
2543 - NIOS Threat Defense RPZ Feeds


Scenario

As part of a security initiative, the company has purchased subscriptions to Infoblox BloxOne Threat Defense.

You are tasked with adding specific Infoblox BloxOne Threat Defense feeds to your RPZ configuration. You will check the creation of the new RPZs. Once the zones are downloaded you will test them.

To download the RPZ feeds, you need to log in to the Infoblox Cloud Services Portal (the Infoblox portal) at https://portal.infoblox.com. Your credentials for accessing the Infoblox portal are on the Learning Portal.

Course References

  • 2032: Configuring Threat Defense RPZ feeds in NIOS

Estimate Completion Time

  • 45 to 55 minutes

Credentials

  Description        Username   Password   URL or IP
  Grid Manager UI    admin      infoblox   https://10.100.0.100/

Requirements

  • Administrative access to the Grid

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.


Tasks

  • Task 1: Log into NIOS and Verify Licenses

  • Task 2: Log into the Infoblox portal and copy the RPZ feed names and credentials

  • Task 3: Log into the NIOS grid and create RPZ DNSFW NSG name server group

  • Task 4: Configure RPZ Feeds into the NIOS GRID

  • Task 5: Verify RPZ Feed action using dig and syslog

  • Task 6: Test RPZ Feed action by disabling and re-enabling them


Task 1: Log into NIOS and Verify Licenses

  • Log into the NIOS Grid and verify that RPZ licenses are present for the grid members ibns1.techblue.net and ibns2.techblue.net.

  • If any are missing, add them from Shared Drive/licenses.

Task 2: Log into Infoblox Portal and copy the RPZ feed names and credentials

  • Using your Infoblox portal credentials from Launchpad, log into the Infoblox portal and obtain the feed names, the IP address of the distribution server providing the feeds, and the feed authentication credentials (TSIG key name, key data and algorithm) for the following feeds:

    • Infoblox_Base

    • Infoblox_Base_IP

    • Infoblox_High_Risk

  • Copy the RPZ names, the distribution server IP and your TSIG credentials into a text file for use later, using Geany (text editor). Treat the TSIG key as a secret: it is what authenticates zone transfers of the feeds to your Grid.

Task 3: Log into the NIOS grid and create RPZ DNSFW NSG name server group

  • Create a name server group called RPZ DNSFW NSG. This name server group is used by the Infoblox RPZ feeds.

  • Use the distribution server information you obtained from the Infoblox portal to add it as an External Primary (with TSIG), and add the grid members as secondaries:

    • ibns1.techblue.net is a lead secondary

    • ibns2.techblue.net is a secondary

You get an error if you try to assign a name server group whose Update Zones Using method is Grid Replication to an RPZ; feed zones are received from the external primary by zone transfer.

Task 4: Configure RPZ Feeds into the NIOS GRID

  • Configure an RPZ for each feed separately. Initially, each RPZ is configured in Passthru Policy Override mode. Once they have been successfully tested, and you confirm that they don’t cause issues with legitimate traffic, they are put into None (Given) Policy Override Mode.

  • Re-order the RPZs if required so that they are ordered as follows:

    1. allowlist.rpz

    2. walledgarden.rpz

    3. denylist.rpz

    4. infoblox-base.rpz.infoblox.local

    5. infoblox-base-ip.rpz.infoblox.local

    6. infoblox-high-risk.rpz.infoblox.local

Task 5: Verify RPZ Feed action using dig and syslog

  • Switch over to the testing-linux machine (credentials training/infoblox) and set it up for testing.

    • Open a terminal window, issue the command sudo set-network-static-nios and verify with ifconfig that the machine now has the IP address 172.31.101.250.

    • If you see the error message "Failed to reload network settings: No such file or directory", re-enter sudo set-network-static-nios.

  • Use dig and syslog entries to validate the RPZ configuration.

    • When using dig, specify the server 10.100.0.105 with the @ symbol, i.e.: dig @10.100.0.105 <domain>

    • Use one or more of the following test domains: eicar.stream, eicar.co or eicar.host.

  • Verify that the infoblox-base.rpz.infoblox.local RPZ is detecting domain names that should be blocked: in Passthru mode the match is logged as an RPZ incident, but the client still receives the normal answer.

  • Then change the Policy Override for infoblox-base.rpz.infoblox.local from Passthru to None (Given), so that the actions carried in the feed's own rules take effect (NXDOMAIN for these indicators), and test again using dig and syslog.
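The following Python 3 script is an added example for this lab (not Infoblox tooling and not part of the original exercise). It automates the dig check above and applies the same test the solution uses by eye: when dig is available it runs dig @10.100.0.105 for the three EICAR test domains, parses the text output, and reports whether an NXDOMAIN was generated by one of our RPZs (the SOA in the AUTHORITY section is owned by a zone under rpz.infoblox.local, which covers both the base.rpz.infoblox.local and infoblox-base.rpz.infoblox.local spellings used on this page) or came back from the public zone. The resolver address and test domains are taken from the task; the rpz.infoblox.local suffix is an assumption, and the embedded sample dig outputs are constructed, not captured from the lab.

```python
"""Classify dig answers from the lab resolver: RPZ block vs. upstream NXDOMAIN.

Added example for this lab (not Infoblox code); standard library only. Rule:
an NXDOMAIN whose AUTHORITY section carries the SOA of a *.rpz.infoblox.local
zone was generated by our RPZ; an NXDOMAIN whose SOA belongs to a public zone
came from the internet; a NOERROR with an A record was resolved normally.
"""
import re
import shutil
import subprocess

RESOLVER = "10.100.0.105"                 # lab DNS member named in the task
TEST_DOMAINS = ("eicar.stream", "eicar.co", "eicar.host")
RPZ_SUFFIX = ".rpz.infoblox.local."       # assumed suffix of the feed zone names


def parse_dig(text):
    """Return (status, answer_rrs, authority_rrs) from dig's text output.

    Each RR is the whitespace-split line: [owner, ttl, class, type, rdata...].
    """
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    sections = {"ANSWER": [], "AUTHORITY": []}
    current = None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            current = line[3:].split()[0]          # ANSWER, AUTHORITY, ...
            continue
        if not line.strip():
            current = None                         # a blank line ends a section
            continue
        if current in sections and not line.startswith(";"):
            sections[current].append(line.split())
    return status, sections["ANSWER"], sections["AUTHORITY"]


def classify(text):
    """RESOLVED, BLOCKED_BY_RPZ, NXDOMAIN_UPSTREAM or OTHER."""
    status, answers, authority = parse_dig(text)
    if status == "NOERROR" and any(len(rr) > 4 and rr[3] == "A" for rr in answers):
        return "RESOLVED"
    if status == "NXDOMAIN":
        soa_owners = [rr[0] for rr in authority if len(rr) > 3 and rr[3] == "SOA"]
        if any(owner.endswith(RPZ_SUFFIX) for owner in soa_owners):
            return "BLOCKED_BY_RPZ"
        return "NXDOMAIN_UPSTREAM"
    return "OTHER"


def run_dig(domain, server=RESOLVER):
    """Run the lab command (dig @<server> <domain>) and return its text output."""
    proc = subprocess.run(["dig", f"@{server}", domain],
                          capture_output=True, text=True, timeout=10)
    return proc.stdout


# Constructed dig outputs (not captured from the lab) covering the three cases.
SAMPLE_UPSTREAM_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711

;; QUESTION SECTION:
;eicar.stream.\t\t\tIN\tA

;; AUTHORITY SECTION:
stream.\t\t900\tIN\tSOA\tns1.public-tld.example. hostmaster.public-tld.example. 1 3600 600 86400 900
"""

SAMPLE_RPZ_BLOCK = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4712

;; QUESTION SECTION:
;eicar.stream.\t\t\tIN\tA

;; AUTHORITY SECTION:
base.rpz.infoblox.local. 300\tIN\tSOA\tibns1.techblue.net. hostmaster.techblue.net. 1 3600 600 86400 300
"""

SAMPLE_RESOLVED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713

;; QUESTION SECTION:
;eicar.stream.\t\t\tIN\tA

;; ANSWER SECTION:
eicar.stream.\t\t300\tIN\tA\t203.0.113.10
"""

if __name__ == "__main__":
    if shutil.which("dig"):                        # on testing-linux: live check
        for d in TEST_DOMAINS:
            print(f"{d:14s} {classify(run_dig(d))}")
    else:                                          # elsewhere: classify the samples
        for name, text in (("upstream", SAMPLE_UPSTREAM_NXDOMAIN),
                           ("rpz", SAMPLE_RPZ_BLOCK), ("resolved", SAMPLE_RESOLVED)):
            print(f"{name:14s} {classify(text)}")
```

Run it on testing-linux after each Policy Override change: with the feed in Passthru you should see RESOLVED or NXDOMAIN_UPSTREAM, and after switching to None (Given) you should see BLOCKED_BY_RPZ for the EICAR domains.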

Task 6: Test RPZ Feed action by disabling and re-enabling them

  • Disable the infoblox-base.rpz.infoblox.local feed and repeat the DNS query for the A record of the previously tested domains.

  • Once you have verified that the domains are accessible, re-enable the infoblox-base.rpz.infoblox.local feed and re-order the RPZ list to the ordering given in Task 4.


Solutions

Task 1 Solution: Log into NIOS and Verify Licenses

  • Log into the NIOS Grid and navigate to Grid → Licenses. Click the Show Filter button and filter on the RPZ feature.

  • Verify that RPZ licenses are present for the grid members ibns1.techblue.net and ibns2.techblue.net.

  • If any are missing, add them from Shared Drive/licenses:

    • Click the + icon, then the Select file button.

    • Under Shared Drive/Licenses, select RPZ.lic and click Save License.

Task 2 Solution: Log into the Infoblox portal and copy the RPZ feed names and credentials

You can access the Learning Portal using the web browser from within your lab environment; this lets you copy and paste the Infoblox portal credentials easily.

  • In this task, you obtain your credentials for the Infoblox portal from the Learning Portal. You log into the Infoblox Cloud Services Portal and obtain information about the feeds, the IP addresses of the servers providing the feeds, and your feed authentication credentials (TSIG credentials).

  • Copy the RPZ names and your TSIG credentials into a text file for use later. Use Geany (text editor) to save the feed information.

  • Use the Infoblox portal account details provided on the Learning Portal to log into the Infoblox portal.

    1. Open a new tab in the web browser. Navigate to https://portal.infoblox.com

      1. Enter your username and password from the Learning Portal.

      2. Navigate to Configure → Security → On-prem DNS Firewall.

      3. Click the On-prem DNS Firewall Configuration link.

    2. Copy the RPZ names to a text editor. This step is for convenience; you can simply copy and paste the values when you create the new RPZs if you prefer.

      1. Open a text editor on the Jump-Desktop. Click the Infoblox logo on the bottom left of the Desktop. Click the Geany icon.

      2. Click the Step 2 Feeds Configuration Values link.

      3. Click the Copy button to copy the RPZ name for the Base feed.

      4. Paste the name of the Base RPZ into the editor.

      5. Repeat the process for the Base-IP and High-Risk RPZs.

      6. Close the Threat Feed Details page.

      7. Click the Step 3 Distribution Server Configuration Values link.

      8. Copy the values for Name, Distribution Server, Key Name, TSIG Key, and Key Algorithm to your text editor.
         Make sure you use the Copy button rather than highlight, select and paste; you might not get the whole key otherwise.

These specific RPZs have been chosen to ensure they don’t exceed the capacity of the NIOS appliances in your lab environment.

Task 3 Solution: Log into NIOS grid and create RPZ DNSFW NSG name server group

  • In this task, you create a name server group called RPZ DNSFW NSG. This name server group is used by the Infoblox RPZ feeds.

    1. Navigate to Data Management → DNS → Name Server Groups

      1. Click the drop-down arrow next to the plus (+) symbol to add a new Authoritative Name Server Group.

      2. Type RPZ DNSFW NSG in the Name field. Click the drop-down arrow next to the plus (+) symbol and select External Primary.

      3. Add the details for the External Primary Name Server.

        1. In this example, the US West Distribution Server is used.

        2. Use Name you saved earlier for the server name.

        3. The IP Address is 54.69.93.185.

        4. Click the Use TSIG button.

        5. Copy your Key Name and Key Data from the Infoblox portal, or from the file you saved them to.

        6. Click the Add button.

      4. Click the drop-down arrow next to the plus (+) symbol and select Grid Secondary.

      5. Click Select, Select ibns1.techblue.net from the Member Selector.

      6. Check the Lead Secondary box. Click Add.

      7. Click the drop-down arrow next to the plus (+) symbol. Click Grid Secondary.

      8. Click Select, Select ibns2.techblue.net from the Member Selector.

      9. Click Add then Save & Close.

Task 4 Solution: Configure RPZ Feeds into the NIOS GRID

  • In this task, you create the RPZ configuration for the feeds. Initially, each RPZ is configured in Passthru Policy Override mode. Once they have been successfully tested, and you confirm that they don’t cause issues with legitimate traffic, they are put into None (Given) Policy Override Mode.

    1. Navigate to Data Management → DNS → Response Policy Zones.

    2. Select the Add Response Policy Zone Feed option. Click Next.

    3. Copy the name from your text file, or type base.rpz.infoblox.local into the Name field. Select Passthru as the Policy Override value. Add a description for the zone. Click Next.

    4. Choose Use this Name Server Group. Select RPZ DNSFW NSG and click Save & Close.

    5. Do NOT restart services yet.

    6. Repeat steps 2, 3 and 4 to add the Base-IP and High-Risk RPZ feeds. Use Passthru as the Policy Override value for all feeds.
    7. Re-order the RPZs if required so that they are ordered as follows:

      1. allowlist.rpz

      2. walledgarden.rpz

      3. denylist.rpz

      4. infoblox-base.rpz.infoblox.local

      5. infoblox-base-ip.rpz.infoblox.local

      6. infoblox-high-risk.rpz.infoblox.local

    8. Restart DNS services now.

    9. Navigate to Data Management → DNS → Response Policy Zones. The Last Updated field for the BloxOne Threat Defense feeds shows the date and time of the last update.


It may take some time for the downloads to complete.

Task 5 Solution: Verify RPZ Feed action using dig and syslog

  • Switch over to the testing-linux machine (credentials training/infoblox) and set it up for testing.

    • Open a terminal window, issue the command sudo set-network-static-nios and verify with ifconfig that the machine now has the IP address 172.31.101.250.

    • If you see the error message "Failed to reload network settings: No such file or directory", re-enter sudo set-network-static-nios.
  • Use dig and syslog entries to validate the local RPZ configurations.

    1. When using dig, specify the server 10.100.0.105 with the @ symbol, i.e.: dig @10.100.0.105 <domain>

    2. Open a terminal window on the Testing-Linux machine. Use dig to perform a DNS query for eicar.stream, eicar.co or eicar.host.

      The NXDOMAIN in this response comes from the public authoritative servers, not from our DNS server: the SOA record in the AUTHORITY section belongs to a public zone rather than to one of our RPZs, so we know our server did not block the query. The syslog entries confirm this.

    3. Navigate to Administration → Logs → Syslog → Active. Select Member ibns1.techblue.net from the drop-down list.

    4. Choose RPZ Incidents from the Quick Filter drop-down list. Type the domain you queried (for example eicar.stream) in the search box.

    5. Check syslog. In this example, the DNS query for thejoe.publixvm.com is listed in the Messages section, in CEF format. The query has matched a PASSTHRU rule in base.rpz.infoblox.local: the hit was logged, but the client still received the normal answer.
  • Verify that the base.rpz.infoblox.local RPZ blocks domain names that should be blocked by changing its Policy Override value to None (Given).

    1. Navigate to Data Management → DNS → Response Policy Zones.

    2. Select the base.rpz.infoblox.local feed and click the hamburger icon. Select Edit.

    3. Change the Policy Override value to None(Given). Click Save & Close. We use None (Given) as the policy actions are already set in the rules inside the RPZ.

    4. Restart services when prompted.

    5. Repeat the dig command from step 2. Open a terminal window on Testing-Linux and use dig to query eicar.stream, eicar.co or eicar.host. This time the query is blocked by the feed.

      This time the NXDOMAIN is generated by our DNS server (the SOA in the AUTHORITY section is that of the RPZ), so the feed is blocking the query; the logs confirm it.

    6. View the record in syslog. This time the DNS response is NXDOMAIN – No Such Domain.

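The syslog check in steps 3 to 6 can be automated once the RPZ incident lines are exported (for example copied from the Syslog viewer or pulled via remote syslog). The following Python 3 script is an added example for this lab, not Infoblox code. It parses the CEF header (CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extension) and the BIND-style "rpz QNAME <action> rewrite <qname> via <rule>" message that NIOS carries in the msg field, recovers the RPZ zone from the rule name, and reports per-RPZ counts by action plus the indicators that were only ever seen with PASSTHRU, i.e. matches that were logged but still answered and that would be blocked once the override is set to None (Given). The sample lines are constructed for illustration; their exact field set and values are not copied from an appliance.

```python
"""Parse NIOS RPZ incident lines from syslog (CEF) and summarize the matches.

Added example for this lab, not Infoblox code; standard library only. The
sample lines are constructed: they follow the CEF header layout
CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extension and carry the
BIND-style "rpz ... rewrite <qname> via <rule>" message the lab inspects, but
the exact field set and values are not copied from a real appliance.
"""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
Aug 12 12:05:58 ibns1 named[2345]: CEF:0|Infoblox|NIOS|9.0|RPZ-QNAME|PASSTHRU|7|app=DNS dst=10.100.0.105 src=172.31.101.250 spt=53121 view=_default qtype=A msg="rpz QNAME PASSTHRU rewrite eicar.stream via eicar.stream.base.rpz.infoblox.local" CAT=RPZ-QNAME
Aug 12 12:06:02 ibns1 named[2345]: CEF:0|Infoblox|NIOS|9.0|RPZ-QNAME|PASSTHRU|7|app=DNS dst=10.100.0.105 src=172.31.101.250 spt=53122 view=_default qtype=A msg="rpz QNAME PASSTHRU rewrite eicar.co via eicar.co.base.rpz.infoblox.local" CAT=RPZ-QNAME
Aug 12 12:10:41 ibns1 named[2345]: CEF:0|Infoblox|NIOS|9.0|RPZ-QNAME|NXDOMAIN|7|app=DNS dst=10.100.0.105 src=172.31.101.250 spt=53130 view=_default qtype=A msg="rpz QNAME NXDOMAIN rewrite eicar.stream via eicar.stream.base.rpz.infoblox.local" CAT=RPZ-QNAME
Aug 12 12:10:45 ibns1 named[2345]: client @0x7f3a 172.31.101.250#53131 (www.example.com): query: www.example.com IN A + (10.100.0.105)
"""

# Seven CEF header fields, the last one being the key=value extension.
CEF_RE = re.compile(r"CEF:0\|" + r"([^|]*)\|" * 6 + r"(.*)$")
# key=value pairs; values may be double-quoted (the msg field contains spaces).
EXT_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# BIND RPZ log text: rpz <trigger> <action> rewrite <qname> via <rule name>
MSG_RE = re.compile(r"rpz (\S+) (\S+) rewrite (\S+) via (\S+)")


def parse_incident(line):
    """Return a dict for an RPZ incident line, or None for any other line."""
    m = CEF_RE.search(line)
    if not m:
        return None
    vendor, product, version, sig_id, name, severity, ext = m.groups()
    fields = {}
    for key, raw, quoted in EXT_RE.findall(ext):
        fields[key] = quoted if raw.startswith('"') else raw
    msg = MSG_RE.search(fields.get("msg", ""))
    if not msg:
        return None
    trigger, action, qname, rule = msg.groups()
    # The rule name is <qname>.<rpz zone>; strip the qname to get the zone.
    rpz = rule[len(qname) + 1:] if rule.startswith(qname + ".") else rule
    return {"signature": sig_id, "severity": int(severity), "trigger": trigger,
            "action": action, "qname": qname, "rpz": rpz,
            "src": fields.get("src"), "qtype": fields.get("qtype")}


def summarize(text):
    """Count hits per (rpz, action) and list indicators only ever passed through.

    An indicator that appears only with PASSTHRU was logged but still answered:
    it is what the feed would block once its override is set to None (Given).
    """
    incidents = [i for i in map(parse_incident, text.splitlines()) if i]
    by_rpz_action = Counter((i["rpz"], i["action"]) for i in incidents)
    blocked = {i["qname"] for i in incidents if i["action"] != "PASSTHRU"}
    passthru_only = {i["qname"] for i in incidents
                     if i["action"] == "PASSTHRU"} - blocked
    return {"incidents": incidents, "by_rpz_action": by_rpz_action,
            "passthru_only": passthru_only}


if __name__ == "__main__":
    result = summarize(SAMPLE_SYSLOG)
    for (rpz, action), n in sorted(result["by_rpz_action"].items()):
        print(f"{rpz:30s} {action:10s} {n}")
    print("still reaching clients (PASSTHRU only):", sorted(result["passthru_only"]))
```

Feeding a day of PASSTHRU-mode incidents through summarize() is the practical way to do the "confirm they don't cause issues with legitimate traffic" step from Task 4: anything in passthru_only that is a legitimate business domain belongs in allowlist.rpz before the override is changed to None (Given).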

Task 6 Solution: Test RPZ Feed action by disabling and re-enabling them

  • In this task, you disable the base.rpz.infoblox.local feed and repeat the DNS query for the A record of the previously tested domains.

    1. Navigate to Data Management → DNS → Response Policy Zones.

      1. Check the box next to infoblox-base.rpz.infoblox.local. Click the hamburger icon or the edit button to edit the zone.

      2. Click the General tab.

      3. Check the Disable box

      4. Click Save & Close

      5. Restart the services when prompted

    2. Open a terminal Window on the Testing-Linux machine

      1. Run dig @10.100.0.105 for eicar.stream, eicar.co or eicar.host. In the results, you can see the A record returned by the DNS server. The domain has not been blocked: without the Base RPZ feed, users are able to obtain the IP address of malicious sites.
    3. Enable base.rpz.infoblox.local RPZ.

      1. Navigate to Data Management → DNS → Response Policy Zones.

      2. Check the box next to base.rpz.infoblox.local. Click the hamburger icon or the edit button to edit the zone.

      3. Make sure the Disable box is unchecked. Click Save & Close. Restart Services when prompted.


    4. Re-order the RPZ so that base.rpz.infoblox.local is below denylist.rpz. Restart Services when prompted.

    5. Repeat the dig command once more on Testing-Linux. Use dig to query eicar.stream, eicar.co or eicar.host. This time the query is blocked by the base.rpz.infoblox.local feed.