
Configuring Blocking local RPZ rules in NIOS (2549)


This lab requires a NIOS 9.0 Lab Environment

This lab guide has been developed using the new NIOS 9.0 Lab Environment (experimental) lab. Please ensure that you deploy a NIOS 9.0 lab environment to complete these lab tasks. The tasks are untested in any other lab environment and will likely not work there.


Scenario

A corporate compliance policy was created to increase your corporate DNS security posture. The policy dictates what domains will be allowed and which ones will be blocked or modified. Your current task is to create a blocking policy to stop known malicious domains from being accessed.

Learning Content

Estimated Completion Time

  • 25 to 30 minutes

Credentials

Description        Username   Password   URL or IP
Grid Manager UI    admin      infoblox   https://10.100.0.100/

Requirements

  • Administrative access to the Grid

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.



Tasks

  1. Create a local RPZ named denylist.rpz with an initial action of pass-thru

  2. Re-arrange Response Policy Zones in the correct order

  3. Add Block Domain Name Policy Rules to denylist.rpz

  4. Add Block IP Address Rule to denylist.rpz

  5. Add a Block Client IP Address Rule to denylist.rpz

  6. Test denylist.rpz to verify it is detecting the traffic and passing it through

  7. Modify denylist.rpz to Block traffic instead of passing it through

  8. Verify that traffic matching rules in denylist.rpz is now blocked

Task 1: Create local RPZ - denylist.rpz

  • Create a local RPZ named denylist.rpz with its Policy Override set to Passthru, so that queries for unwanted domains are matched and logged but, for now, still answered normally. Assign it to the previously configured name server group RPZ Local NSG.

Task 2: Rearrange Response Policy Zones in the correct order

  • Place the RPZs in the correct order, so that traffic that should pass through is never blocked by the denylist, and vice versa:

    1. allowlist.rpz

    2. denylist.rpz

Task 3: Add Block Domain Name Policy Rules to denylist.rpz

  • Add a rule to the denylist.rpz to block the eicar.net domain and all its sub-domains.

Task 4: Add Block IP Address Rule to denylist.rpz

  • Add a rule to the denylist.rpz that blocks the destination IP address 224.224.224.224.

    • 224.224.224.224 lies in the IPv4 multicast range (224.0.0.0/4) and is never a legitimate unicast destination, which makes it a safe stand-in for a bogon. In the lab the domain bogon.singalorange.net resolves to this address.

Task 5: Add Block Client IP Address Rule to denylist.rpz

  • Add a rule to block DNS queries from a specific client IP address. The address used in the lab is 172.31.101.250.

    • This is the IP address of the testing-linux machine, the host from which all test queries are sent. An enabled client IP rule would block every one of those queries and hide the results for the other rules, so the rule is left disabled until the others have been tested.

Task 6: Test denylist.rpz Local RPZ Rules

  • Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    • Open a terminal window and issue the command sudo set-network-static-nios and verify that the machine now has the IP address 172.31.101.250 using the command ifconfig.

  • Use dig and syslog entries to validate the local RPZ configurations.

Task 7: Modify denylist.rpz to Block traffic

  • Change the Policy Override value for denylist.rpz to Block (No Such Domain)

Task 8: Verify denylist.rpz is blocking traffic

  • Switch over to the testing-linux machine with the credentials (training/infoblox).

  • Use dig and syslog entries to validate the local RPZ configurations.

    • Verify that queries for eicar.net and for bogon.singalorange.net (which resolves to 224.224.224.224) now return NXDOMAIN.

      • Then enable the Block Client IP Address rule and verify that any query from 172.31.101.250 is blocked.


Solutions

Task 1 Solution: Create local RPZ - denylist.rpz

In this task, we create a local RPZ called denylist.rpz with its Policy Override set to Passthru. In Passthru mode a matching query is logged as an RPZ incident but the response is returned unchanged, so the rules can be validated without unintentionally blocking legitimate traffic.

  1. On the jump-desktop machine, open a browser window and browse to https://10.100.0.100.

  2. Navigate to Data Management → DNS → Response Policy Zones.

  3. Click the plus (+) symbol to add a new RPZ.

  4. Select Add Local Response Policy Zone and click Next.

  5. Enter denylist.rpz for the name of the zone.

  6. Select Passthru from the drop-down list for the Policy Override value.

    1. NOTE: The Policy Override will be changed to Block (No Such Domain) in Task 7, once the rules have been verified to match the intended traffic.

  7. Change the Severity to Critical.

  8. Type in a comment to describe the purpose of the RPZ.

  9. Click Next to continue.

  10. Select the Use this Name Server Group button.

  11. Choose RPZ Local NSG from the drop-down list.

  12. Click Save & Close.

  13. Restart Services when prompted.


Task 2 Solution: Rearrange Response Policy Zones in the correct order

In this task, we place the RPZs in the correct order, ensuring that traffic that should pass through is not blocked and vice versa. RPZs are evaluated in the order listed, and the first zone that contains a matching rule decides the action taken. This matters once denylist.rpz is switched to blocking: a name that appears in both zones must still be passed through, so allowlist.rpz is placed above denylist.rpz.

  1. Navigate to Data Management → DNS → Response Policy Zones.

  2. Click Order Response Policy Zones on the toolbar.

  3. Arrange the RPZs so that allowlist.rpz is first, and denylist.rpz is second.

  4. Click OK.

  5. Restart services when prompted.

Task 3 Solution: Add Block Domain Name Policy Rules to denylist.rpz

In this task, we add two rules to denylist.rpz. A domain-name rule matches the exact name only, so the first rule, eicar.net, covers the apex name and a second rule, *.eicar.net, is needed to cover every subdomain beneath it. Both are required to block the whole domain.

  1. Navigate to Data Management → DNS → Response Policy Zones.

  2. Click the link to denylist.rpz.

  3. Click the arrow next to the plus (+) symbol and select Block (No Such Domain) Rule from the drop-down list.

  4. Select Block Domain Name (No Such Domain) Rule.

  5. Enter eicar.net in the Name field.

  6. Type a Comment to describe the purpose of the rule.

  7. Click Save & Close.

  8. Click the arrow next to the plus (+) symbol and select Block (No Such Domain) Rule from the drop-down list.

  9. Select Block Domain Name (No Such Domain) Rule then enter *.eicar.net in the Name field.

  10. Type a Comment to describe the purpose of the rule.

  11. Click Save & Close.


Task 4 Solution: Add Block IP Address Rule to denylist.rpz

In this task, you add a rule to denylist.rpz that blocks a destination IP address. The address 224.224.224.224 lies in the IPv4 multicast range (224.0.0.0/4) and is never a legitimate unicast destination, which makes it a safe stand-in for a bogon; in the lab the domain bogon.singalorange.net resolves to it. An IP address rule is evaluated against the addresses in the response, so any name that resolves to 224.224.224.224 will match.

  1. Navigate to Data Management → DNS → Response Policy Zones.

  2. Click the link to denylist.rpz.

  3. Click the arrow next to the plus (+) symbol and select Block (No Such Domain) Rule from the drop-down list.

  4. Select Block IP Address (No Such Domain) Rule.

  5. Enter 224.224.224.224 in the IP Address or Network field.

  6. Type a Comment to describe the purpose of the rule.

  7. Click Save & Close.

Task 5 Solution: Add Block Client IP Address Rule to denylist.rpz

In this task, you add a rule to block DNS queries from a specific client IP address. The address used in the lab is 172.31.101.250, the IP address of the testing-linux machine from which all test queries are sent. An enabled client IP rule would block every query from that host, including the ones used to test the other rules, so the rule is left disabled until we are ready to test it.

  1. Navigate to Data Management → DNS → Response Policy Zones.

  2. Click the link to denylist.rpz.

  3. Click the arrow next to the plus (+) symbol and select Block (No Such Domain) Rule from the drop-down list.

  4. Select Block Client IP Address (No Such Domain) Rule.

  5. Enter 172.31.101.250 in the Client IP Address or Network field.

  6. Type a Comment to describe the purpose of the rule.

  7. Check the Disable box.

  8. Click Save & Close.
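
The ordering, rule types and Policy Override configured in Tasks 2 to 5 (and switched in Task 7) can be modelled in a few lines. The Python below is an added example written for this page; it is not NIOS code and does not reproduce NIOS internals. It assumes the standard RPZ semantics: zones are consulted in the order listed and the first zone containing a matching rule wins; within a zone, client IP rules take precedence over QNAME rules, which take precedence over answer IP rules; a Policy Override replaces the action of every rule in the zone; a disabled rule never matches; and a *.name rule matches names below the apex but not the apex itself. The allowlist entry clean.eicar.net is hypothetical and is only there to show why allowlist.rpz must come first.

```python
"""Added example: a small model of ordered RPZ evaluation (not NIOS code).

Assumptions: zones are checked in listed order and the first zone with a matching
rule wins; inside a zone, client-IP rules beat QNAME rules, which beat answer-IP
rules; a zone's Policy Override replaces every rule's own action; a disabled rule
never matches. The allowlist entry "clean.eicar.net" is hypothetical.
"""
from dataclasses import dataclass
import ipaddress

PASSTHRU = "PASSTHRU"   # log the match, return the answer unchanged
NXDOMAIN = "NXDOMAIN"   # Block (No Such Domain)
ORDER = ("client_ip", "qname", "ip")   # within-zone precedence


@dataclass
class Rule:
    kind: str              # "qname", "ip" (answer address) or "client_ip"
    match: str             # name, "*.name", or an address / CIDR
    action: str = NXDOMAIN
    disabled: bool = False


@dataclass
class Zone:
    name: str
    rules: list
    override: str = None   # None means "Given": each rule's own action applies


@dataclass
class Query:
    qname: str
    client_ip: str
    answer_ips: tuple = ()   # addresses in the response; needed for "ip" rules


def name_matches(pattern, qname):
    """Exact QNAME match, or any name strictly below the apex for '*.' patterns."""
    pattern, qname = pattern.lower().rstrip("."), qname.lower().rstrip(".")
    if pattern.startswith("*."):
        apex = pattern[2:]
        return qname != apex and qname.endswith("." + apex)
    return qname == pattern


def ip_matches(pattern, address):
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule, q):
    if rule.disabled:
        return False
    if rule.kind == "qname":
        return name_matches(rule.match, q.qname)
    if rule.kind == "client_ip":
        return ip_matches(rule.match, q.client_ip)
    if rule.kind == "ip":
        return any(ip_matches(rule.match, a) for a in q.answer_ips)
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(zones, q):
    """Return (zone name, rule, effective action) from the first matching zone, else None."""
    for zone in zones:
        for kind in ORDER:
            for rule in zone.rules:
                if rule.kind == kind and rule_matches(rule, q):
                    return zone.name, rule, zone.override or rule.action
    return None


def lab_zones(denylist_override=PASSTHRU, client_rule_enabled=False):
    """The two RPZs of this lab, in the order set in Task 2."""
    allowlist = Zone("allowlist.rpz", [Rule("qname", "clean.eicar.net", PASSTHRU)])  # hypothetical entry
    denylist = Zone("denylist.rpz", [
        Rule("qname", "eicar.net"),             # Task 3: apex name only
        Rule("qname", "*.eicar.net"),           # Task 3: every subdomain
        Rule("ip", "224.224.224.224"),          # Task 4: matched against the answer
        Rule("client_ip", "172.31.101.250", disabled=not client_rule_enabled),  # Task 5
    ], override=denylist_override)
    return [allowlist, denylist]


if __name__ == "__main__":
    q = Query("www.eicar.net", "10.100.0.50", ("203.0.113.10",))
    print(evaluate(lab_zones(), q))            # passthru while testing (Task 6)
    print(evaluate(lab_zones(NXDOMAIN), q))    # blocked after Task 7
    print(evaluate(lab_zones(NXDOMAIN), Query("clean.eicar.net", "10.100.0.50")))  # allowlist wins
```

Swapping the order of the two zones turns the clean.eicar.net result into NXDOMAIN, which is exactly the mistake Task 2 guards against. Note also that the answer IP rule can only fire once the response is known, which is why Query carries the resolved addresses, and that the client IP rule, once enabled, matches regardless of the name queried.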

Task 6 Solution: Test denylist.rpz Local RPZ Rules

The newly created RPZ must be tested to confirm that, for now, matching traffic is logged but still passed through. In this task, we use dig and syslog entries to validate the local RPZ rules for eicar.net and the IP address 224.224.224.224. The rule matching traffic from the testing-linux machine cannot be tested yet, as it is disabled.

  1. Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    1. Open a terminal window, issue the command sudo set-network-static-nios, and verify that the machine now has the IP address 172.31.101.250 using the command ifconfig.

  2. Open a terminal window.

  3. Use the dig command dig @10.100.0.105 eicar.net. The DNS server returns the address record: the query matched the rule, but because denylist.rpz is in Passthru the response is not rewritten.

  4. Use the dig command dig @10.100.0.105 bogon.singalorange.net to perform a DNS query for the bogon domain. The DNS server returns the address record 224.224.224.224: the answer matched the Block IP Address rule, but Passthru leaves the response unchanged.

  5. Switch back to the jump-desktop machine.

  6. Navigate to Administration → Logs → Syslog.

  7. Select the Member ibns1.techblue.net from the drop-down list.

  8. Choose RPZ Incidents Logs from the Quick Filter drop-down list.

    1. The DNS queries for eicar.net and for bogon.singalorange.net (answer 224.224.224.224) are listed in the messages section, in CEF format.

    2. Both queries matched rules in denylist.rpz; the logged action is PASSTHRU because of the zone's Policy Override.

    3. This confirms that the denylist.rpz rules match the DNS requests and responses we want them to, before any traffic is blocked.


Task 7 Solution: Modify denylist.rpz to Block traffic

In the previous task, we verified that the denylist.rpz is matching the traffic we plan to block. In this task, we change the Policy Override value for denylist.rpz to Block (No Such Domain) to be able to finally stop the unwanted traffic.

  1. Navigate to Data Management → DNS → Response Policy Zones.

  2. Click the hamburger icon to edit denylist.rpz.

  3. Select Block (No Such Domain) from the drop-down list for Policy Override.

  4. Click Save & Close.

  5. Restart the services when prompted.

Task 8 Solution: Verify denylist.rpz is Blocking traffic

In this task, we verify that queries for eicar.net and for bogon.singalorange.net (which resolves to 224.224.224.224) are now blocked, and then that queries from 172.31.101.250 are blocked. The client IP rule for testing-linux must be enabled before that last check.

  1. Switch over to the testing-linux machine with the credentials (training/infoblox). If the machine no longer has the static address 172.31.101.250 from Task 6, run sudo set-network-static-nios again.

  2. Open a terminal window.

  3. Use the dig command dig @10.100.0.105 eicar.net. The DNS server should return an NXDOMAIN response.

  4. Use the dig command dig @10.100.0.105 bogon.singalorange.net to perform a DNS query for the bogon domain. The DNS server should return an NXDOMAIN response.

  5. Navigate back to the jump-desktop machine.

  6. Navigate to Data Management → DNS → Response Policy Zones.

  7. Click the link to denylist.rpz.

  8. Click the check box for the 172.31.101.250 rule.

  9. Click the hamburger icon, or the edit icon to edit the rule.

  10. Remove the check from the Disable box.

  11. Click Save & Close.

  12. Navigate back to the testing-linux machine.

  13. Open a terminal window.

  14. Use the dig command dig @10.100.0.105 training.infoblox.com. The DNS server should return an NXDOMAIN response because the request comes from 172.31.101.250, which now matches the enabled Block Client IP Address rule. This rule blocks every query from that client, whatever name is queried.

  15. Switch back to the jump-desktop machine.

  16. Navigate to Administration → Logs → Syslog.

  17. Select the Member ibns1.techblue.net from the drop-down list.

  18. Choose RPZ Incidents from the Quick Filter drop-down list.

  19. Click the Toggle Multi-line view link.

    1. The DNS query for eicar.net is listed in the messages section, in CEF format. The query matched a Block (No Such Domain) rule in denylist.rpz.

    2. The DNS query for bogon.singalorange.net, whose answer 224.224.224.224 matched the Block IP Address rule, is listed in the messages section, in CEF format. The logged action is NXDOMAIN from denylist.rpz.

    3. The DNS query for training.infoblox.com is listed in the messages section, in CEF format. The query matched the Block Client IP Address (No Such Domain) rule in denylist.rpz.
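
Tasks 6 and 8 both end by reading RPZ Incidents in the syslog view, where each hit is a CEF record. The Python below is an added example, not NIOS code or lab material: it parses CEF lines, pulls the trigger, action and zone out of the rewrite message, and flags hits where a zone that is meant to block is still returning PASSTHRU, which is the state you are in between Task 6 and Task 7. The sample lines are constructed; they follow the generic CEF layout and carry a BIND-style "rpz <trigger> <action> rewrite <name> via <owner>" message, with rpz-ip and rpz-client-ip owner names in the standard RPZ encoding (prefix length followed by reversed octets). The exact field names NIOS emits are an assumption, so adjust the source field used by rpz_hit if your export differs.

```python
"""Added example: parse RPZ incident lines in CEF and audit for zones still in Passthru.

Not NIOS code. The sample lines are constructed to follow the generic CEF layout
(CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|key=value ...) with a
BIND-style "rpz <trigger> <action> rewrite <name> via <owner>" text in msg=; the field
names NIOS actually emits are an assumption.
"""
import re

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature", "name", "severity")
REWRITE = re.compile(r"rpz (\S+) (\S+) rewrite (\S+) via (\S+)")


def parse_cef(line):
    """Split a CEF line into its seven header fields plus a dict of extension keys."""
    body = line[line.index("CEF:") + 4:]
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)   # header pipes may be escaped as \|
    if len(parts) != 8:
        raise ValueError("not a CEF record")
    rec = dict(zip(HEADER_FIELDS, (p.replace(r"\|", "|") for p in parts[:7])))
    # extension values may contain spaces, so split only where the next "key=" starts
    for tok in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, val = tok.partition("=")
        rec[key] = val.replace(r"\=", "=").replace(r"\\", "\\")
    return rec


def rpz_hit(rec, zones):
    """Extract qname, client, trigger, action and zone from a parsed RPZ incident, or None."""
    m = REWRITE.search(rec.get("msg", ""))
    if not m:
        return None
    trigger, action, qname, via = m.groups()
    # the rule owner name ends with the RPZ's zone name, e.g. "...rpz-ip.denylist.rpz"
    zone = next((z for z in zones if via.rstrip(".").endswith("." + z)), None)
    return {"qname": qname, "client": rec.get("src"), "trigger": trigger,
            "action": action, "zone": zone}


def audit(lines, zones, blocking_zones):
    """Return hits that a zone meant to block still passed through (zone left in Passthru)."""
    leaks = []
    for line in lines:
        hit = rpz_hit(parse_cef(line), zones)
        if hit and hit["zone"] in blocking_zones and hit["action"] == "PASSTHRU":
            leaks.append(hit)
    return leaks


ZONES = ["allowlist.rpz", "denylist.rpz"]

# Constructed sample: the state after Task 6 (denylist.rpz still in Passthru) ...
TASK6_LOG = [
    "CEF:0|Infoblox|NIOS|9.0|RPZ-QNAME|PASSTHRU|7|app=DNS dst=10.100.0.105 src=172.31.101.250 "
    "spt=41527 msg=rpz QNAME PASSTHRU rewrite eicar.net via eicar.net.denylist.rpz",
    "CEF:0|Infoblox|NIOS|9.0|RPZ-IP|PASSTHRU|7|app=DNS dst=10.100.0.105 src=172.31.101.250 "
    "spt=41528 msg=rpz IP PASSTHRU rewrite bogon.singalorange.net via "
    "32.224.224.224.224.rpz-ip.denylist.rpz",
]
# ... and after Task 8 (override changed to Block, client IP rule enabled)
TASK8_LOG = [
    "CEF:0|Infoblox|NIOS|9.0|RPZ-QNAME|NXDOMAIN|7|app=DNS dst=10.100.0.105 src=172.31.101.250 "
    "spt=41601 msg=rpz QNAME NXDOMAIN rewrite eicar.net via eicar.net.denylist.rpz",
    "CEF:0|Infoblox|NIOS|9.0|RPZ-IP|NXDOMAIN|7|app=DNS dst=10.100.0.105 src=172.31.101.250 "
    "spt=41602 msg=rpz IP NXDOMAIN rewrite bogon.singalorange.net via "
    "32.224.224.224.224.rpz-ip.denylist.rpz",
    "CEF:0|Infoblox|NIOS|9.0|RPZ-CLIENT-IP|NXDOMAIN|7|app=DNS dst=10.100.0.105 src=172.31.101.250 "
    "spt=41603 msg=rpz CLIENT-IP NXDOMAIN rewrite training.infoblox.com via "
    "32.250.101.31.172.rpz-client-ip.denylist.rpz",
]

if __name__ == "__main__":
    for label, log in (("after Task 6", TASK6_LOG), ("after Task 8", TASK8_LOG)):
        leaks = audit(log, ZONES, {"denylist.rpz"})
        print(label, "passthru leaks:", [(h["qname"], h["trigger"]) for h in leaks])
```

Running the audit over a syslog export after Task 7 should return no leaks; any PASSTHRU hit attributed to denylist.rpz at that point means the Policy Override change did not take effect (for example because services were not restarted) or that a later zone, not the intended one, produced the match.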
