Infoblox DNS Firewall uses DNS RPZs (Response Policy Zones), a technology developed by ISC (Internet Systems Consortium) that lets reputable sources dynamically communicate domain name reputation so that you can implement policy controls for DNS lookups.
On an Infoblox appliance, you can configure RPZs and define RPZ rules that block DNS resolution for malicious or unauthorized hostnames, or that redirect clients to a walled garden by substituting responses. Each RPZ rule carries an action. For example, a rule for abc.com can have an action of Passthru, or of Substitute (Domain) with the domain xyz.com. You can also configure a Grid member as a lead secondary that receives RPZ updates from external reputation sources and redistributes them to the other Grid members. Infoblox DNS Firewall supports both IPv4 and IPv6 networks. It also facilitates the detection of malware and APTs (Advanced Persistent Threats) through integration of the NIOS appliance with a FireEye appliance, so you can use FireEye as an external threat detection source in an APT mitigation strategy.
An Infoblox Grid applies RPZ actions only to queries that originate from external sources. The recursive name server on an RPZ-enabled Grid member uses the source address of the client that sent the query to decide whether the query came from an external source or from within the Grid. Queries that originate from the Grid Master or from a Grid member with an RPZ license installed automatically bypass RPZ actions. To implement this, Infoblox uses the ACL infoblox-deny-rpz, which lists the addresses that are exempt from RPZ actions; Grid members that do not have an RPZ license are not included in this list, so their queries remain subject to RPZ. Note that an RPZ action is performed only once per recursion.
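The following Python is an added example, not Infoblox or ISC code. It models the two behaviours described above: the per-rule actions (Passthru, Substitute, NXDOMAIN, NODATA, drop) encoded the way ISC RPZ zones encode them in CNAME RDATA, matched on the query name with exact-before-wildcard precedence, and the client-address bypass that the infoblox-deny-rpz ACL provides. The zone name local-rpz.example, the sample rules, and the bypass networks 10.0.0.0/24 and 2001:db8::/64 are all constructed; abc.example and xyz.example stand in for the abc.com and xyz.com of the text.

```python
"""Toy RPZ evaluator for the QNAME trigger (added example; not Infoblox or ISC code).

Rule owner names live inside the policy zone and the CNAME RDATA encodes the
action, following the ISC RPZ convention:
    CNAME .               -> NXDOMAIN           (Infoblox "Block (No such domain)")
    CNAME *.              -> NODATA             (Infoblox "Block (No data)")
    CNAME rpz-passthru.   -> answer normally    (Infoblox "Passthru")
    CNAME rpz-drop.       -> drop the query
    CNAME other.name.     -> substitute: answer as if other.name had been asked
Clients inside the bypass ACL are never rewritten, modelling the
infoblox-deny-rpz ACL. Zone name, rules and ACL below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RPZ_ZONE = "local-rpz.example"  # constructed policy zone name

# Constructed sample rules; owners without a trailing dot are relative to RPZ_ZONE.
SAMPLE_ZONE = """\
; constructed sample rules (owner names relative to local-rpz.example)
malware.example     CNAME .               ; block: NXDOMAIN
*.malware.example   CNAME .               ; ...and every subdomain of it
tracker.example     CNAME *.              ; NODATA: name exists, no records
abc.example         CNAME xyz.example.    ; Substitute (Domain) with xyz.example
*.abc.example       CNAME rpz-passthru.   ; but let its subdomains resolve normally
c2.example          CNAME rpz-drop.       ; drop: the client gets no answer at all
"""

# Constructed stand-in for infoblox-deny-rpz: addresses of RPZ-licensed Grid members.
BYPASS_ACL = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("2001:db8::/64")]


@dataclass
class Decision:
    action: str                   # NONE, BYPASS, NXDOMAIN, NODATA, PASSTHRU, DROP, SUBSTITUTE
    target: Optional[str] = None  # substituted name for SUBSTITUTE
    rule: Optional[str] = None    # matched rule owner, relative to the policy zone


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def parse_rpz_zone(zone_text: str, zone_name: str = RPZ_ZONE) -> dict:
    """Return {owner_relative_to_zone: cname_rdata} for the CNAME rules in zone_text."""
    rules = {}
    suffix = "." + _norm(zone_name)
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments, then tokenise
        if "CNAME" not in fields:
            continue                                # blank lines, SOA/NS apex records
        idx = fields.index("CNAME")
        owner, rdata = fields[0].lower(), fields[idx + 1].lower()
        if owner.endswith("."):                     # absolute owner: strip the zone suffix
            owner = owner.rstrip(".")
            if owner.endswith(suffix):
                owner = owner[: -len(suffix)]
        rules[owner] = rdata
    return rules


def _action_for(rdata: str) -> Decision:
    if rdata == ".":
        return Decision("NXDOMAIN")
    if rdata == "*.":
        return Decision("NODATA")
    if rdata == "rpz-passthru.":
        return Decision("PASSTHRU")
    if rdata == "rpz-drop.":
        return Decision("DROP")
    return Decision("SUBSTITUTE", target=_norm(rdata))


def evaluate(qname: str, client_ip: str, rules: dict, bypass_acl=BYPASS_ACL) -> Decision:
    """QNAME-trigger matching: exact owner first, then the closest enclosing wildcard.

    The toy decides once per query; it neither resolves nor re-evaluates a
    substituted target.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in bypass_acl):        # internal Grid source: no RPZ action
        return Decision("BYPASS")
    labels = _norm(qname).split(".")
    candidates = [".".join(labels)] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for owner in candidates:
        if owner in rules:
            decision = _action_for(rules[owner])
            decision.rule = owner
            return decision
    return Decision("NONE")


if __name__ == "__main__":
    rules = parse_rpz_zone(SAMPLE_ZONE)
    for q, c in [("www.malware.example", "203.0.113.7"), ("abc.example", "203.0.113.7"),
                 ("www.abc.example", "203.0.113.7"), ("malware.example", "10.0.0.9")]:
        print(q, c, evaluate(q, c, rules))
```

The last case in the usage block shows the bypass: the same name that is blocked for 203.0.113.7 is left alone for 10.0.0.9 because that address falls inside the constructed ACL, which is exactly why an unlicensed member's address must not appear in infoblox-deny-rpz if its queries are meant to be filtered.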
As illustrated in Figure 42.1, the Infoblox DNS server receives RPZ updates, which include blacklisted hostnames and responses, from a reputation data server through a DNS zone transfer. The appliance then blocks or redirects queries and responses based on the imported RPZ rules. The reporting server can then generate the DNS Top RPZ Hits report that details the top DNS clients that have received redirected responses through RPZs.
Figure 42.1 Infoblox DNS Firewall
There are three types of RPZs: local RPZs, RPZ feeds, and FireEye-integrated RPZs.
You can configure up to a total of 32 RPZs, including local and FireEye integrated RPZs.
For more information on configuring RPZ feeds using On-Prem Firewall Service, see On-Prem DNS Firewall Service.
For a successful Infoblox DNS Firewall deployment that protects your endpoint devices and servers from stealthy malware and malicious hostnames, consider the guidelines described in Best Practices for Configuring RPZs. To configure Infoblox DNS Firewall, complete the following tasks:
1. Install a valid RPZ license on the appliance, as described in License Requirements and Admin Permissions for RPZ.
Ensure that a valid DNS license is also installed on the same appliance.
2. Enable recursive queries for a DNS view, member, or Grid, as described in Enabling Recursion for RPZs.
Ensure that you enable recursive queries for RPZ rules to take effect.
3. Configure RPZ logging so that all matching and disabled rules for all queries are logged to the syslog. Reviewing the syslog lets you confirm that the rules are set up correctly before you enable them. To log these events, enable rpz in the Logging Category of the Grid DNS Properties editor. For information about how to set logging categories, see Setting DNS Logging Categories.
4. You can configure a local RPZ, an RPZ feed, or a FireEye RPZ on the NIOS appliance. Complete one of the following depending on your selection:
5. Test your RPZ configuration and verify that RPZ is functioning properly by viewing the syslog and the Last Updated column in the Response Policy Zones tab. For more information, see Testing RPZ Feed Rules.
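Steps 3 and 5 above both come down to reading RPZ events out of the syslog, and the Top RPZ Hits report is an aggregation of the same events. The following Python is an added example, not Infoblox code, that parses such lines and produces the per-client hit counts. The sample lines are constructed in the style of BIND's rpz logging category (client address, queried name, the rule action, and the matching rule name after "via"), and the optional "disabled" prefix used to mark a matched-but-disabled rule is an assumption; check the exact line format your NIOS release emits and adjust the RPZ_LINE pattern if it differs.

```python
"""Summarise RPZ hits from syslog (added example; not Infoblox or ISC code).

SAMPLE_SYSLOG is constructed in the style of BIND's "rpz" log category.  The
"disabled " prefix for a rule that matched but is disabled is an assumption;
adjust RPZ_LINE to the exact format your NIOS release writes.
"""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
Mar  4 10:15:02 ns1 named[1234]: client 192.0.2.10#53412 (www.malware.example): rpz QNAME NXDOMAIN rewrite www.malware.example via www.malware.example.local-rpz.example
Mar  4 10:15:03 ns1 named[1234]: client 192.0.2.10#53415 (abc.example): rpz QNAME CNAME rewrite abc.example via abc.example.local-rpz.example
Mar  4 10:15:04 ns1 named[1234]: client 192.0.2.22#40001 (tracker.example): rpz QNAME NODATA rewrite tracker.example via tracker.example.local-rpz.example
Mar  4 10:15:05 ns1 named[1234]: client 192.0.2.10#53420 (c2.example): rpz QNAME DROP rewrite c2.example via c2.example.local-rpz.example
Mar  4 10:15:06 ns1 named[1234]: client 2001:db8::5#50000 (malware.example): disabled rpz QNAME NXDOMAIN rewrite malware.example via malware.example.local-rpz.example
Mar  4 10:15:07 ns1 named[1234]: client 192.0.2.22#40002 (www.abc.example): rpz QNAME PASSTHRU rewrite www.abc.example via www.abc.example.local-rpz.example
Mar  4 10:15:08 ns1 named[1234]: client 192.0.2.22#40003 (good.example): query: good.example IN A + (192.0.2.1)
"""

# client [@0xPTR] ADDR#PORT (QNAME): [disabled ]rpz TRIGGER ACTION rewrite NAME via RULE
RPZ_LINE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"(?P<disabled>disabled )?rpz (?P<trigger>\S+) (?P<action>\S+) rewrite (?P<name>\S+) via (?P<rule>\S+)"
)


def parse_rpz_hits(text: str) -> list:
    """Return one dict per RPZ log line; ordinary query lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = RPZ_LINE.search(line)
        if m:
            hit = m.groupdict()
            hit["disabled"] = hit["disabled"] is not None
            hits.append(hit)
    return hits


def summarize(hits: list) -> dict:
    """Count redirected responses per client, action and rule.

    Passthru matches and disabled-rule matches do not change the answer the
    client receives, so they are counted separately rather than as hits.
    """
    enforced = [h for h in hits if not h["disabled"] and h["action"] != "PASSTHRU"]
    return {
        "redirected_by_client": Counter(h["client"] for h in enforced),
        "by_action": Counter(h["action"] for h in enforced),
        "by_rule": Counter(h["rule"] for h in enforced),
        "passthru": sum(1 for h in hits if not h["disabled"] and h["action"] == "PASSTHRU"),
        "disabled": sum(1 for h in hits if h["disabled"]),
    }


def top_rpz_clients(text: str, n: int = 5) -> list:
    """The 'Top RPZ Hits' view: clients ranked by redirected responses."""
    return summarize(parse_rpz_hits(text))["redirected_by_client"].most_common(n)


if __name__ == "__main__":
    summary = summarize(parse_rpz_hits(SAMPLE_SYSLOG))
    for key, value in summary.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
    print("top clients:", top_rpz_clients(SAMPLE_SYSLOG))
```

The "disabled" count is the number to watch during step 3: with rules still disabled, a non-zero count confirms that queries are reaching the policy and matching the intended rules, while the redirected counts stay at zero until you enable them.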
After you have set up your RPZs, RPZ feeds, and RPZ rules, you can do the following: