
2541 - Setting up NIOS DNS Firewall


Scenario

In an effort to enhance DNS security in your environment, your team was tasked with setting up the Infoblox DNS Firewall feature on the Grid. Please make sure the Grid is configured correctly to support basic DNS Firewall, which relies on using Response Policy Zone (RPZ). Since security ties in heavily with logging and reporting, please also make sure the correct logging and reporting settings are configured on the Grid.

Course References

  • 2030: Describing NIOS DNS Firewall

Estimate Completion Time

  • 25 to 30 minutes

Credentials

  Description        Username   Password   URL or IP
  Grid Manager UI    admin      infoblox   https://10.100.0.100/

Requirements

  • Administrative access to the Grid

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Tasks

  • Task 1: Apply the RPZ license to ibns1.techblue.net and ibns2.techblue.net

  • Task 2: Create RPZ Local NSG Name Server Group

  • Task 3: Confirm DNS Recursion enabled on Name Servers

  • Task 4: Enable RPZ Logging

  • Task 5: Confirm the Reporting Server Configuration


Task 1: Apply the RPZ license to ibns1.techblue.net and ibns2.techblue.net

  • Apply the RPZ license file stored on the Jump-desktop

  • Verify that DNS licenses are enabled and running on members that will be hosting RPZ

  • Add the RPZ licenses located in the Shared Drive/Licenses folder under the name RPZ.txt

Task 2: Create RPZ Local NSG Name Server Group

  • Create the RPZ Local NSG Name Server Group. This name server group will be used by the local RPZs you create in a later lab

  • The members of RPZ Local NSG are ibns1.techblue.net and ibns2.techblue.net.

    • ibns1.techblue.net is the primary

    • ibns2.techblue.net is the secondary

  • You must choose DNS Zone Transfers for the Update Zones Using method

You get an error if you try to add a name server group that uses Grid Replication as the Update Zones Using method to an RPZ.

Task 3: Confirm DNS Recursion enabled on Name Servers

  • Confirm that DNS recursion is enabled for the name servers ibns1.techblue.net and ibns2.techblue.net

Task 4: Enable RPZ Logging

  • Use the toolbar menu to enable RPZ logging. This ensures that RPZ events are logged to syslog.

Task 5: Confirm the Reporting Server Configuration

  • Use the toolbar to check that the Reporting Server Security category is enabled and has an Index % value


Solutions

Task 1 Solution: Apply the RPZ license to ibns1.techblue.net and ibns2.techblue.net

In this task, you apply the RPZ license file stored on the Jump-desktop. The license file is called RPZ.txt and is located in the /home/training/Documents/Licenses folder.

  1. Navigate to Grid → Licenses.

  2. Click the plus (+) symbol to add the RPZ license.

  3. Select the Upload License File radio button. Click Select File.

  4. Navigate to shared Drive/Licenses. Click the RPZ.txt file and select Open.

  5. Click Save License(s).

  6. Click Filter On and use a quick filter to search for RPZ licenses. There are two licenses associated with ibns1.techblue.net as this member is part of an HA pair.

Task 2 Solution: Create RPZ Local NSG Name Server Group

In this task, you create the RPZ Local NSG Name Server Group. This name server group will be used by the local RPZs you create in a later lab. The members of RPZ Local NSG are ibns1.techblue.net and ibns2.techblue.net. You must choose DNS Zone Transfers for the Update Zones Using method. You get an error if you try to add a name server group that uses Grid Replication as the Update Zones Using method to an RPZ.

  1. Navigate to Data Management → DNS → Name Server Groups.

  2. Click the drop-down arrow next to the plus (+) symbol to add a new Authoritative Name Server Group.

  3. Type RPZ Local NSG in the Name box. Click the drop-down arrow next to the plus (+) symbol and select Grid Primary.

  4. Click Select.

  5. Choose ibns1.techblue.net from the Member Selector. Click OK.

  6. Click Add in the Add Name Server Group wizard to add ibns1.techblue.net to the RPZ Local NSG group.

  7. Click the drop-down arrow next to the plus (+) symbol and select Grid Secondary.

  8. Ensure Update Zones Using is set to DNS Zone Transfers. Click Select.

  9. Choose ibns2.techblue.net from the Member Selector.

  10. Click Add to add ibns2.techblue.net to the Name Server Group RPZ Local NSG. Click Save & Close to save the configuration.

Task 3 Solution: Confirm DNS Recursion enabled on Name Servers

In this task, you confirm that DNS recursion is enabled for the name servers ibns1.techblue.net and ibns2.techblue.net.

  1. Navigate to Data Management → DNS → Members.

  2. Select ibns1.techblue.net and ibns2.techblue.net.

  3. Click Start on the toolbar, and accept the notification message by clicking Yes.

  4. Click the hamburger icon or the Edit button to edit the Member DNS Properties.

  5. Select Queries in the Properties list.

  6. Scroll down until you see Allow Recursion. You might need to click the Override button to enable recursion and select Named ACL Company Internal Subnets.

  7. Repeat the steps to confirm that recursion is enabled for ibns2.techblue.net, then restart the services when prompted.

Task 4 Solution: Enable RPZ Logging

In this task, you enable RPZ logging. This ensures that RPZ events are logged to syslog.

  1. Select Grid DNS Properties from the toolbar. Toggle Advanced Mode. Select Logging.

  2. Click the check box for rpz.

  3. Click Save & Close.

  4. Restart Services if prompted.
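The syslog output that Task 4 (and the task description above) turns on is what detection tooling consumes. The following is an added example, not part of this lab or of Infoblox's own tooling: it parses BIND-style RPZ rewrite messages out of syslog lines and summarizes which clients are hitting policy and which actions fired. It assumes NIOS logs RPZ events with BIND's "rpz <trigger> <action> rewrite <name> via <rule>" wording; the sample log lines, hostnames and client addresses are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample syslog lines (not captured from a real Grid). Line 4 is an
# ordinary query-log entry and must be ignored by the RPZ parser.
SAMPLE_SYSLOG = """\
May  6 15:16:57 ibns1 named[2211]: client @0x7f3a 10.100.0.50#51234 (malware.example.test): rpz QNAME NXDOMAIN rewrite malware.example.test via malware.example.test.rpz.local
May  6 15:17:02 ibns1 named[2211]: client @0x7f3a 10.100.0.50#51235 (c2.example.test): rpz QNAME CNAME rewrite c2.example.test via c2.example.test.rpz.local
May  6 15:17:09 ibns2 named[2190]: client @0x7f3b 10.100.0.77#40001 (allowed.example.test): rpz QNAME PASSTHRU rewrite allowed.example.test via allowed.example.test.rpz.local
May  6 15:17:15 ibns1 named[2211]: client @0x7f3a 10.100.0.50#51236 (www.example.test): query: www.example.test IN A + (10.100.0.100)
May  6 15:17:20 ibns2 named[2190]: client @0x7f3b 10.100.0.50#51237 (bad.example.test): rpz IP NXDOMAIN rewrite bad.example.test via 32.9.8.7.6.rpz-ip.rpz.local
"""

# Assumption: BIND-style RPZ message wording. The syslog prefix (timestamp,
# host, process) is skipped by searching rather than matching from the start.
RPZ_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): rpz (?P<trigger>[A-Z-]+) (?P<action>[A-Za-z-]+) "
    r"rewrite (?P<rewritten>\S+) via (?P<rule>\S+)"
)


@dataclass(frozen=True)
class RpzEvent:
    client: str   # source address of the resolver client
    qname: str    # name the client asked for
    trigger: str  # QNAME, IP, NSDNAME, NSIP or CLIENT-IP
    action: str   # NXDOMAIN, NODATA, PASSTHRU, DROP, CNAME, Local-Data, ...
    rule: str     # the RPZ record that matched (name inside the policy zone)


def parse_rpz_line(line: str) -> Optional[RpzEvent]:
    """Return an RpzEvent for an RPZ rewrite line, or None for anything else."""
    m = RPZ_RE.search(line)
    if not m:
        return None
    return RpzEvent(m["client"], m["qname"], m["trigger"], m["action"], m["rule"])


def summarize(lines: Iterable[str]) -> dict:
    """Count RPZ hits overall, per enforcing client and per action.

    PASSTHRU means the policy matched but the answer was left untouched, so it
    is reported separately from actions that actually changed the response.
    """
    events = [e for e in map(parse_rpz_line, lines) if e is not None]
    enforced = [e for e in events if e.action != "PASSTHRU"]
    return {
        "total": len(events),
        "blocked": len(enforced),
        "by_client": Counter(e.client for e in enforced),
        "by_action": Counter(e.action for e in events),
    }


def noisy_clients(lines: Iterable[str], threshold: int = 5) -> List[str]:
    """Clients with at least `threshold` enforced RPZ hits, busiest first.

    Repeated hits from one host are the usual triage starting point after RPZ
    logging is enabled.
    """
    counts = summarize(lines)["by_client"]
    return [c for c, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    print(summarize(lines))
    print("clients to triage:", noisy_clients(lines, threshold=2))
```

Feed it the lines the Grid members forward to your syslog collector; only the `rpz ... rewrite ... via` wording is relied on, so the syslog prefix format does not matter. If your NIOS version emits a different RPZ message layout, adjust `RPZ_RE` first and keep the rest.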

Task 5 Solution: Confirm the Reporting Server Configuration

In this task, you check that the Reporting Server Security category is enabled and has an Index % value.

  1. Navigate to Administration → Reporting.

  2. Select Grid Reporting Properties from the Toolbar.

  3. Ensure the Security category is selected and the Index% field has a value; the default value is acceptable.

  4. Click Cancel or Save & Close.

  5. Restart Services if prompted.
