
Configuring Passthru local RPZ rules in NIOS (2542)

This lab requires a NIOS 9.0 Lab Environment

This lab guide has been developed using the new NIOS 9.0 Lab Environment (experimental) lab. Please ensure that you deploy a NIOS 9.0 lab environment to complete these lab tasks. If you use a different lab environment, this is untested, and the lab likely will not work.


Scenario

A corporate compliance policy was created to increase your corporate DNS security posture. The policy dictates what domains will be allowed and which ones will be blocked or modified. Your current task is to create a Pass-thru policy allowing trusted internal domains to be resolved unmodified.

Learning Content

Estimated Completion Time

  • 20 to 25 minutes

Credentials

  Description        Username   Password   URL or IP
  Grid Manager UI    admin      infoblox   https://10.100.0.100/

Requirements

  • Administrative access to the Grid

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.



Tasks

  1. Create a local RPZ named allowlist.rpz

  2. Create a rule in the allowlist.rpz to ensure DNS requests for techblue.net and all of its sub-domains get passed through unmodified

  3. Test Pass-thru Local RPZ Rules

Task 1: Create local RPZ - allowlist.rpz

  • Create a local RPZ named allowlist.rpz to ensure DNS traffic from the techblue.net domain is allowed to pass through using a previously configured server group called RPZ Local NSG.

Task 2: Add Passthru Domain Policy Rules to allowlist.rpz

  • Create a rule in the allowlist.rpz to ensure DNS requests for techblue.net and all of its sub-domains get passed through unmodified.

Task 3: Test Pass-thru Local RPZ Rules

  • Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    • Open a terminal window, issue the command sudo set-network-static-nios, and verify with the command ifconfig that the machine now has the IP address 172.31.101.250.

  • Use dig and syslog entries to validate the local RPZ configurations.


Solutions

Task 1 Solution: Create local RPZ - allowlist.rpz

In this task, you create a local RPZ called allowlist.rpz. This will be used to ensure DNS traffic from the techblue.net domain is allowed to pass through.

  1. On the jump-desktop machine, open a browser window and access https://10.100.0.100.

  2. Navigate to Data Management → DNS → Response Policy Zones.

  3. Click the plus (+) symbol to add a new RPZ.

  4. Select Add Local Response Policy Zone and click Next.

  5. Enter allowlist.rpz for the name of the zone.

  6. Set the Policy Override value to Passthru.

  7. Change the Severity to Informational.

  8. Type in a comment to describe the purpose of the RPZ.

  9. Click Next to continue.

  10. Select the Use this Name Server Group button.

  11. Choose RPZ Local NSG from the drop-down list.

  12. Click Save & Close.

  13. Restart Services when prompted.


Task 2 Solution: Add Passthru Domain Policy Rules to allowlist.rpz

In this task, we create rules in the allowlist.rpz policy to ensure that DNS requests for the techblue.net domain and all of its subdomains pass through unmodified. Two rules are needed because a wildcard trigger matches only names below the domain, not the domain itself: the first rule allows techblue.net, and the second uses the wildcard (*.techblue.net) to allow all subdomains.

  1. Navigate to Data Management → DNS → Response Policy Zones.

  2. Click the link to allowlist.rpz.

  3. Click the arrow next to the plus (+) symbol and select Passthru Rule from the drop-down list.

  4. Select Passthru Domain Name Rule.

  5. Enter techblue.net in the Name field.

  6. Type a Comment to describe the purpose of the rule.

  7. Click Save & Close.

  8. Click the arrow next to the plus (+) symbol and select Passthru Rule from the drop-down list.

  9. Select Passthru Domain Name Rule.

  10. Enter *.techblue.net in the Name field.

  11. Type a Comment to describe the purpose of the rule.

  12. Click Save & Close.
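The following is an added example, not part of the Infoblox lab or of NIOS itself. It models how the two Passthru rules created above are matched against query names, so you can see why Task 2 needs both the exact rule and the wildcard rule, and why the dig test in Task 3 returns a normal answer while the syslog records a PASSTHRU match. Assumptions are labelled in the code: trigger semantics follow BIND-style RPZ QNAME triggers (an exact owner name matches only itself, a "*." wildcard matches names strictly below it), response policy zones are consulted in configured order with the first matching zone deciding, and the blocklist.rpz zone and example.test names are constructed for illustration only.

```python
# Added example (not from the Infoblox lab or NIOS): a small model of how the
# Passthru rules in allowlist.rpz are matched against query names.
# Assumptions: BIND-style RPZ QNAME triggers (exact name matches only itself,
# "*.name" matches names strictly below it); zones are consulted in configured
# order and the first zone with a match decides.  "blocklist.rpz" and the
# example.test names are constructed placeholders, not part of the lab.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    trigger: str  # QNAME trigger, e.g. "techblue.net" or "*.techblue.net"
    action: str   # "PASSTHRU", "NXDOMAIN", "NODATA", ...


@dataclass(frozen=True)
class Zone:
    name: str
    rules: tuple


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot: 'WWW.TechBlue.net.' -> 'www.techblue.net'."""
    return name.rstrip(".").lower()


def trigger_matches(trigger: str, qname: str) -> bool:
    """Exact triggers match one owner name; '*.' wildcards match any name with
    at least one extra label to the left (the apex itself is NOT matched)."""
    t, q = normalize(trigger), normalize(qname)
    if t.startswith("*."):
        suffix = t[1:]  # "*.techblue.net" -> ".techblue.net"
        return q.endswith(suffix) and len(q) > len(suffix)
    return q == t


def best_rule_in_zone(zone: Zone, qname: str):
    """Within one zone prefer an exact match over a wildcard, then the longer trigger."""
    hits = [r for r in zone.rules if trigger_matches(r.trigger, qname)]
    if not hits:
        return None
    return max(hits, key=lambda r: (not r.trigger.startswith("*."), len(r.trigger)))


def evaluate(zones, qname: str):
    """Return (zone name, trigger, action) from the first zone with a match, or
    None when no policy applies and the resolver's normal answer stands."""
    for zone in zones:
        rule = best_rule_in_zone(zone, qname)
        if rule is not None:
            return (zone.name, rule.trigger, rule.action)
    return None


# The two rules created in Task 2 (from the lab).
ALLOWLIST = Zone("allowlist.rpz", (
    Rule("techblue.net", "PASSTHRU"),
    Rule("*.techblue.net", "PASSTHRU"),
))

# Constructed block zone, ordered AFTER the allowlist, to show that the
# earlier Passthru match wins over a later blocking rule for the same name.
BLOCKLIST = Zone("blocklist.rpz", (
    Rule("*.example.test", "NXDOMAIN"),
    Rule("*.techblue.net", "NXDOMAIN"),  # never reached for techblue.net names
))

POLICY = (ALLOWLIST, BLOCKLIST)


def action_for(qname: str, zones=POLICY) -> str:
    """Effective action for a query name; 'ANSWER' means no RPZ rule fired."""
    hit = evaluate(zones, qname)
    return hit[2] if hit else "ANSWER"


if __name__ == "__main__":
    for name in ("techblue.net", "www.techblue.net", "mail.corp.techblue.net",
                 "bad.example.test", "unrelated.example.com"):
        print(f"{name:26} -> {evaluate(POLICY, name)}")
    # Why Task 2 needs both rules: the wildcard alone does not cover the apex.
    wildcard_only = Zone("allowlist.rpz", (Rule("*.techblue.net", "PASSTHRU"),))
    print("apex with wildcard only  ->", evaluate((wildcard_only,), "techblue.net"))
```

Run it directly to see each name's verdict; www.techblue.net hits the wildcard Passthru rule and techblue.net hits the exact rule, which is the same pair of matches the RPZ Incidents syslog view shows in Task 3.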

Task 3 Solution: Testing Pass-thru Local RPZ Rules

The newly created RPZ must be tested. In this task, we will use dig and syslog entries to validate the local RPZ configurations.

  1. Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    1. Open a terminal window, issue the command sudo set-network-static-nios, and verify with the command ifconfig that the machine now has the IP address 172.31.101.250.

  2. Open a terminal window on testing-linux. Use the dig command dig @10.100.0.105 www.techblue.net to perform a DNS query for www.techblue.net.

    1. 10.100.0.105 is the IP address of ibns1.techblue.net, an HA pair Grid member.

    2. The results show that the query has been answered. The IP Address of www.techblue.net is 10.200.0.80.

  3. Switch back to the jump-desktop machine.

  4. Navigate to Administration → Logs → Syslog.

  5. Select the Member ibns1.techblue.net from the drop-down list.

  6. Choose RPZ Incidents from the Quick Filter drop-down list.

    1. The DNS Query for www.techblue.net is listed in the messages section, in CEF format.

    2. The query has matched a PASSTHRU rule in allowlist.rpz.
