
NIOS Threat Defense RPZ Feeds (2543)

This lab requires a NIOS 9.0 Lab Environment

This lab guide has been developed using the new NIOS 9.0 Lab Environment. Please ensure that you deploy a NIOS 9.0 lab environment to complete these lab tasks. If you use a different lab environment, this is untested, and the lab likely will not work.


Scenario

As part of a security initiative, your organization has purchased subscriptions to Infoblox Threat Defense. You are tasked with adding and testing Threat Defense feeds to your current RPZ configuration in a simulated lab environment before deploying them in production.

Estimate Completion Time

  • 30 to 45 minutes

Credentials

  Description       Username   Password   URL or IP
  Grid Manager UI   admin      infoblox   https://10.100.0.100/

Requirements

  • Administrative access to the Grid

  • Administrative access to the Infoblox Portal

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.



Tasks

  1. Obtain Threat Defense RPZ feed names and feed server details from the Infoblox Portal (IP)

  2. Create a new name server group named RPZ DNSFW NSG to use feed servers from Threat Defense

  3. Add Threat Defense RPZ feeds into the NIOS Grid

  4. Reorder all the RPZs to follow Infoblox guidelines

  5. Verify that the newly added Threat Defense RPZ feeds are detecting malicious domains to be blocked

  6. Change the Override Policy for infoblox-base.rpz.infoblox.local to None (Given)

  7. Test if the Threat Defense RPZ feeds are blocking malicious domains

Task 1: Obtain Threat Defense RPZ feed names and feed server details from the Infoblox Portal (IP)

Use Geany (text editor) to save RPZ names, server IP, and TSIG credentials for later use.

These specific RPZs have been chosen to ensure they don’t exceed the capacity of the NIOS appliances in your lab environment.

  • Use your Education Infoblox Portal Credentials to log into the Infoblox Portal. Obtain feed names for Infoblox-Base and Infoblox-Base-IP, IP addresses of the authoritative Threat Defense feed servers, and the feed authentication credentials (TSIG Credentials).

Task 2: Create a new name server group to use the authoritative feed servers from Threat Defense

  • Create a name server group called RPZ DNSFW NSG to use the authoritative feed servers from Threat Defense. Use the server information you obtained from the Infoblox Portal to add an external primary server, with ibns1.techblue.net as a lead secondary and ibns2.techblue.net as a secondary.

Task 3: Add Threat Defense RPZ feeds into the NIOS Grid

  • Configure an RPZ for each feed separately. Set the Policy Override mode to Passthru. Once the feeds have been tested successfully and we have confirmed that they do not interfere with legitimate traffic, we will switch them over to None (Given) in a later task.

Task 4: Reorder all the RPZs to follow Infoblox guidelines

  • RPZs should be ordered based on a combination of Confidence and Threat Levels; the higher the Confidence and Threat Levels, the higher in the order the RPZ should be.

  • In this example, we have three local RPZs (allowlist.rpz, walledgarden.rpz, and denylist.rpz). Because they are local RPZs, their entries are created manually and we are very confident in their contents. This is why they sit at the top of the list, in the order our organization sees fit, followed by the RPZ feeds we download from Threat Defense.

  • To order Threat Defense Feed RPZs amongst each other, we can use Infoblox’s documentation to get each feed’s Confidence and Threat levels to order them correctly.

  • Re-order the RPZs if required so that they are ordered as follows:

    1. allowlist.rpz

    2. walledgarden.rpz

    3. denylist.rpz

    4. infoblox-base.rpz.infoblox.local

    5. infoblox-base-ip.rpz.infoblox.local

Task 5: Verify that the newly added Threat Defense RPZ feeds are detecting malicious domains to be blocked

  • Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    • Open a terminal window, issue the command sudo set-network-static-nios, and verify that the machine now has the IP address 172.31.101.250 using the command ifconfig.

  • Use dig and syslog entries to verify that the infoblox-base.rpz.infoblox.local RPZ is detecting domain names that should be blocked.

    • Use one or more of the following domains:

      • apt.eicar.network

      • base.eicar.network

      • compromiseddomain.eicar.network

      • compromisedhost.eicar.network

      • exploitkit.eicar.network

      • maliciousnameserver.eicar.network

      • sinkhole.eicar.network

Task 6: Change the Override Policy for infoblox-base.rpz.infoblox.local to None (Given)

  • Switch over to jump-desktop and change the Override Policy for infoblox-base.rpz.infoblox.local and infoblox-base-ip.rpz.infoblox.local from Passthru to None (Given).

Task 7: Test if the Threat Defense RPZ feeds are blocking malicious domains

  • Switch over to the testing-linux machine, use dig and syslog entries to verify that the infoblox-base.rpz.infoblox.local RPZ is blocking malicious domains.

    • Use one or more of the following domains:

      • apt.eicar.network

      • base.eicar.network

      • compromiseddomain.eicar.network

      • compromisedhost.eicar.network

      • exploitkit.eicar.network

      • maliciousnameserver.eicar.network

      • sinkhole.eicar.network


Solutions

Task 1 Solution: Log into the Infoblox portal and copy the RPZ feed names and credentials

In this task, our goal is to obtain the names of the RPZ feeds we will use in our environment. In this lab, we will use infoblox-base and infoblox-base-ip. We also need to get the name server details of the authoritative servers for these RPZ feeds. We will use the Infoblox Portal to obtain this information.

Use Geany (a text editor) to save RPZ names, server IPs, and TSIG credentials for later use.

These specific RPZs have been chosen to ensure they don’t exceed the capacity of the NIOS appliances in your lab environment.

  1. On the jump-desktop machine, open a browser window.

  2. Use your Education Infoblox Portal Credentials to log into the Infoblox Portal.

  3. Enter your username and password from the Learning Portal.

  4. Navigate to Configure → Security → On-prem DNS Firewall.

  5. Click the Infoblox logo on the bottom left of the Desktop in jump-desktop.

  6. Click the Geany icon.

  7. Click the Step 2 Feeds Configuration Values link.

  8. Click the Copy button to copy the RPZ name for the infoblox-base feed.

  9. Paste the name of the infoblox-base RPZ into the editor.

  10. Repeat the process for the infoblox-base-ip RPZ.

  11. Close the Threat Feed Details page.

  12. Click the Step 3 Distribution Server Configuration Values link.

  13. Copy the values for Distribution Server, Key Name, TSIG Key, and Key Algorithm to your text editor.

  14. Make sure you use the copy button rather than highlight, select, and paste. You might not get the whole key if you don’t use the copy button.

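Step 14 warns that a hand-selected copy can drop part of the TSIG key. The following check, an added example and not part of the lab or of NIOS, verifies a pasted key before it goes into the name server group: it must be intact base64 and should decode to roughly the key size tsig-keygen produces for the stated algorithm (those sizes are an assumption used only to flag a likely truncation; the HMAC algorithms allow other lengths).

```python
import base64
import binascii

# Typical raw key sizes produced by tsig-keygen for each HMAC algorithm. This is
# an assumption used only for a warning; TSIG itself allows other key lengths.
TYPICAL_KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha256": 32,
                     "hmac-sha384": 48, "hmac-sha512": 64}


def check_tsig_key(key_b64, algorithm):
    """Return (ok, detail) for a TSIG key copied from the Infoblox Portal.

    A key truncated by a partial copy usually either fails base64 decoding
    (wrong length or padding) or decodes to fewer bytes than the algorithm's
    usual key size, so both conditions are checked before the key is used."""
    key_b64 = "".join(key_b64.split())          # tolerate keys wrapped across lines
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64 ({exc}); re-copy it with the Copy button"
    expected = TYPICAL_KEY_BYTES.get(algorithm.lower())
    if expected is None:
        return False, f"unknown TSIG algorithm {algorithm!r}"
    if len(raw) < expected:
        return False, (f"decoded only {len(raw)} bytes, expected about {expected} "
                       f"for {algorithm}; the key is probably truncated")
    return True, f"{len(raw)}-byte key, base64 intact"


if __name__ == "__main__":
    # Constructed placeholder key (32 zero bytes), not a real Threat Defense key.
    print(check_tsig_key("A" * 43 + "=", "hmac-sha256"))
    print(check_tsig_key("A" * 41, "hmac-sha256"))   # one character short
```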

Task 2 Solution: Create a new name server group to use the authoritative feed servers from Threat Defense

In this task, we create a name server group called RPZ DNSFW NSG. In a later step, Threat Defense RPZ feeds will use this name server group.

  1. On the jump-desktop machine, open a browser window and access https://10.100.0.100

  2. Navigate to Data Management → DNS → Name Server Groups

  3. Click the drop-down arrow next to the plus (+) symbol to add a new Authoritative Name Server Group.

  4. Type RPZ DNSFW NSG in the Name field.

  5. Click the drop-down arrow next to the plus (+) symbol and select External Primary.

  6. Enter a name for the Infoblox Portal Server.

  7. Enter the IPv4 address of the server you saved earlier for the Infoblox Portal.

  8. Click the Use TSIG button.

  9. Copy your Key Name and Key Data from the Infoblox portal.

  10. Click the Add button.

  11. Click the drop-down arrow next to the plus (+) symbol and select Grid Secondary.

  12. Click Select, then select ibns1.techblue.net from the Member Selector.

  13. Check the Lead Secondary box.

  14. Click Add.

  15. Click the drop-down arrow next to the plus (+) symbol. Click Grid Secondary.

  16. Click Select, then select ibns2.techblue.net from the Member Selector.

  17. Click Add, then Save & Close.

Task 3 Solution: Add Threat Defense RPZ feeds into the NIOS Grid

In this task, we add an RPZ for each of the feeds we copied and set the Policy Override mode to Passthru. This lets us observe how the feeds affect our current DNS behaviour and whether they match any traffic we do not want blocked; in a later step we change the Policy Override mode so that the feeds block traffic.

  1. Navigate to Data Management → DNS → Response Policy Zones.

  2. Click the check button for Add Response Policy Zone Feed.

  3. Click Next.

  4. Copy the name from your text file, or type, infoblox-base.rpz.infoblox.local into the name field.

  5. Select Passthru as the Policy Override value.

  6. Add a description for the zone.

  7. Click Next.

  8. Choose to Use this Name Server Group.

  9. Select RPZ DNSFW NSG

  10. Click Save & Close.

  11. Repeat Steps 4 to 10 to add the infoblox-base-ip RPZ Feeds.

  12. Use Passthru as the Policy Override value for all feeds.

  13. Restart Services when prompted.

Task 4 Solution: Reorder all the RPZs to follow Infoblox guidelines

RPZs (Response Policy Zones) should be prioritized based on a combination of Confidence and Threat Levels; the higher the Confidence and Threat Levels, the higher the priority of the RPZ. In this example, we have three local RPZs: allowlist.rpz, walledgarden.rpz, and denylist.rpz. These are classified as local RPZs because their entries are manually created, and we have a high level of confidence in their effectiveness. Therefore, they are positioned at the top of our organization's priority list, followed by RPZ feeds downloaded from Threat Defense. To prioritize Threat Defense Feed RPZs against one another, we can refer to Infoblox’s documentation to obtain the Confidence and Threat Levels for each feed, allowing us to order them correctly.

In this task, we will reorder the RPZs following Infoblox guidelines while waiting for the feeds to be downloaded from Threat Defense to our NIOS Grid.

  1. Navigate to Data Management → DNS → Response Policy Zones.

  2. Click Order Response Policy Zones on the toolbar.

  3. Re-order the RPZs if required so that they are ordered as follows:

    1. allowlist.rpz

    2. walledgarden.rpz

    3. denylist.rpz

    4. infoblox-base.rpz.infoblox.local

    5. infoblox-base-ip.rpz.infoblox.local

  4. Click OK.

  5. Restart services when prompted.

  6. Use the refresh icon to update the Last Updated field, which shows the date and time of the last feed update.

Task 5 Solution: Verify that the newly added Threat Defense RPZ feeds are detecting malicious domains to be blocked

The feeds may take some time to download into the Grid. Before proceeding with this task, make sure the Last Updated column is populated for the feeds. This process can take approximately 15–20 minutes.

In this task, we will use dig and syslog entries to validate that infoblox-base.rpz.infoblox.local is catching malicious DNS domains. They won't be blocked yet, but we should be able to see logs verifying that the feed matches the traffic.

  1. Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    • Open a terminal window, issue the command sudo set-network-static-nios, and verify that the machine now has the IP address 172.31.101.250 using the command ifconfig.

  2. Use the command dig @10.100.0.105 <DOMAIN NAME> against one or more of the following domains: apt.eicar.network, base.eicar.network, compromiseddomain.eicar.network, compromisedhost.eicar.network, exploitkit.eicar.network, maliciousnameserver.eicar.network, and sinkhole.eicar.network.

    1. The NXDOMAIN response here comes from the public DNS resolvers, not from our DNS server: the SOA record in the authority section belongs to a public DNS server rather than one of ours, so we know our servers did not block the query. The dig output alone is therefore not conclusive, and we need to verify the match further.

  3. Switch back to jump-desktop.

  4. Navigate to Administration → Logs → Syslog.

  5. Select Member ibns1.techblue.net from the drop-down list.

  6. Choose RPZ Incidents from the Quick Filter drop-down list.

  7. Click the Toggle Multi line view link.

  8. Type eicar.network in the search box.

    • In this example, the DNS Query for base.eicar.network is listed in the messages section in CEF format. The query matches a PASSTHRU rule in base.rpz.infoblox.local.


Task 6 Solution: Change the Override Policy for infoblox-base.rpz.infoblox.local to None (Given)

In this task, we will set the Policy Override mode to None (Given) so that the downloaded RPZ can enforce its default action on matching traffic. For the feeds we’ve selected and the test domains in use, this default action is to block traffic.

  1. Navigate to Data Management → DNS → Response Policy Zones.

  2. Select the infoblox-base.rpz.infoblox.local feed and click the hamburger icon.

  3. Select Edit.

  4. Change the Policy Override value to None (Given).

  5. Click Save & Close.

  6. Restart services when prompted.

Task 7 Solution: Test if the Threat Defense RPZ feeds are blocking malicious domains

  1. We will use the same dig command dig @10.100.0.105 <DOMAIN NAME> against one or more of the following domains: apt.eicar.network, base.eicar.network, compromiseddomain.eicar.network, compromisedhost.eicar.network, exploitkit.eicar.network, maliciousnameserver.eicar.network, and sinkhole.eicar.network.

  2. We receive an NXDOMAIN response for each query we send, this time with an empty A record, indicating that our RPZ feed is blocking malicious traffic.

  3. Switch back to jump-desktop.

  4. Navigate to Administration → Logs → Syslog.

  5. Select Member ibns1.techblue.net from the drop-down list.

  6. Choose RPZ Incidents from the Quick Filter drop-down list.

  7. Click the Toggle Multi line view link.

  8. Type eicar.network in the search box.

    • In this example, the DNS Query for eicar.stream is listed in the messages section in CEF format. The query matches an NXDOMAIN rule in base.rpz.infoblox.local.

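Tasks 5 and 7 both end with reading the RPZ Incidents syslog entries by hand. The script below, an added example that is not part of the lab or of NIOS, does the same check programmatically: it parses CEF-format RPZ incident lines, recovers the queried name, the action and the RPZ zone from each, and reports which test domains did not receive the action expected for the current phase (PASSTHRU while the feed is in Passthru, NXDOMAIN after Task 6). The sample log lines are constructed to follow the CEF header layout; their field names and values are assumptions, not output captured from a Grid.

```python
import re
from collections import defaultdict

# Constructed syslog lines modelled on CEF-format RPZ incidents; the field
# values are assumptions for this example, not captured from a NIOS Grid.
SAMPLE_SYSLOG = """\
Sep 10 14:00:19 ibns1 named[1234]: CEF:0|Infoblox|NIOS|9.0|RPZ-QNAME|PASSTHRU|4|app=DNS dst=10.100.0.105 src=172.31.101.250 spt=45120 view=_default qtype=A msg=rpz QNAME PASSTHRU rewrite base.eicar.network via base.eicar.network.infoblox-base.rpz.infoblox.local
Sep 10 14:07:25 ibns1 named[1234]: CEF:0|Infoblox|NIOS|9.0|RPZ-QNAME|NXDOMAIN|7|app=DNS dst=10.100.0.105 src=172.31.101.250 spt=45121 view=_default qtype=A msg=rpz QNAME NXDOMAIN rewrite exploitkit.eicar.network via exploitkit.eicar.network.infoblox-base.rpz.infoblox.local
Sep 10 14:07:31 ibns1 named[1234]: client 172.31.101.250#45122: query: www.example.com IN A + (10.100.0.105)
"""

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_RE = re.compile(r"CEF:0\|[^|]*\|[^|]*\|[^|]*\|(?P<sig>[^|]*)\|(?P<name>[^|]*)\|"
                    r"(?P<sev>[^|]*)\|(?P<ext>.*)$")
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")   # key=value pairs; msg may contain spaces
REWRITE_RE = re.compile(r"rewrite (?P<qname>\S+) via (?P<rule>\S+)")


def parse_rpz_incidents(text):
    """Return one dict per RPZ incident: qname, action, rpz zone, client, severity."""
    incidents = []
    for line in text.splitlines():
        m = CEF_RE.search(line)
        if not m or not m.group("sig").startswith("RPZ-"):
            continue                              # plain query log line, not an incident
        ext = dict(EXT_RE.findall(m.group("ext")))
        rw = REWRITE_RE.search(ext.get("msg", ""))
        if not rw:
            continue
        qname, rule = rw.group("qname"), rw.group("rule")
        # The matched rule is <qname>.<rpz zone>; strip the qname to recover the zone.
        zone = rule[len(qname) + 1:] if rule.startswith(qname + ".") else rule
        incidents.append({"qname": qname, "action": m.group("name"), "zone": zone,
                          "client": ext.get("src"), "severity": int(m.group("sev"))})
    return incidents


def check_expected_action(incidents, expected, zone="infoblox-base.rpz.infoblox.local"):
    """Map each queried name to the actions logged for ZONE and list the names that
    never received EXPECTED (PASSTHRU during Task 5, NXDOMAIN after Task 6)."""
    seen = defaultdict(set)
    for inc in incidents:
        if inc["zone"] == zone:
            seen[inc["qname"]].add(inc["action"])
    mismatches = sorted(q for q, actions in seen.items() if expected not in actions)
    return dict(seen), mismatches


if __name__ == "__main__":
    found = parse_rpz_incidents(SAMPLE_SYSLOG)
    for inc in found:
        print(f"{inc['qname']:35} {inc['action']:9} via {inc['zone']} from {inc['client']}")
    print("still not blocked:", check_expected_action(found, "NXDOMAIN")[1])
```

On a real Grid, feed the script the lines exported from Administration → Logs → Syslog after applying the RPZ Incidents quick filter instead of SAMPLE_SYSLOG.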
