2543 - NIOS Threat Defense RPZ Feeds


Scenario

As part of a security initiative, the company has purchased subscriptions to Infoblox BloxOne Threat Defense.

You are tasked with adding specific Infoblox BloxOne Threat Defense feeds to your RPZ configuration. You will check the creation of the new RPZs. Once the zones are downloaded you will test them.

In order to download the RPZ feeds, you need to log in to the Infoblox Cloud Services Portal (CSP) https://csp.infoblox.com. Your credential for accessing CSP is on the Learning Portal.

Course References

  • 2032: Configuring Threat Defense RPZ feeds in NIOS

Estimate Completion Time

  • 45 to 55 minutes

Credentials

  Description        Username   Password   URL or IP
  Grid Manager UI    admin      infoblox   https://10.100.0.100/

Requirements

  • Administrative access to the Grid

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.


Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Tasks

  • Task 1: Log into CSP and copy the RPZ feed names and credentials

  • Task 2: Log into the NIOS grid and create RPZ DNSFW NSG name server group

  • Task 3: Configure RPZ Feeds into the NIOS GRID

  • Task 4: Export RPZ feed data

  • Task 5: Verify RPZ Feed action using dig and syslog

  • Task 6: Test RPZ Feed action by disabling and re-enabling them


Task 1: Log into CSP and copy the RPZ feed names and credentials

  • Obtain your credentials for CSP from the Learning Portal and log in to the CSP Service Portal. Obtain information about the following feeds, the IP addresses of the servers providing them, and your feed authentication credentials (TSIG credentials):

    • Base

    • Anti-Malware

    • Anti-Ransomware

    • Bogon

  • Copy the RPZ names, your server IP and your TSIG credentials into a text file for later use. Use Geany (text editor) to save the feed information.

  • Use the CSP account details provided on the Learning portal to log into CSP.

Task 2: Log into the NIOS grid and create RPZ DNSFW NSG name server group

  • Create a name server group called RPZ DNSFW NSG. This name server group is used by the Infoblox RPZ feeds

  • Use the server information you obtained from CSP and add an external primary server

    • ibns1.techblue.net is a lead secondary

    • ibns2.techblue.net is a secondary

  • You must choose DNS Zone Transfers for the Update Zones Using method

You get an error if you try to add a name server group that uses Grid Replication as the Update Zones Using method to an RPZ.

Task 3: Configure RPZ Feeds into the NIOS GRID

  • Configure an RPZ for each feed separately. Initially, each RPZ is configured in Passthru Policy Override mode. Once they have been successfully tested, and you confirm that they don’t cause issues with legitimate traffic, they are put into None (Given) Policy Override Mode.

  • Re-order the RPZs if required so that they are ordered as follows:

    1. allowlist.rpz

    2. walledgarden.rpz

    3. denylist.rpz

    4. base.rpz.infoblox.local

    5. antimalware.rpz.infoblox.local

    6. ransomware.rpz.infoblox.local

    7. bogon.rpz.infoblox.local

Task 4: Export RPZ feed data

  • Export the data from the base feed. To check an RPZ feed, you need to know a domain/IP address that will trigger a Block Domain (No Such Domain) rule.

  • Copy some of the trigger domains into a text file for use later. Use Geany (text editor) to save the feed information.

Task 5: Verify RPZ Feed action using dig and syslog

If you see the error message "Failed to reload network settings: No such file or directory", please re-enter "sudo set-network-static-nios".

  • Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    • Open a terminal window and issue the command sudo set-network-static-nios and verify that the machine now has the IP address 172.31.101.250 using the command ifconfig.

  • Use dig and syslog entries to validate the local RPZ configurations.

    • When using dig please specify the server 10.100.0.105 in the command using the @ symbol, i.e.: dig @10.100.0.105 <domain>

    • Use the indicator from the Learning Portal or one of the trigger domains you saved earlier for this exercise.

  • You verify that the base.rpz.infoblox.local RPZ is detecting domain names that should be blocked.

  • You then change the Override Policy for base.rpz.infoblox.local from Passthru to Block (No Such Domain) and test again using dig and syslog.

Task 6: Test RPZ Feed action by disabling and re-enabling them

  • Disable the base.rpz.infoblox.local feed and repeat the DNS Query for the A record for the previously tested domains.

  • Once you have verified that the domains are accessible, re-enable the base.rpz.infoblox.local feed and re-order the RPZ list to its previous ordering from Task 3.


Solutions

Task 1 Solution: Log into CSP and copy the RPZ feed names and credentials

You can access the Learning Portal using the web browser from within your lab environment; this lets you copy and paste the CSP credentials easily.

  • In this task, you obtain your credentials for CSP from the Learning Portal. You log into the CSP Service Portal. You obtain information about the feeds, the IP addresses of the servers providing the feeds, and your feed authentication credentials (TSIG Credentials).

  • Copy the RPZ names and your TSIG credentials into a text file for use later. Use Geany (text editor) to save the feed information.

  • Use the CSP account details provided on the Learning portal to log into CSP.

    1. Open a new tab in the web browser. Navigate to https://csp.infoblox.com

      1. Enter your username and password from the Learning Portal.

      2. Navigate to Policies → On-prem DNS Firewall.

      3. Click the On-prem DNS Firewall Configuration link.

    2. Copy the RPZ names to a text editor. This step is for convenience. You can simply copy and paste the values when you create the new RPZ if you prefer.

      1. Open a text editor on the Jump-Desktop. Click the Infoblox logo on the bottom left of the Desktop. Click the Geany icon.

      2. Click the Step 2 Feeds Configuration Values link.

      3. Click the Copy button to copy the RPZ name for the Base feed.

      4. Paste the name of the Base RPZ into the editor.

      5. Repeat the process for the AntiMalware, Ransomware, and Bogon RPZs.

      6. Close the Threat Feed Details page.

      7. Click the Step 3 Distribution Server Configuration Values link.

      8. Copy the values for Name, Distribution Server, Key Name, TSIG Key, and Key Algorithm to your text editor.
         Make sure you use the Copy button rather than highlight, select, and paste. You might not get the whole key if you don’t use the Copy button.

These specific RPZs have been chosen to ensure they don’t exceed the capacity of the NIOS appliances in your lab environment.

Task 2 Solution: Log into NIOS grid and create RPZ DNSFW NSG name server group

  • In this task, you create a name server group called RPZ DNSFW NSG. This name server group is used by the Infoblox RPZ feeds.

    1. Navigate to Data Management → DNS → Name Server Groups

      1. Click the drop-down arrow next to the plus (+) symbol to add a new Authoritative Name Server Group.

      2. Type RPZ DNSFW NSG in the Name field. Click the drop-down arrow next to the plus (+) symbol and select External Primary.

      3. Add the details for the External Primary Name Server.

        1. In this example, the US West Distribution Server is used.

        2. Use the Name you saved earlier for the server name.

        3. The IP Address is 54.69.93.185.

        4. Click the Use TSIG button.

        5. Copy your Key Name and Key Data from the CSP Portal, or the file you copied them to.

        6. Click the Add button.

      4. Click the drop-down arrow next to the plus (+) symbol and select Grid Secondary.

      5. Click Select, then select ibns1.techblue.net from the Member Selector.

      6. Check the Lead Secondary box. Click Add.

      7. Click the drop-down arrow next to the plus (+) symbol. Click Grid Secondary.

      8. Click Select, then select ibns2.techblue.net from the Member Selector.

      9. Click Add then Save & Close.

Task 3 Solution: Configure RPZ Feeds into the NIOS GRID

  • In this task, you create the RPZ configuration for the feeds. Initially, each RPZ is configured in Passthru Policy Override mode. Once they have been successfully tested, and you confirm that they don’t cause issues with legitimate traffic, they are put into None (Given) Policy Override Mode.

    1. Navigate to Data Management → DNS → Response Policy Zones.

    2. Click the check button for Add Response Policy Zone Feed. Click Next.

    3. Copy the name from your text file, or type, base.rpz.infoblox.local into the name field. Select Passthru as the Policy Override value. Add a description for the zone. Click Next.

    4. Choose to Use this Name Server Group. Select RPZ DNSFW NSG and click Save & Close.

    5. Do NOT restart services yet.

    6. Repeat steps 2, 3 and 4 to add the AntiMalware, Ransomware, and Bogon RPZ feeds. Use Passthru as the Policy Override value for all feeds.

    7. Re-order the RPZs if required so that they are ordered as follows:

      1. allowlist.rpz

      2. walledgarden.rpz

      3. denylist.rpz

      4. base.rpz.infoblox.local

      5. antimalware.rpz.infoblox.local

      6. ransomware.rpz.infoblox.local

      7. bogon.rpz.infoblox.local

    8. Restart DNS services now.

    9. Navigate to Data Management → DNS → Response Policy Zones. The Last Updated field for the BloxOne Threat Defense feeds shows the date and time of the last update.

It may take some time for the downloads to complete.

Task 4 Solution: Export RPZ feed data

  • To check an RPZ feed, you need to know a domain/IP Address that will trigger a Block Domain (No Such Domain) Rule. To discover this, you export the data from the base feed.

    1. Navigate to Data Management → DNS → Response Policy Zones.

    2. Click the link to the base.rpz.infoblox.local RPZ feed.

    3. The Export wizard opens. Notice the message informing you that a large RPZ feed zone can take a long time to export. Click Start.

    4. The export CSV file will be downloaded to the Linux Desktop in the /home/training/Downloads folder.

    5. Open the CSV file that was just downloaded. A Text Import wizard opens for the base.rpz.infoblox.local.csv file. Click OK.

    6. The file opens in LibreOffice Calc, an office tool that includes spreadsheet functions. Inside the file you can see:

      1. The Name or Address that is blocked

      2. The Policy – Block NXDOMAIN

      3. Information about the external name servers for this RPZ feed

    7. Search, or scroll down, to see the thejoe.publicvm.com domain entry.

    8. Click File → Exit LibreOffice to close LibreOffice.

Task 5 Solution: Verify RPZ Feed action using dig and syslog

If you see the error message "Failed to reload network settings: No such file or directory", please re-enter "sudo set-network-static-nios".

  • Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    • Open a terminal window and issue the command sudo set-network-static-nios and verify that the machine now has the IP address 172.31.101.250 using the command ifconfig.

  • Use dig and syslog entries to validate the local RPZ configurations.

    1. When using dig please specify the server 10.100.0.105 in the command using the @ symbol, i.e.: dig @10.100.0.105 <domain>

    2. Use the indicator from the Learning Portal or one of the trigger domains you saved earlier for this exercise.

    3. Open a terminal window on the Testing-Linux machine. Use dig to perform a DNS query for eicar.stream or eicar.co or eicar.host.

    4. Navigate to Administration → Logs → Syslog → Active. Select Member ibns1.techblue.net from the drop-down list.

    5. Choose RPZ Incidents from the Quick Filter drop-down list. Type <insert indicator used above> in the search box.

    6. Check syslog. In this example, the DNS query for thejoe.publicvm.com is listed in the messages section, in CEF format. The query has matched a PASSTHRU rule in base.rpz.infoblox.local.

  • You verify that the base.rpz.infoblox.local RPZ is detecting domain names that should be blocked by modifying the Policy Override value for base.rpz.infoblox.local. Change the value to None (Given).

    1. Navigate to Data Management → DNS → Response Policy Zones.

    2. Select the base.rpz.infoblox.local feed and click the hamburger icon. Select Edit.

    3. Change the Policy Override value to None (Given). Click Save & Close. We use None (Given) because the policy actions are already set in the rules inside the RPZ.

    4. Restart services when prompted.

    5. Repeat the dig command from step 1. Open a terminal window on Testing-Linux. Use dig to perform a DNS query for eicar.stream or eicar.co or eicar.host. This time the query is blocked by the base.rpz.infoblox.local feed.

    6. View the record in syslog. This time the DNS response is NXDOMAIN – No Such Domain.
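As an added example (not part of the lab guide), a small POSIX shell helper for the dig checks in Tasks 5 and 6: it classifies dig output so that a list of saved trigger domains can be checked in one pass, reporting BLOCKED for the NXDOMAIN response expected once the feed is in None (Given) mode and ANSWERED for the A record returned in Passthru mode or with the feed disabled. The resolver address 10.100.0.105 comes from the lab; the function names and the input file format (one domain per line) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the lab. Assumes dig is installed on testing-linux
# and the lab resolver is 10.100.0.105 (override with RPZ_SERVER=...).
RPZ_SERVER="${RPZ_SERVER:-10.100.0.105}"

# classify_dig_output: read dig output on stdin and print one word:
#   BLOCKED  - status NXDOMAIN, the RPZ Block (No Such Domain) action
#   ANSWERED - status NOERROR with at least one A record (Passthru, or feed disabled)
#   EMPTY    - status NOERROR but no A record in the answer
#   UNKNOWN  - anything else (SERVFAIL, timeout, unparsable output)
classify_dig_output() {
    out=$(cat)
    # The ->>HEADER<<- line carries "status: <CODE>"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    # Count non-comment lines that look like "<name> <ttl> IN A <addr>"
    answers=$(printf '%s\n' "$out" \
        | grep -c -E '^[^;].*[[:space:]]IN[[:space:]]+A[[:space:]]' || true)
    case "$status" in
        NXDOMAIN) echo BLOCKED ;;
        NOERROR)  [ "$answers" -gt 0 ] && echo ANSWERED || echo EMPTY ;;
        *)        echo UNKNOWN ;;
    esac
}

# check_indicator: query one trigger domain through the lab resolver and classify it.
check_indicator() {
    dig @"$RPZ_SERVER" "$1" A | classify_dig_output
}

# check_file: check every domain listed in a file (one per line, e.g. the trigger
# domains saved from the base feed export) and print "<domain>\t<result>".
check_file() {
    while read -r d; do
        [ -n "$d" ] || continue
        printf '%s\t%s\n' "$d" "$(check_indicator "$d")"
    done < "$1"
}
```

Run `check_file trigger-domains.txt` before and after changing the Policy Override to see every domain flip from ANSWERED to BLOCKED; any domain still ANSWERED after the change is worth a look in the RPZ Incidents syslog filter.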

Task 6 Solution: Test RPZ Feed action by disabling and re-enabling them

  • In this task, you disable the base.rpz.infoblox.local feed and repeat the DNS Query for the A record of http://mydreamhoroscope.com.

    1. Navigate to Data Management → DNS → Response Policy Zones.

      1. Check the box next to base.rpz.infoblox.local. Click the hamburger icon or the edit button to edit the zone.

      2. Click the General tab.

      3. Check the Disable box.

      4. Click Save & Close.

      5. Restart the services when prompted.

    2. Open a terminal window on the Testing-Linux machine.

      1. Run the command dig eicar.stream or eicar.co or eicar.host. In the results, you can see the A record returned by the DNS Server. The domain has not been blocked. Without the Base RPZ feed, users are able to obtain the IP Address of malicious sites.

    3. Enable base.rpz.infoblox.local RPZ.

      1. Navigate to Data Management → DNS → Response Policy Zones.

      2. Check the box next to base.rpz.infoblox.local. Click the hamburger icon or the edit button to edit the zone.

      3. Make sure the Disable box is unchecked. Click Save & Close. Restart Services when prompted.

    4. Re-order the RPZ so that base.rpz.infoblox.local is below denylist.rpz. Restart Services when prompted.

    5. Repeat the dig command once more on Testing-Linux. Use dig to perform a DNS query for eicar.stream or eicar.co or eicar.host. This time the query is blocked by the base.rpz.infoblox.local feed.
