Starting DNS Infrastructure Protection in NIOS (2547)
This lab requires a lab environment with DNS Infrastructure Protection capability!
Please ensure that you have deployed the NIOS 9.0 Lab Environment (with DNS Infrastructure Protection).
Scenario
You’re tasked with initiating the DNS Infrastructure Protection service in your environment for the first time. In this lab, your goal will be to start the DNS Infrastructure Protection service on extibns.techblue.net.
To achieve that, you will load the DNS Infrastructure Protection license into the Grid, manually upload an initial ruleset, set the service to monitor-mode to establish a baseline for our environment, ensure that there are no unintended effects on network traffic, and finally enable the service.
Estimate Completion Time
30 to 35 minutes
Prerequisites
Credentials
| Description | Username | Password | URL or IP |
|---|---|---|---|
| Grid Manager UI | admin | infoblox | |
Requirements
Administrative access to the Grid
Usage of the NIOS Lab Environment (with DNS Infrastructure Protection)
Tasks
Load DNS Infrastructure Protection License Files to the Grid
Upload an Initial Ruleset
Configure Rule Update and Ruleset Download Policies
Set DNS Infrastructure Protection Service to monitor-mode
Start the DNS Infrastructure Protection Service
Task 1: Load DNS Infrastructure Protection License Files to the Grid
Advanced DNS Protection (ADP) is an older name for the DNS Infrastructure Protection (DNS-IP) service; some system files still use the old name.
Add the DNS Infrastructure Protection license by navigating to Shared Drive/Licenses and selecting the ADP.lic file.
Task 2: Upload an Initial Ruleset
In this task, you upload a ruleset. An older ruleset is uploaded first so that you can update to the latest ruleset later. Use the ruleset-20250702.bin2 file from the Shared Drive/NIOS-Imports folder.
Task 3: Configure Rule Update and Ruleset Download Policies
Set the Rule Update Policy to Manual, Enable Automatic Ruleset Downloads, and test the connection to ensure it works.
Task 4: Set DNS Infrastructure Protection Service to monitor-mode
Advanced DNS Protection (ADP) is an older name for the DNS Infrastructure Protection (DNS-IP) service; some system commands still use the old name.
Configure the DNS Infrastructure Protection service to use monitor-mode.
Task 5: Start the DNS Infrastructure Protection Service
Start the DNS Infrastructure Protection service on the extibns.techblue.net member, and restart services if prompted.
Solutions
Task 1 Solution: Load DNS Infrastructure Protection License Files to the Grid
In this task, we will load the DNS Infrastructure Protection license into the Grid. There should be two licenses bundled into the file. The first “DNS Infrastructure Protection” license enables the service on the Grid, while the second “DNS Infrastructure Protection Update” license allows the Grid to download and install the latest rule sets.
On the jump-desktop machine, open a browser window to https://10.100.0.100.
Navigate to Infoblox Grid → Licenses → Members.
Click the plus (+) symbol to add a new license.
Click Select File to upload the license file.
Navigate to Shared Drive/Licenses/9.0. Select the ADP.lic file and click Open.
Advanced DNS Protection (ADP) is an older name for the DNS Infrastructure Protection (DNS-IP) service; some system files still use the old name.
Click Verify License(s), then Save All Valid Licenses.
Click on the Show Filter link
Select Feature equals DNS Infrastructure Protection (software add-on), then click Apply.
Since DNS Infrastructure Protection in this lab runs on a virtual machine rather than a physical appliance, it is a software add-on rather than dedicated hardware.
Select Feature equals DNS Infrastructure Protection update, then click Apply.
This license allows DNS Infrastructure Protection rulesets to be automatically updated when configured.
Task 2 Solution: Upload an Initial Ruleset
In this task, we will start by manually uploading an older ruleset. This is done to demonstrate how it can be done and to allow for the automatic download of the latest ruleset in a later task.
For the DNS Infrastructure Protection service to start, at least one ruleset must be active. We can either manually download the latest ruleset from the Infoblox support portal or set the Grid to automatically download it and wait for it to finish downloading before we can start the service.
Navigate to Data Management → Security → DNS Infrastructure Protection Rules.
Click the plus (+) symbol to add a ruleset.
Click Select to upload a file.
Select the ruleset-20250702.bin2 file from the Shared Drive/NIOS-Imports folder. Click Upload.
Click Test to verify that the ruleset file is not corrupted.
Click Update to update the rules.
Close the Rule File Upload window.
The uploaded ruleset will become the active ruleset.
Task 3 Solution: Configure Rule Update and Ruleset Download Policies
In this task, we will test our Grid’s connection to the DNS Infrastructure Protection ruleset update servers and download the latest available ruleset for our use. We won't be activating it yet.
Navigate to Data Management → Security → DNS Infrastructure Protection Rules.
Select Grid Security Properties from the Toolbar.
Under DNS Infrastructure Protection → Basic, set the Rule Update Policy to Manual.
Select the checkbox labeled "Enable Automatic Ruleset Downloads".
Click Test Connection. When the test is successful, a blue banner displays at the top of the current window. Ensure the connection works.
Click Download Rules Now.
Click Save & Close.
There should be two rulesets.
Click the hamburger icon next to the old ruleset 20250702-16 and choose Activate from the list.
The system will use the latest ruleset version by default. We will manually change the active ruleset in this lab because in a later lab, we will use other rulesets and profiles after customizing and tuning them.
Task 4 Solution: Set DNS Infrastructure Protection Service to monitor-mode
In this task, we configure the DNS Infrastructure Protection service to use monitor-mode. This enables us to establish a baseline for our environment and ensure that there are no unintended effects on network traffic.
The best practice is to always run DNS Infrastructure Protection in monitor mode for at least a week to establish traffic patterns.
Log in to the nios-4 VM console with credentials (admin/infoblox).
Issue the set adp monitor-mode on command. This command switches the DNS Infrastructure Protection service mode on extibns.techblue.net to monitor mode.
Advanced DNS Protection (ADP) is an older name for the DNS Infrastructure Protection (DNS-IP) service; some CLI commands still use the old name.
Issue the show adp monitor-mode command. You should see that monitor mode is enabled, but the DNS Infrastructure Protection service is disabled. This is because we have not yet started the service on extibns.techblue.net.
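The point of monitor-mode is that rule matches are recorded but no traffic is dropped, so a week of monitoring yields a baseline of who trips which rule and how often before enforcement is turned on. The following is an added toy model written for this guide, not NIOS code, and it does not reproduce NIOS rule semantics, rule names or output: the two rate-limit rules, their thresholds and the traffic window are all constructed here to show the difference between monitor and blocking mode on the same input.

```python
"""Toy model of a DNS protection engine in monitor mode vs. blocking mode.

Constructed example for illustration; rule names, limits and traffic are invented.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Query:
    client: str   # source address of the querying host
    qname: str
    qtype: str


@dataclass(frozen=True)
class Rule:
    name: str
    qtype: str             # query type this rule watches, e.g. "ANY"
    per_client_limit: int  # matching queries one client may send per window


@dataclass
class Engine:
    rules: list
    monitor_mode: bool
    matches: Counter = field(default_factory=Counter)  # (rule, client) -> matches seen
    hits: Counter = field(default_factory=Counter)     # (rule, client) -> over-limit events
    answered: int = 0
    dropped: int = 0

    def process(self, queries):
        """Run one window of queries through every rule."""
        for q in queries:
            drop = False
            for r in self.rules:
                if q.qtype != r.qtype:
                    continue
                key = (r.name, q.client)
                self.matches[key] += 1
                if self.matches[key] > r.per_client_limit:
                    self.hits[key] += 1          # recorded in both modes
                    if not self.monitor_mode:
                        drop = True              # enforced only in blocking mode
            if drop:
                self.dropped += 1
            else:
                self.answered += 1
        return self


def top_talkers(engine, rule_name, n=3):
    """Highest per-client match counts for one rule: the baseline a monitor run yields."""
    rows = [(client, c) for (rule, client), c in engine.matches.items() if rule == rule_name]
    return sorted(rows, key=lambda row: (-row[1], row[0]))[:n]


# Hypothetical rules: at most 5 ANY queries and 5 A queries per client per window.
RULES = [Rule("ANY-flood", "ANY", 5), Rule("A-flood", "A", 5)]


def sample_window():
    """Constructed traffic: ten clients sending one A query each, plus one client
    bursting 20 ANY queries for the zone apex."""
    normal = [Query(f"10.0.1.{i}", f"host{i}.techblue.net", "A") for i in range(1, 11)]
    burst = [Query("10.0.2.9", "techblue.net", "ANY") for _ in range(20)]
    return normal + burst


def run(monitor_mode):
    """Process the sample window in the requested mode and return the engine state."""
    return Engine(RULES, monitor_mode).process(sample_window())


if __name__ == "__main__":
    for mode in (True, False):
        eng = run(mode)
        label = "monitor" if mode else "blocking"
        print(f"{label}: answered={eng.answered} dropped={eng.dropped} "
              f"rule_hits={sum(eng.hits.values())}")
        print("  top ANY talkers:", top_talkers(eng, "ANY-flood"))
```

Both modes record the same 15 over-limit events for the bursting client; only blocking mode turns them into dropped queries. Reading the top talkers out of a monitor-mode run is the information you want before deciding whether a threshold is right for the environment or would cut off a legitimate resolver.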
Task 5 Solution: Start the DNS Infrastructure Protection Service
In this task, we will start the DNS Infrastructure Protection service on extibns.techblue.net. This process will take several minutes.
Switch back to jump-desktop.
Navigate to Data Management → Security → Members.
Select extibns.techblue.net and click Start in the Toolbar.
Click Yes to confirm starting the service.
Restart services when prompted.
Refresh the page to view the latest status for extibns.techblue.net.
The status is in yellow, because extibns.techblue.net is in monitoring mode.
It takes several minutes for the DNS Infrastructure Protection service to start.