2550 - Configuring Substitute local RPZ rules in NIOS
Scenario
As a measure to increase your corporate DNS security posture, a corporate compliance policy was created, the policy dictates that specific Domains and IP Addresses are blocked for all users. Any user attempting to access a specific site must be redirected to a walled garden where they are presented with a web page outlining corporate policy.
Your current task is to create a Substitute policy redirecting users when accessing unwanted domains.
Course References
2031: Configuring Local RPZ in NIOS
Estimate Completion Time
20 to 25 minutes
Credentials
Description | Username | Password | URL or IP |
---|---|---|---|
Grid Manager UI | admin | infoblox |
Requirements
Administrative access to the Grid
Lab Initiation
Access jump-desktop
Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:
Username: training
Password: infoblox
Initiate lab
To initiate the lab, double-click the Launch Lab icon on the Desktop.
Choose the lab number from the list and click OK.
After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.
Lab initiation will take a couple of minutes to finish.
Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.
Tasks
Task 1: Apply the RPZ license to ibns1.techblue.net and ibns2.techblue.net
Task 2: Create local RPZ - walledgarden.rpz
Task 3: Arrange Response Policy Zones in correct order
Task 4: Add Substitute (Domain Name) Policy Rules to walledgarden.rpz
Task 5: Testing Substitute Local RPZ Rules
Task 1: Apply the RPZ license to ibns1.techblue.net and ibns2.techblue.net
Apply the RPZ license file stored on /mnt/shared/licenses.
Verify that DNS licenses are enabled and running on members that will be hosting RPZ.
Add the RPZ licenses located in the shared Drive/Licenses folder under the name RPZ.txt
Task 2: Create local RPZ - walledgarden.rpz
In this task, you create a local RPZ used to redirect queries for malware.signalorange.net
Create a Local RPZ named denylist.rpz
Set the override value to passthru and severity level to critical
Use the RPZ Local NSG server group
Verify the creation of the RPZ
Task 3: Arrange Response Policy Zones in correct order
Place the RPZ’s into the correct order, ensuring that traffic that should pass through is not blocked, and vice versa
Allowlist.rpz
Walledgarden.rpz
Denylist.rpz
Task 4: Add Substitute (Domain Name) Policy Rules to walledgarden.rpz
Add a Substitute (Domain Name) rule to the walledgarden.rpz. Queries for the malware.signalorange.net domain are redirected to walledgarden.techblue.net.
Task 5: Testing Substitute Local RPZ Rules
Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.
open a terminal window and issue the command
sudo set-network-static-nios
and verify that the machine now has the IP address 172.31.101.250 using the commandifconfig
.
Use dig and syslog entries to validate the local RPZ configurations.
When using dig please specify the server 10.100.0.105 in the command using the
@
symbol, i.e.:dig @10.100.0.105 <domain>
If you see the error message "Failed to reload network settings: No such file or directory", please re-enter "sudo set-network-static-nios".
Solutions
Task 1 Solution: Apply the RPZ license to ibns1.techblue.net and ibns2.techblue.net
In this task, you apply the RPZ license file stored on the Jump-desktop. The license file is called RPZ.txt and is located in the /home/training/Documents/Licenses folder.
Navigate to Grid → Licenses.
Click the plus (+) symbol to add the RPZ license.
Select the Upload License File radio button. Click Select File.
Navigate to shared Drive/Licenses. Click the RPZ.txt file and select Open.
Click Save License(s).
Click Filter On and use a quick filter to search for RPZ licenses. There are two licenses associated with ibns1.techblue.net as this member is part of an HA pair.
Task 2 Solution: Create local RPZ - walledgarden.rpz
In this task, you create a local RPZ called walledgarden.rpz. The RPZ is used to redirect queries for malware.signalorange.net to walledgarden.rpzdemo.infoblox.com.
Navigate to Data Management → DNS → Response Policy Zones.
Click the plus (+) symbol to add a new RPZ.
