This chapter provides information about the Infoblox DNS Firewall feature that you can configure and manage on the Infoblox appliance. It includes the following sections:
- About Infoblox DNS Firewall
- License Requirements and Admin Permissions
- Best Practices for Configuring RPZs
- Enabling Recursion for RPZs
- Configuring Local RPZs
- Configuring Rules for RPZs
- Configuring Infoblox Threat Intelligence Feed
- Downloading Rules for an RPZ Feed
- Testing RPZ Feed Rules
- About FireEye Integrated RPZs
- Mitigating Cyber Threats using TAXII
- Managing RPZs
- Managing RPZ Rules
- Configuring Prefix Length Limit for RPZ-IP Triggers
- Configuring Thresholds for RPZ Hit Rate
- Verifying RPZ Configuration
About Infoblox DNS Firewall
Infoblox DNS Firewall employs DNS RPZs (Response Policy Zones), a technology developed by ISC (Internet Systems Consortium) that allows reputable sources to dynamically communicate domain name reputation so you can implement policy controls for DNS lookups.
On an Infoblox appliance, you can configure RPZs and define RPZ rules to block DNS resolution for malicious or unauthorized hostnames, or redirect clients to a walled garden by substituting responses. You can assign actions to RPZ rules. For example, abc.com can have an action of pass thru or substitute (domain) with the domain xyz.com. You can also configure a Grid member to act as a lead secondary that receives RPZ updates from external reputation sources and redistributes the updates to other Grid members. Infoblox DNS Firewall supports both IPv4 and IPv6 networks. It also facilitates the detection of malware and APTs (Advanced Persistent Threats) by integrating the NIOS appliance with a FireEye appliance. You can employ an APT mitigation strategy using FireEye as an external threat detection source.
An Infoblox Grid performs RPZ actions for queries that originate from external sources. The recursive name server cache on an RPZ-enabled Grid member uses the address of the client from which the query originates to determine whether the query comes from an external source or from within the Grid. If the query originates from a Grid Master or a Grid member that has an RPZ license installed, RPZ actions are automatically bypassed for those queries. For RPZ, Infoblox uses the ACL infoblox-deny-rpz, which contains a list of addresses for bypassing RPZ actions. The infoblox-deny-rpz list excludes Grid members that do not have an RPZ license. Note that an RPZ action is performed only once for a single recursion.
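The following is an added illustration, not code from the Infoblox appliance or this guide, of how the rule actions and the bypass ACL described above combine when a query is evaluated. The rules, the ACL contents and the client addresses are constructed sample values, and the rule notation follows the standard RPZ zone convention (a CNAME target of "." means NXDOMAIN, "*." means NODATA, "rpz-passthru." means pass thru, anything else is a substitute).

```python
"""Simulate RPZ QNAME-trigger evaluation with an ACL-based bypass (constructed example)."""
import ipaddress
from typing import Optional, Tuple

# Constructed sample rules: QNAME trigger -> CNAME target in RPZ zone notation.
# "*.name" triggers match subdomains of name but not name itself (standard RPZ wildcard).
RPZ_RULES = {
    "abc.com": "rpz-passthru.",                 # pass thru: answer normally, log the hit
    "malware.example": ".",                     # NXDOMAIN: block resolution
    "*.malware.example": ".",                   # block all subdomains as well
    "tracker.example": "*.",                    # NODATA: name exists, no records
    "phish.example": "walled-garden.xyz.com.",  # substitute (domain): redirect client
}

# Stand-in for the infoblox-deny-rpz ACL (constructed ranges): sources that bypass RPZ.
DENY_RPZ_ACL = [ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("2001:db8::/64")]


def acl_bypasses(client_ip: str) -> bool:
    """True when the querying client is listed in the bypass ACL (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in DENY_RPZ_ACL)


def match_rule(qname: str) -> Optional[Tuple[str, str]]:
    """Return (trigger, target): exact name first, then the closest wildcard parent."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        key = candidate if i == 0 else "*." + candidate
        if key in RPZ_RULES:
            return key, RPZ_RULES[key]
    return None


def apply_policy(client_ip: str, qname: str) -> dict:
    """Decide what the resolver does with one query; the policy is applied once only,
    so a substituted target is returned as-is and not re-evaluated against the rules."""
    if acl_bypasses(client_ip):
        return {"action": "BYPASS", "rule": None}
    matched = match_rule(qname)
    if matched is None:
        return {"action": "RESOLVE", "rule": None}
    trigger, target = matched
    if target == "rpz-passthru.":
        return {"action": "PASSTHRU", "rule": trigger}
    if target == ".":
        return {"action": "NXDOMAIN", "rule": trigger}
    if target == "*.":
        return {"action": "NODATA", "rule": trigger}
    return {"action": "SUBSTITUTE", "rule": trigger, "target": target.rstrip(".")}
```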
As illustrated in Figure 42.1, the Infoblox DNS server receives RPZ updates, which include blacklisted hostnames and responses, from a reputation data server through a DNS zone transfer. The appliance then blocks or redirects queries and responses based on the imported RPZ rules. The reporting server can then generate the DNS Top RPZ Hits report that details the top DNS clients that have received redirected responses through RPZs.
Figure 42.1 Infoblox DNS Firewall
There are three types of RPZs:
- Local RPZ – A local RPZ is a zone that allows administrators to define multiple response policies locally. Responses sent are based on the defined rules. For information about how to configure local RPZs, see Configuring Local RPZs.
- RPZ Feed – An RPZ feed receives response policies from external sources. DNS clients receive responses based on the imported rules from a reputable source, such as a commercial RPZ provider. For information about RPZ feed, see Configuring Infoblox Threat Intelligence Feed.
- FireEye integrated RPZ – By integrating the NIOS appliance with the FireEye appliance, you can detect malware and APTs and take necessary actions to mitigate those threats. For information about FireEye integrated RPZ, see About FireEye Integrated RPZs.
Note: You can configure up to a total of 32 RPZs, including local and FireEye integrated RPZs.
Setting Up Infoblox DNS Firewall
For a successful Infoblox DNS Firewall deployment to protect your endpoint devices and servers from stealthy malware and malicious hostnames, consider the guidelines described in Best Practices for Configuring RPZs. To configure Infoblox DNS Firewall, complete the following tasks:
1. Install a valid RPZ license on the appliance. For more information about RPZ licenses, see License Requirements and Admin Permissions.
Note: Ensure that you have installed a valid DNS license on the same appliance.
2. Enable recursive queries for a DNS view, member, or Grid, as described in Enabling Recursion for RPZs.
Note: Ensure that you enable recursive queries for RPZ rules to take effect.
3. Configure RPZ logging to ensure that all matching and disabled rules for all queries are logged in the syslog. You can view the syslog to ensure that the rules are set up correctly before they take effect. Ensure that you enable rpz in the Logging Category of Grid DNS Properties editor to log these events. For information about how to set logging categories, see Setting DNS Logging Categories.
4. You can configure a local RPZ, an RPZ feed, or a FireEye RPZ on the NIOS appliance. Complete one of the following depending on your selection:
- On a DNS member, complete the following to create local RPZ rules:
- Optionally, complete the following to receive RPZ updates from an RPZ feed:
- Configure an RPZ feed, as described in Configuring Local RPZs. You can also configure the Infoblox DNS feed, as described in Configuring Infoblox Threat Intelligence Feed. The Infoblox DNS feed is a reputable data server validated by Infoblox to provide reputation RPZ updates.
- Download rules from the RPZ feed, as described in Downloading Rules for an RPZ Feed.
- Optionally, complete the following to receive alerts from a FireEye appliance:
- Create a FireEye integrated RPZ, as described in Configuring FireEye RPZs.
- Define rules for FireEye RPZs, as described in Configuring Rules for FireEye RPZs.
- Create FireEye admin users, as described in For FireEye Integrated RPZs.
- Add URLs and user credentials on the FireEye appliance, as described in Configuring the FireEye appliance.
Note: To apply the configured RPZ policies regardless of whether a DNS query requests DNSSEC data, configure the appliance accordingly. For more information about how to configure this, see Applying Policies and Rules to DNS Queries that Request DNSSEC Data.
5. Test your RPZ configuration and verify that RPZ is functioning properly by viewing the syslog and the Last Updated column in the Response Policy Zones tab. For more information, see Testing RPZ Feed Rules.
After you have set up your RPZs, RPZ feeds, and RPZ rules, you can do the following:
- Manage local RPZs such as viewing a list of RPZs, modifying, reordering, and deleting RPZs. You can also lock or unlock RPZs. For more information, see Managing RPZs.
- Verify that RPZs are functioning properly by viewing the syslog and the last updated RPZ. For more information, see Managing RPZ Rules.
- Manage Local RPZ rules such as viewing, modifying, and deleting RPZ rules. You can also copy and import RPZ rules. For more information, see Managing RPZ Rules.
- Generate the DNS Top RPZ Hits report, if you have a reporting server set up in the Grid. For more information, see DNS Top RPZ Hits.
- Define thresholds for the RPZ hit rate and configure the appliance to send alerts when the RPZ hit rate exceeds the thresholds. For information, see Configuring Thresholds for RPZ Hit Rate.
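As an added example (not part of this guide or the NIOS product), the following reads rpz-category syslog lines, counts hits per client, and flags clients whose hit count exceeds a threshold, which is the kind of check the logging step and the hit-rate thresholds above support. The log lines are constructed samples in the BIND-style "rpz ... rewrite ... via ..." format; the exact field layout on a given NIOS release is an assumption, so adjust the pattern to your own syslog output.

```python
"""Parse RPZ hit lines from syslog and flag clients above a hit threshold (constructed example)."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample syslog excerpt. Four rpz rewrites (one of them a pass thru) and one
# ordinary query line that must be ignored. The BIND-style layout is an assumption.
SAMPLE_SYSLOG = """\
Jan 10 12:00:01 ns1 named[1234]: client 192.0.2.10#41000 (malware.example): rpz QNAME NXDOMAIN rewrite malware.example via malware.example.local-rpz
Jan 10 12:00:02 ns1 named[1234]: client 192.0.2.10#41001 (phish.example): rpz QNAME CNAME rewrite phish.example via phish.example.local-rpz
Jan 10 12:00:03 ns1 named[1234]: client 192.0.2.11#41002 (abc.com): rpz QNAME PASSTHRU rewrite abc.com via abc.com.local-rpz
Jan 10 12:00:04 ns1 named[1234]: client 192.0.2.10#41003 (c2.example): rpz QNAME NXDOMAIN rewrite c2.example via c2.example.local-rpz
Jan 10 12:00:05 ns1 named[1234]: client 192.0.2.12#41004 (example.org): query: example.org IN A + (192.0.2.1)
"""

# Captures client address, queried name, trigger type, action and the rule that fired.
RPZ_HIT = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite \S+ via (?P<rule>\S+)"
)


def parse_rpz_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per line that records an RPZ rewrite; other lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = RPZ_HIT.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def hits_per_client(hits: List[Dict[str, str]], include_passthru: bool = False) -> Counter:
    """Count hits by client. Pass-thru matches are logged but not blocked, so they are
    excluded from the count by default."""
    counts: Counter = Counter()
    for h in hits:
        if h["action"] == "PASSTHRU" and not include_passthru:
            continue
        counts[h["ip"]] += 1
    return counts


def clients_over_threshold(counts: Counter, threshold: int) -> List[str]:
    """Clients whose blocked/redirected hit count exceeds the threshold, highest first."""
    return [ip for ip, n in counts.most_common() if n > threshold]
```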