
Setting up NIOS DNS Firewall (2541)

This lab requires a NIOS 9.0 Lab Environment

This lab guide has been developed using the new NIOS 9.0 Lab Environment (experimental) lab. Please ensure that you deploy a NIOS 9.0 lab environment to complete these lab tasks. Any other lab environment is untested, and the lab will likely not work there.


Scenario

Your team was tasked with setting up the Infoblox DNS Firewall feature on the Grid to enhance DNS security in your environment. Please make sure the Grid is configured correctly to support a basic DNS Firewall, which relies on using a Response Policy Zone (RPZ). Since security ties in heavily with logging and reporting, please also make sure the correct logging and reporting settings are configured on the Grid.

Learning Content

Estimate Completion Time

  • 25 to 30 minutes

Credentials

  Description       Username   Password   URL or IP
  Grid Manager UI   admin      infoblox   https://10.100.0.100/

Requirements

  • Administrative access to a NIOS Grid

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.


Tasks

  1. Create a name server group using grid members ibns1.techblue.net and ibns2.techblue.net as members.

  2. Verify RPZ logging is enabled on the Grid.

  3. Ensure that the Reporting Server has security reporting enabled.

Task 1: Create RPZ Local NSG Name Server Group

  • Create a name server group named RPZ Local NSG. This name server group will be used by the local RPZs. The members of the group are ibns1.techblue.net as the primary and ibns2.techblue.net as the secondary.

Task 2: Verify RPZ logging is enabled

  • Verify RPZ logging is enabled on the Grid.

Task 3: Enable Security Reporting for the Grid

  • Ensure that the Reporting Server has security reporting enabled.


Solutions

Task 1 Solution: Create RPZ Local NSG Name Server Group

In this task, you create the RPZ Local NSG Name Server Group. This name server group will be used by the local RPZs you create in later labs. The members of RPZ Local NSG are ibns1.techblue.net and ibns2.techblue.net. You must choose DNS Zone Transfers as the Update Zones Using method: NIOS returns an error if you try to assign a name server group that uses Grid Replication as its Update Zones Using method to an RPZ.

  1. On the jump-desktop machine, open a browser window and access https://10.100.0.100.

  2. Navigate to Data Management → DNS → Name Server Groups.

  3. Click the drop-down arrow next to the plus (+) symbol to add a new Authoritative Name Server Group.

  4. Type RPZ Local NSG in the Name box. Click the drop-down arrow next to the plus (+) symbol and select Grid Primary.

  5. Click Select.

  6. Choose ibns1.techblue.net from the Member Selector. Click OK.

  7. Click Add in the Add Name Server Group wizard to add ibns1.techblue.net to the RPZ Local NSG group.

  8. Click the drop-down arrow next to the plus (+) symbol and select Grid Secondary.

  9. Ensure Update Zones Using is set to DNS Zone Transfers. Click Select.

  10. Choose ibns2.techblue.net from the Member Selector.

  11. Click Add to add ibns2.techblue.net to the Name Server Group RPZ Local NSG.

  12. Click Save & Close to save the configuration.

Task 2 Solution: Verify RPZ Logging is enabled

In this task, you verify that RPZ logging is enabled. With this setting on, RPZ events are written to syslog, which lets you confirm that the RPZ configuration behaves as intended and troubleshoot problems later.

  1. Navigate to Data Management → DNS → Members.

  2. Select Grid DNS Properties from the toolbar.

  3. Toggle Advanced Mode. Select Logging.

  4. Verify that the check box for RPZ is checked; if not, check it.

  5. Click Save & Close.

  6. Restart Services if prompted.
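Both of the settings the solutions above configure through Grid Manager (a name server group that an RPZ will accept, and the RPZ logging category) can also be applied and verified through the NIOS WAPI, which is useful when you want to audit many Grids or re-check the state after someone else has edited it. The following is an added example, not code from this lab guide or from Infoblox. It assumes the WAPI object and field names `nsgroup`, `grid_primary`, `grid_secondaries`, `grid_replicate`, `grid:dns` and `logging_categories.log_rpz` as found in the WAPI reference (not on this page), and the WAPI version in `WAPI_BASE` is an assumption to adjust for your Grid. The credentials and address are the lab's. Nothing contacts the Grid unless `main()` is run; the builder and checker functions work on plain dictionaries.

```python
"""Build NIOS WAPI payloads for Task 1 and Task 2 and check a Grid's state
against the lab requirements. Added example; not Infoblox's code and not
part of the lab guide. Field names come from the WAPI reference as the
author of this example knows it; WAPI_BASE's version is an assumption."""
import base64
import json
import ssl
import urllib.request

WAPI_BASE = "https://10.100.0.100/wapi/v2.12"   # version is an assumption; adjust to your Grid


def build_rpz_nsgroup(name, primary, secondaries):
    """Body for POST nsgroup. grid_replicate=False is the WAPI spelling of
    'Update Zones Using: DNS Zone Transfers'; an RPZ rejects a group whose
    secondaries use Grid Replication (grid_replicate=True)."""
    return {
        "name": name,
        "grid_primary": [{"name": primary}],
        "grid_secondaries": [{"name": s, "grid_replicate": False} for s in secondaries],
    }


def nsgroup_rpz_compatible(nsgroup):
    """Check an nsgroup object (as returned by GET with grid_primary and
    grid_secondaries in _return_fields). Returns (ok, list_of_problems)."""
    problems = []
    if not nsgroup.get("grid_primary"):
        problems.append("no Grid primary configured")
    for sec in nsgroup.get("grid_secondaries", []):
        if sec.get("grid_replicate", False):
            problems.append(
                f"{sec.get('name')} updates via Grid Replication; RPZ needs DNS Zone Transfers")
    return (not problems, problems)


def rpz_logging_enabled(grid_dns):
    """True when the grid:dns object's logging_categories has log_rpz set."""
    return bool(grid_dns.get("logging_categories", {}).get("log_rpz", False))


def enable_rpz_logging(logging_categories):
    """Return a copy of the logging_categories struct with log_rpz turned on.
    Read-modify-write: sending the whole struct back avoids clearing the
    other logging categories that are already enabled."""
    updated = dict(logging_categories)
    updated["log_rpz"] = True
    return updated


def wapi_request(method, path, body=None, user="admin", password="infoblox", verify_tls=False):
    """Minimal WAPI call with HTTP basic auth (lab credentials from this guide).
    verify_tls=False only because the lab Grid presents a self-signed certificate;
    keep verification on against a production Grid."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{WAPI_BASE}/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())


def main():
    # Task 1: create RPZ Local NSG with ibns1 as primary and ibns2 as secondary,
    # then read it back and confirm an RPZ will accept it.
    body = build_rpz_nsgroup("RPZ Local NSG", "ibns1.techblue.net", ["ibns2.techblue.net"])
    ref = wapi_request("POST", "nsgroup", body)
    group = wapi_request("GET", f"{ref}?_return_fields=name,grid_primary,grid_secondaries")
    print("nsgroup", ref, nsgroup_rpz_compatible(group))

    # Task 2: verify RPZ logging on the Grid DNS properties; enable it if it is off.
    grid_dns = wapi_request("GET", "grid:dns?_return_fields=logging_categories")[0]
    if rpz_logging_enabled(grid_dns):
        print("log_rpz already enabled")
    else:
        patch = {"logging_categories": enable_rpz_logging(grid_dns["logging_categories"])}
        wapi_request("PUT", grid_dns["_ref"], patch)
        print("log_rpz enabled; restart DNS services as Grid Manager would prompt you to")


if __name__ == "__main__":
    main()
```

The checker mirrors the error the UI gives: a group whose secondary is fed by Grid Replication passes every other validation but cannot be attached to an RPZ, so it is worth failing early on exactly that field. The logging change is done as read-modify-write on the whole `logging_categories` struct rather than sending `{"log_rpz": true}` alone, so the other categories already enabled on the Grid are preserved.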

Task 3 Solution: Enable Security Reporting for the Grid

In this task, we enable the Security category on the Reporting Server and confirm it has an Index % value. This allows the reporting server to generate reports on security events, including RPZ hits.

NOTE: To allow grid members to send data to the reporting server, we must enable data indexing. If the "Enable Time-Based Retention" box is checked, the reporting server retains data for the number of days we set for each reporting category.

  1. Navigate to Administration → Reporting.

  2. Select Grid Reporting Properties from the Toolbar.

  3. Check the "Enable Data Indexing" box. This enables grid members to transfer data to the reporting server.

  4. Ensure the Security category is selected and that the Index % field has a value; the default value is fine.

  5. Click Save & Close.

  6. Restart Services if prompted.
