cdc_view = Internal. If cdc_view is not set, the view is treated as Internal and is filtered out by default; all events from the Internal dns_view are filtered out by default.

Multiple DNS Views:

When the appliance receives queries from DNS clients, it responds with data from either the Internal or External DNS view, depending on the source IP address.

Internal Views:

  1. Create an Internal DNS view named "Internal".
     • Add match clients for the Internal view: select "set of ACEs" and add an IPv4 address (your host/source IP address, 10.196.105.132, the IP from which you run dig).
     • Create a zone "domain.com" with an A record "some.domain.com" (for example, resolving to 10.10.10.10).
  2. Create an External DNS view named "External".
     • In the External view, create a zone "domain.com" with an A record "some.domain.com" (resolving to 5.5.5.5). Zones and records with the same names now exist in both the Internal and External DNS views.
     • The query response is now based on the source IP from which you run dig.
  3. In NIOS, go to the members, click "Member DNS", then DNS Views. On this page you can change the order of the views. For now, keep the order Internal, External, Default.
  4. Query for "some.domain.com" from your host 10.196.105.132, which you added to the match clients.
  5. The dig for "some.domain.com" should return the response IP "10.10.10.10", because the query is served by the Internal DNS view: "Internal" is first in the DNS view order and your source IP matches its match clients.
  6. Query for "some.domain.com" from some other host (other than 10.196.105.132). You should get the response IP "5.5.5.5". This query is answered by the External DNS view, which has no match clients and therefore allows any IP/network.


External views:

Now change the DNS view order to External, Internal, Default and query for "some.domain.com" from any source IP. You will get a response from the External view (response IP 5.5.5.5), because the External view is first in the order and has no match clients set, which means it allows any IP/network.

How DNS Views Work

If the Internal view is chosen as the first in the DNS view order, then when the appliance receives a query it checks the match list of the Internal DNS view first. If it does not find the source address in the match list of the Internal DNS view, it then checks the match list of the External DNS view. The match list of the External DNS view allows all IP addresses (to do this, set "allow any IP/Network" in match clients). Next, the NIOS appliance checks the zone-level settings to determine whether it is allowed to resolve queries from the client for domain names in that zone. After the appliance determines it is allowed to respond to queries from this client, it resolves the query and sends the response back to the client.

When you create more than one DNS view, the order of the views is important. View order determines the order in which the NIOS appliance checks the match lists. When you have multiple DNS views, you can validate the Data Connector dns_view filter by following the steps above. Match clients need to be added when you test with multiple DNS views.
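To make the view-ordering behaviour concrete, here is an added example, not NIOS or Data Connector code, that models the ordered match-list walk described above together with the dns_view filter's treatment of the cdc_view extensible attribute. The DnsView class, the record tables and the lab addresses (10.196.105.132, 10.10.10.10, 5.5.5.5) are constructed to mirror the steps on this page; the default view is given no cdc_view EA to show that it is treated as Internal.

```python
import ipaddress

# Added example, not NIOS or Data Connector code: a small model of the
# ordered DNS-view lookup described above, plus the dns_view filter's
# handling of the cdc_view extensible attribute. View objects and record
# tables are constructed for the lab described on this page.


class DnsView:
    def __init__(self, name, match_clients, records, cdc_view=None):
        self.name = name
        # An empty match-clients list means "allow any IP/Network"
        self.match_clients = [ipaddress.ip_network(m, strict=False) for m in match_clients]
        self.records = records          # {fqdn: answer}
        self.cdc_view = cdc_view        # value of the cdc_view EA, or None if unset

    def allows(self, src_ip):
        if not self.match_clients:
            return True
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.match_clients)


def select_view(view_order, src_ip):
    """First view in order whose match list admits the source address."""
    for view in view_order:
        if view.allows(src_ip):
            return view
    return None


def resolve(view_order, src_ip, fqdn):
    """Return (view name, answer) as a client at src_ip would see it."""
    view = select_view(view_order, src_ip)
    if view is None:
        return None
    return view.name, view.records.get(fqdn)


def effective_cdc_view(view):
    """A view without the cdc_view EA is treated as Internal."""
    return view.cdc_view or "Internal"


def passes_dns_view_filter(view, filter_value):
    """dns_view filter: a single value, I or E, not case-sensitive."""
    f = filter_value.strip().upper()
    if f not in ("I", "E"):
        raise ValueError("dns_view filter must be I or E")
    return effective_cdc_view(view)[0].upper() == f


# Lab setup from the steps above (constructed data)
INTERNAL = DnsView("Internal", ["10.196.105.132"],
                   {"some.domain.com": "10.10.10.10"}, cdc_view="Internal")
EXTERNAL = DnsView("External", [], {"some.domain.com": "5.5.5.5"}, cdc_view="External")
DEFAULT = DnsView("default", [], {})   # no cdc_view EA set

if __name__ == "__main__":
    print(resolve([INTERNAL, EXTERNAL, DEFAULT], "10.196.105.132", "some.domain.com"))
    print(resolve([INTERNAL, EXTERNAL, DEFAULT], "192.0.2.10", "some.domain.com"))
    print(resolve([EXTERNAL, INTERNAL, DEFAULT], "10.196.105.132", "some.domain.com"))
```

With the order Internal, External, Default the lab host gets 10.10.10.10 and everyone else gets 5.5.5.5; swapping External to the front makes the lab host get 5.5.5.5 as well, because the External view's empty match list admits it before the Internal view is ever consulted.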


Filters can be defined on:

  1. IP (or a start-end range of IPs) of the query source if the event is a query, or the destination IP if the event is a response
  2. dns_view (Internal, External)
  3. member that processed the query (wildcard)
  4. query FQDN (wildcard)

Filters are evaluated in the above order, that is, IP first, then dns_view, member name, and query FQDN last. Filters within one category are evaluated in the order in which they are defined.

Member

The member data filter is applied to DNS query/response events and RPZ events. Specify the Grid member name that processed the query. The member data filter is evaluated as a regular expression. For example, ns2.site1.xyz.com, infoblox.localdomain.*

FQDN Query

The query FQDN data filter is applied to DNS query/response events and RPZ events. A query filter is a combination of valid FQDN syntax and wildcard tokens.

FQDN Query rules:

  1. Tokens can be on the left and right side only, not in the middle.
  2. A rule can have 0, 1 or 2 tokens.
  3. If a rule has 2 tokens, they have to be on the opposite ends of the FQDN.
  4. Tokens on the left side must be followed by a dot (except the case in rule 6).
  5. Tokens on the right side must be preceded by a dot (except the case in rule 6).
  6. The rule "?" is allowed (a single token with nothing else, used to catch an FQDN composed of a single label).

Token Types

* - zero or more domain name labels; can be on the left side only.
# - one or more domain name labels; can be on the left side only.
? - exactly one domain name label; can be on the right or left side.


Valid query filter rules examples

  • *.infoblox.com
  • amazon.?
  • *.google.?
  • #.org
  • *.cnn.?
  • #.github.?
  • facebook.com
  • ?.facebook.com
  • ?
  • ?.
  • example.?.
  • ?.google.?

Invalid query filter rules examples

  • *infoblox.com (missing dot after star)
  • amazon.??? ("?" is not a regex "?")
  • .*.google.? (dot before star)
  • #.*.org (two tokens on the left)
  • cnn.* (star on the right)
  • *.github.# ("#" on the right)
  • * (single "*" token is not allowed)
  • *. (single "*" token is not allowed)
  • # (single "#" token is not allowed)
  • #. (single "#" token is not allowed)
  • ?infoblox.com (dot is missing after "?")


Token to Regex Conversion

  • # -> ([^.]+\.?)+ One or more labels, where a label is one or more characters other than a dot, optionally followed by a dot.
  • * -> ([^.]+\.?)* Zero or more labels, where a label is one or more characters other than a dot, optionally followed by a dot.
  • ? -> ([^.]+\.?)? One or more characters other than a dot, optionally followed by a dot.
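The following added example (not Infoblox code) implements the six FQDN query rules above as a validator, reports the reason a rule is rejected, and converts accepted rules to regular expressions using the documented token table. It is checked against the valid and invalid example lists on this page. How the literal dot next to a token is combined with the token's group is this example's own assumption: because each documented group already carries an optional trailing dot, the dot that follows a left-side token is absorbed into the group, while the dot before a right-side "?" is kept as a literal. A single trailing root dot on a rule or a queried name is stripped before matching, which is why "?." and "example.?." are accepted.

```python
import re

# Added example, not Infoblox code: validate a Data Connector query-FQDN
# filter rule against the six rules above and convert it to a regex using
# the documented token table. The join between a token group and the
# neighbouring literal labels is an assumption of this example.

TOKEN_REGEX = {
    "#": r"([^.]+\.?)+",   # one or more labels, left side only
    "*": r"([^.]+\.?)*",   # zero or more labels, left side only
    "?": r"([^.]+\.?)?",   # one label, left or right side
}
LEFT_ONLY = {"#", "*"}
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # plain (non-token) label


def _strip_root_dot(name):
    # "?." and "example.?." are valid: a single trailing dot marks the root
    return name[:-1] if len(name) > 1 and name.endswith(".") else name


def validate_rule(rule):
    """Return (True, "") for a valid rule or (False, reason) otherwise."""
    r = _strip_root_dot(rule)
    if r == "?":                                   # rule 6: a lone "?" is allowed
        return True, ""
    if r in TOKEN_REGEX:                           # "*", "*.", "#", "#."
        return False, f'single "{r}" token is not allowed'
    if not r or r.startswith(".") or r.endswith(".") or ".." in r:
        return False, "empty label (leading, trailing or doubled dot)"
    labels = r.split(".")
    last = len(labels) - 1
    for i, lab in enumerate(labels):
        if lab in TOKEN_REGEX:
            if i not in (0, last):                 # rules 1-3: tokens only at the ends
                return False, f'token "{lab}" must be at an end, not in the middle'
            if i == last and lab in LEFT_ONLY:     # "*" and "#" are left-side only
                return False, f'token "{lab}" is allowed on the left side only'
        elif any(t in lab for t in TOKEN_REGEX):   # rules 4-5: "*infoblox", "???"
            return False, f'token in "{lab}" must be a whole label separated by a dot'
        elif not LABEL_RE.match(lab):
            return False, f'"{lab}" is not a valid domain label'
    return True, ""


def rule_to_regex(rule):
    """Anchored regex for a valid rule, built from the documented token table."""
    ok, reason = validate_rule(rule)
    if not ok:
        raise ValueError(reason)
    labels = _strip_root_dot(rule).split(".")
    out = ""
    for i, lab in enumerate(labels):
        # A token group already consumes its own trailing dot, so a literal
        # dot is emitted only after a plain label (assumption, see lead-in).
        if i > 0 and labels[i - 1] not in TOKEN_REGEX:
            out += r"\."
        out += TOKEN_REGEX.get(lab) or re.escape(lab)
    return "^" + out + "$"


def rule_matches(rule, fqdn):
    """True if the queried name (root dot optional) is caught by the rule."""
    return re.match(rule_to_regex(rule), _strip_root_dot(fqdn)) is not None


if __name__ == "__main__":
    for r in ["*.infoblox.com", "amazon.?", "?", "example.?.", "*infoblox.com", "cnn.*"]:
        ok, reason = validate_rule(r)
        print(f"{r:16} {'valid  ' if ok else 'invalid'} {rule_to_regex(r) if ok else reason}")
```

Run stand-alone it prints each rule with its regex or rejection reason; in a pipeline the validator belongs at configuration time, so that a typo such as a missing dot is reported when the filter is defined rather than silently matching nothing at event time.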


