Configuring Substitute local RPZ rules in NIOS (2550)

This lab requires a NIOS 9.0 Lab Environment

This lab guide has been developed using the new NIOS 9.0 Lab Environment (experimental) lab. Please ensure that you deploy a NIOS 9.0 lab environment to complete these lab tasks. If you use a different lab environment, this is untested, and the lab likely will not work.


Scenario

As a measure to increase your corporate DNS security posture, a corporate compliance policy was created that dictates which domains are allowed and which are blocked or modified. Your current task is to create a substitute policy that redirects users when they access unwanted domains.

Learning Content

Estimated Completion Time

  • 20 to 25 minutes

Credentials

Description       Username   Password   URL or IP
Grid Manager UI   admin      infoblox   https://10.100.0.100/

Requirements

  • Administrative access to the Grid

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Tasks

  1. Create a local RPZ named walledgarden.rpz

  2. Re-arrange Response Policy Zones in the correct order

  3. Add Substitute (Domain Name) Policy Rules to walledgarden.rpz

  4. Test Substitute Local RPZ Rules

Task 1: Create local RPZ - walledgarden.rpz

  • Create a local RPZ named walledgarden.rpz, using the previously configured name server group called RPZ Local NSG.

Task 2: Rearrange Response Policy Zones in the correct order

  • Place the RPZs into the correct order, ensuring that traffic that should pass through is not blocked, and vice versa.

    1. Allowlist.rpz

    2. Walledgarden.rpz

    3. Denylist.rpz

Task 3: Add Substitute (Domain Name) Policy Rules to walledgarden.rpz

  • Add a Substitute (Domain Name) rule to the walledgarden.rpz. Queries for the malware.signalorange.net domain should be redirected to walledgarden.techblue.net.

Task 4: Test Substitute Local RPZ Rules

  • Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    • Open a terminal window, issue the command sudo set-network-static-nios, and verify that the machine now has the IP address 172.31.101.250 using the command ifconfig.

  • Use dig and syslog entries to validate the local RPZ configurations.


Solutions

Task 1 Solution: Create local RPZ - walledgarden.rpz

In this task, you create a local RPZ called walledgarden.rpz. The RPZ is used to redirect queries for malware.signalorange.net to walledgarden.techblue.net.

  1. On the jump-desktop machine, open a browser window and access https://10.100.0.100.

  2. Navigate to Data Management → DNS → Response Policy Zones.

  3. Click the plus (+) symbol to add a new RPZ.

  4. Select Add Local Response Policy Zone and click Next.

  5. Enter walledgarden.rpz for the name of the zone.

  6. Change the Severity to Warning.

  7. Select None (Given) for the Policy Override value.

    1. The policy will be specified in the rule.

  8. Type in a comment to describe the purpose of the RPZ.

  9. Click Next to continue.

  10. Select the Use this Name Server Group button.

  11. Choose RPZ Local NSG from the drop-down list.

  12. Click Save & Close.

  13. Restart Services when prompted.

Task 2 Solution: Rearrange Response Policy Zones in the correct order

In this task, we arrange the RPZs in the correct order, ensuring that traffic is targeted by the correct policy.

  1. Navigate to Data Management → DNS → Response Policy Zones.

  2. Click Order Response Policy Zones on the toolbar.

  3. Arrange the RPZs so that allowlist.rpz is first, walledgarden.rpz is second, and denylist.rpz is last.

  4. Click OK.

  5. Restart services when prompted.

Task 3 Solution: Add Substitute (Domain Name) Policy Rules to walledgarden.rpz

In this task, you add Substitute (Domain Name) rules to walledgarden.rpz. Queries for the malware.signalorange.net domain are redirected to walledgarden.techblue.net. We start by creating an address record for walledgarden.techblue.net, the name the RPZ substitutes for malware.signalorange.net. Then we create two RPZ rules: one to substitute malware.signalorange.net and a second to substitute all of its subdomains.

  1. Navigate to Data Management → DNS → Zones.

  2. Click the link to techblue.net.

  3. Click the drop-down list for Add. Select A record.

  4. Enter the name walledgarden.

  5. Enter the IP Address 10.35.22.10.

  6. Click Save & Close and accept the warning prompt.

  7. Navigate to Data Management → DNS → Response Policy Zones.

  8. Click the link to walledgarden.rpz.

  9. Click the arrow next to the plus (+) symbol and select Substitute (Domain Name) Rule from the drop-down list.

  10. Select Substitute Domain Name (Domain Name) Rule.

  11. Enter malware.signalorange.net in the Name field.

  12. Enter walledgarden.techblue.net in the Substituted Name field.

  13. Type a Comment to describe the purpose of the rule.

  14. Click Save & Close.

  15. Click the arrow next to the plus (+) symbol and select Substitute (Domain Name) Rule from the drop-down list.

  16. Select Substitute Domain Name (Domain Name) Rule.

  17. Enter *.malware.signalorange.net in the Name field.

  18. Enter walledgarden.techblue.net in the Substituted Name field.

  19. Click Save & Close.
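As an added illustration, not part of the lab or of NIOS itself, the following Python models how the zone order from Task 2 and the two rules from Task 3 decide a query's outcome: zones are consulted in order and the first zone with a matching rule wins, and a wildcard trigger covers only subdomains, which is why both rules are needed. The contents of allowlist.rpz and denylist.rpz are assumptions, since the lab does not list them.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of RPZ policy evaluation (not NIOS code): zones are consulted
# in configured order, the first matching zone decides, exact trigger beats wildcard.
@dataclass
class Rule:
    trigger: str                  # "malware.signalorange.net" or "*.malware.signalorange.net"
    action: str                   # "passthru", "nxdomain" or "cname" (Substitute Domain Name)
    target: Optional[str] = None  # substituted name, only used for "cname"

@dataclass
class Rpz:
    name: str
    rules: List[Rule]

def _matches(trigger: str, qname: str) -> bool:
    trigger, qname = trigger.lower().rstrip("."), qname.lower().rstrip(".")
    if trigger.startswith("*."):
        # a wildcard covers subdomains only, not the name itself: hence two rules in the lab
        return qname.endswith(trigger[1:])
    return qname == trigger

def _best_rule(zone: Rpz, qname: str) -> Optional[Rule]:
    hits = [r for r in zone.rules if _matches(r.trigger, qname)]
    # exact trigger first, then the most specific (longest) wildcard
    hits.sort(key=lambda r: (r.trigger.startswith("*."), -len(r.trigger)))
    return hits[0] if hits else None

def evaluate(zones: List[Rpz], qname: str) -> Tuple[str, str, Optional[str]]:
    """Return (zone, action, target); ('', 'none', None) when no zone matches."""
    for zone in zones:
        rule = _best_rule(zone, qname)
        if rule:
            return zone.name, rule.action, rule.target
    return "", "none", None

# Constructed zones: walledgarden.rpz holds the Task 3 rules; the allowlist and
# denylist entries are assumptions for illustration only.
ALLOWLIST = Rpz("allowlist.rpz", [Rule("www.signalorange.net", "passthru")])
WALLEDGARDEN = Rpz("walledgarden.rpz", [
    Rule("malware.signalorange.net", "cname", "walledgarden.techblue.net"),
    Rule("*.malware.signalorange.net", "cname", "walledgarden.techblue.net"),
])
DENYLIST = Rpz("denylist.rpz", [Rule("*.signalorange.net", "nxdomain")])
LAB_ORDER = [ALLOWLIST, WALLEDGARDEN, DENYLIST]  # the order configured in Task 2

if __name__ == "__main__":
    for q in ("malware.signalorange.net", "cdn.malware.signalorange.net", "www.signalorange.net"):
        print(q, evaluate(LAB_ORDER, q), "| denylist first:", evaluate(LAB_ORDER[::-1], q))
```

Running it shows that with denylist.rpz placed first the substitute rule would never be reached and the query would simply get NXDOMAIN.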

Task 4 Solution: Test Substitute Local RPZ Rules

The newly created RPZ must be tested to ensure that the malicious domain is being substituted. In this task, we will use dig and syslog entries to validate the local RPZ configurations.

  1. Switch over to the testing-linux machine with the credentials (training/infoblox) and set the machine up for testing.

    1. Open a terminal window, issue the command sudo set-network-static-nios, and verify that the machine now has the IP address 172.31.101.250 using the command ifconfig.

  2. Open a terminal window.

  3. Use the dig command dig @10.100.0.105 malware.signalorange.net. The DNS server returns the address record, and the name substitution via a CNAME record is visible in the results.

  4. Switch back to jump-desktop.

  5. Navigate to Administration → Logs → Syslog.

  6. Select Member ibns1.techblue.net from the drop-down list.

  7. Choose RPZ Incidents from the Quick Filter drop-down list.

  8. Click the Toggle Multi line view link.

    1. The DNS Query for malware.signalorange.net is listed in the messages section, in CEF format.

    2. The name malware.signalorange.net is rewritten to malware.signalorange.net.walledgarden.rpz.

    3. The query has matched a Substitute Domain Name rule in walledgarden.rpz.