Select Add Local Response Policy Zone and click Next.
Enter walledgarden.rpz for the name of the zone. Change the Severity to Warning. Select None (Given) for the Policy Override value. The policy will be specified in the rules. Type in a comment to describe the purpose of the RPZ. Click Next to continue.
Select the Use this Name Server Group button. Choose RPZ Local NSG from the drop-down list. Click Save & Close.
Restart Services.
Verify the creation of each RPZ in the Audit Log. Navigate to Administration → Logs → Audit Log.
Click Toggle multi-line view. Click Show Filter. Use the Filter to search for CREATED Actions. The screenshot shows the creation of walledgarden.rpz. Scroll down to see the creation of denylist.rpz and allowlist.rpz. The table columns in your lab may not be in the same order as the screenshot. Scroll right to see all the columns.
Task 3 Solution: Arrange Response Policy Zones in the correct order
In this task, you place the RPZ’s into the correct order, ensuring that traffic that should pass through is not blocked, and vice versa.
Navigate to Data Management → DNS → Response Policy Zones.
Click Order Response Policy Zones on the toolbar.
Drag and drop the zones into the correct order. Alternatively, use the arrows to move the zones up or down in the list.
Arrange the RPZs so that allowlist.rpz is first, walledgarden.rpz is second, and denylist.rpz is third. Leave the rest of the policies in the same order and click OK.
Restart services.
Task 4 Solution: Add Substitute (Domain Name) Policy Rules to walledgarden.rpz
In this task, you add a Substitute (Domain Name) rule to the walledgarden.rpz. Queries for the malware.signalorange.net domain are redirected to walledgarden.techblue.net.
Add the DNS Address record for walledgarden.techblue.net.
Navigate to Data Management → DNS → Zones.
Click the link to techblue.net.
Click the drop-down list for Add. Select A record.
Complete the A record wizard. Enter the name walledgarden. Enter the IP Address 10.35.22.10. Click Save & Close.
Navigate to Data Management → DNS → Response Policy Zones.
Click the link to walledgarden.rpz.
Click the arrow next to the plus (+) symbol and select Substitute (Domain Name) Rule from the drop-down list. Select Substitute Domain Name (Domain Name) Rule.
Enter malware.signalorange.net in the Name field. Enter walledgarden.techblue.net in the Substituted Name field. Type a Comment to describe the purpose of the rule. Click Save & Close.
In this step, you add a rule to Substitute all the labels for the domain, ensuring DNS queries such as www.malware.signalorange.net will be redirected to walledgarden.techblue.net.
Click the arrow next to the plus (+) symbol and select Substitute (Domain Name) Rule from the drop-down list. Select Substitute Domain Name (Domain Name) Rule.
Enter *.malware.signalorange.net in the Name field. Enter walledgarden.techblue.net in the Substituted Name field. Type a Comment to describe the purpose of the rule. Click Save & Close.
Task 5 Solution: Testing Substitute Local RPZ Rules
If you see the error message "Failed to reload network settings: No such file or directory", please re-enter "sudo set-network-static-nios".
The newly created RPZs must be tested before being implemented in production. In this task, you use dig and syslog entries to validate the local RPZ configurations.
Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.
open a terminal window and issue the command
sudo set-network-static-nios
and verify that the machine now has the IP address 172.31.101.250 using the commandifconfig
Open a terminal window on the Testing-linux machine. Use dig to perform a DNS query for malware.signalorange.net . The name substitution with a CNAME record is visible in the results.
Navigate back to Jump-Desktop, Under Administration → Logs → Syslog. Select Member ibns1.techblue.net from the drop-down list.
Choose RPZ Incidents from the Quick Filter drop-down list. The DNS Query for malware.signalorange.net is listed in the messages section, in CEF format. The name malware.signalorange.net is re-written to malware.signalorange.net.walledgarden.rpz. The query has matched a Substitute Domain Name rule in walledgarden.rpz.