Skip to main content
Skip table of contents

Configuring Passthru local RPZ rules in NIOS (2542)

Scenario

As a measure to increase your corporate DNS security posture, a corporate compliance policy was created, the policy dictates that specific Domains and IP Addresses are blocked for all users. Any user attempting to access a specific site must be redirected to a walled garden where they are presented with a web page outlining corporate policy.

Your current task is to create a Pass-thru policy allowing trusted internal domains to be resolved.

Course References

  • 2031: Configuring Local RPZ in NIOS

Estimate Completion Time

  • 20 to 25 minutes

Credentials

Description

Username

Password

URL or IP

Grid Manager UI

admin

infoblox

https://10.100.0.100/

Requirements

  • Administrative access to the Grid

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Screenshot 2024-05-06 at 3.16.57 PM.png

Tasks

  • Task 1: Apply the RPZ license to ibns1.techblue.net and ibns2.techblue.net

  • Task 2: Create local RPZ - allowlist.rpz

  • Task 3: Add Passthru Domain Policy Rules to allowlist.rpz

  • Task 4: Testing Pash-thru Local RPZ Rules

Task 1: Apply the RPZ license to ibns1.techblue.net and ibns2.techblue.net

  • Apply the RPZ license file stored on /mnt/shared/licenses.

  • Verify that DNS licenses are enabled and running on members that will be hosting RPZ.

  • Add the RPZ licenses located in the shared Drive/Licenses folder under the name RPZ.txt

Task 2: Create local RPZ - allowlist.rpz

  • Create a local RPZ to ensure DNS traffic from the techblue.net domain is allowed to pass through

    1. Create a Local RPZ named allowlist.rpz

    2. Set the override value to passthru

    3. Use the RPZ Local NSG server group

    4. Verify the creation of the RPZ

Task 3: Add Passthru Domain Policy Rules to allowlist.rpz

  • Create a rule in the allowlist.rpz to ensure DNS requests for the techblue.net and all sub domains pass through unmodified

Task 4: Testing Pash-thru Local RPZ Rules

  • Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    • open a terminal window and issue the command sudo set-network-static-nios and verify that the machine now has the IP address 172.31.101.250 using the command ifconfig.

  • Use dig and syslog entries to validate the local RPZ configurations.

    • When using dig please specify the server 10.100.0.105 in the command using the @ symbol, i.e.: dig @10.100.0.105 <domain>

If you see the error message "Failed to reload network settings: No such file or directory", please re-enter "sudo set-network-static-nios".

Solutions

Task 1 Solution: Apply the RPZ license to ibns1.techblue.net and ibns2.techblue.net

  • In this task, you apply the RPZ license file stored on the Jump-desktop. The license file is called RPZ.txt and is located in the /home/training/Documents/Licenses folder.

    1. Navigate to Grid → Licenses.

    2. Click the plus (+) symbol to add the RPZ license.

    3. Select the Upload License File radio button. Click Select File.

    4. Navigate to shared Drive/Licenses. Click the RPZ.txt file and select Open.

    5. Click Save License(s).

    6. Click Filter On and use a quick filter to search for RPZ licenses. There are two licenses associated with ibns1.techblue.net as this member is part of an HA pair.

Task 2 Solution: Create local RPZ - allowlist.rpz

  • In this task, you create a local RPZ called allowlist.rpz. This will be used to ensure DNS traffic from the techblue.net domain is allowed to pass through.

    1. Create the Response Policy Zone by navigating to Data Management → DNS → Response Policy Zones.

    2. Click the plus (+) symbol to add a new RPZ.

    3. Select Add Local Response Policy Zone and click Next.

    4. Enter allowlist.rpz for the name of the zone. Set the Policy Override value to Passthru. Change the Severity to Informational. Type in a comment to describe the purpose of the RPZ. Click Next to continue.

    5. Select the Use this Name Server Group button. Choose RPZ Local NSG from the drop-down list. Click Save & Close.

Task 3 Solution: Add Passthru Domain Policy Rules to allowlist.rpz

  • In this task, you create a rule in the allowlist.rpz to ensure DNS requests for the techblue.net domain pass through unmodified.

    1. Navigate to Data Management → DNS → Response Policy Zones.

    2. Click the link to allowlist.rpz.

    3. Click the arrow next to the plus (+) symbol and select Passthru Rule from the drop-down list. Select Passthru Domain Name Rule.

    4. Enter techblue.net in the Name field. Type a Comment to describe the purpose of the rule. Click Save & Close.

    5. Click the arrow next to the plus (+) symbol and select Passthru Rule from the drop-down list. Select Passthru Domain Name Rule.

    6. Add a Passthru rule to match all labels for the domain, ensuring DNS queries such as www.techblue.net will pass through unmodified. Enter *.techblue.net in the Name field. Type a Comment to describe the purpose of the rule. Click Save & Close.

Task 4 Solution: Testing Pass-thru Local RPZ Rules

If you see the error message "Failed to reload network settings: No such file or directory", please re-enter "sudo set-network-static-nios".

  • The newly created RPZ must be tested before being implemented in production. In this task, you use dig and syslog entries to validate the local RPZ configurations.

    1. Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

      1. open a terminal window and issue the command sudo set-network-static-nios and verify that the machine now has the IP address 172.31.101.250 using the command ifconfig

    2. Open a terminal window on the Linux Desktop. Use the dig command dig @10.100.0.105 www.techblue.net to perform a DNS query for www.techblue.net.

    3. The results show that the query has been answered. The IP Address of www.techblue.net is 10.200.0.80.

    4. Jump back the the Jump-Desktop machine to check syslog for a record of the RPZ query.

    5. Navigate to Administration → Logs → Syslog. Select the Member ibns1.techblue.net from the drop-down list.

    6. Choose RPZ Incidents from the Quick Filter drop-down list.
      The DNS Query for www.techblue.net is listed in the messages section, in CEF format.
      The query has matched a PASSTHRU rule in allowlist.rpz.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close