Skip to main content
Skip table of contents

2605 - Limiting Recursion with Named ACLs

Scenario

Your team decided to apply different security policies to your Grid members serving DNS. members will only accept queries originating from internal address space using named ACLs. Please make the necessary configuration changes in the Grid.

Estimate Completion Time

  • 20 to 25 minutes

Credentials

Description

Username

Password

URL or IP

Grid Manager UI

admin

infoblox

https://10.100.0.100/

Requirements

  • Administrative DNS access to the Grid

  • Which networks can perform DNS queries (connect on port 53)

Course References

  • 1006: NIOS DNS Service Overview

  • 2009: Configuring NIOS DNS Services

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Screenshot 2024-05-06 at 3.16.57 PM.png

Tasks

Task 1: Named ACL and Limit Recursion

  • In this task, you will update the Grid DNS settings to protect against two attacks targeted at recursive servers.

    1. Login to the Grid Master IBGM (10.100.0.100):

      1. Navigate to Administration → Named ACLs

      2. Create a new ACL with the name Trusted Networks

      3. Add the two networks 10.100.0.0/24 and 10.200.0.0/24  and the host Jump-Desktop(10.35.22.10) to the list, then Save & Close.

      4. Navigate to Data Managment → DNS

      5. On the Toolbar click on Grid DNS Properties

      6. Select Queries and under the Allow queries from section choose Named ACL

      7. Click Select Nmaed ACL and choose Trusted Networks, then Save & Close

      8. Restart services when prompted.

Task 2: Verifying Recursion Limitations

  • In this task, you will verify that the configuration done in the previous step did work.

    1. On the Jump-Desktop(10.35.22.10):

      1. Open a terminal window

      2. Execute a dig command querying IBNS1 (10.100.0.105) for www.example.com

         dig @10.000.0.105 www.example.com.

        1. What was the response? why?

    2. On the Testing-Linux:

      1. Open a terminal window

      2. Execute the following command:

        sudo set-network-static-nios

        if you get this error message: Failed to reload network settings: No such file or directory, please re-execute the command once more


      3. Execute a dig command querying IBNS1 (10.100.0.105) for www.example.com

         dig @10.000.0.105 www.example.com.

        1. What was the response? why?



Solutions

Task 1: Named ACL and Limit Recursion

  1. Login to the Grid Master IBGM (10.100.0.100):

    1. Navigate to Administration → Named ACLs

    2. Create a new ACL with the name Trusted Networks

    3. Add the two networks 10.100.0.0/24 and 10.200.0.0/24  and the host Jump-Desktop(10.35.22.10) to the list, then Save & Close.



    4. Navigate to Data Managment → DNS

    5. On the Toolbar click on Grid DNS Properties

    6. Select Queries and under the Allow queries from section choose Named ACL

    7. Click Select Nmaed ACL and choose Trusted Networks, then Save & Close



    8. Restart services when prompted.


Task 2: Verifying Recursion Limitations

  • Detailed Analysis:

On the Jump-Desktop(10.35.22.10) our dig query will be responded to normally with the NOERROR response code and an A record, this is because we added the host to the Named ACL we used allowing this host to use the Grid's recursion services, ash shown the figure below:



However, once we move over to Testing-Linux which is after executing the command sudo set-network-static-nios has the IP address outside of the scope of our created Named ACL Trusted Networks, as we can see below:



So when we execute the same dig command on Testing-Linux the response is different, we get the REFUSED response with the warning message recursion requested but not available. Which is as we know is due to the ACL blocking us from using the Grid DNS recursion services.



This can also be verified by the syslog message for ibns1, shown below:

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.