
3534 - Tuning ADP for Authoritative DNS servers in NIOS

This lab requires a lab environment with Advanced DNS Protection capability!
Please ensure that you have deployed the NIOS Lab Environment (with Advanced DNS Protection) before starting.

Scenario

Your organization has recently enabled ADP and set it to be in monitor mode. Your organization is only using ADP for authoritative DNS servers. You are tasked to set a DNS usage baseline and to manage and tune ADP rules and categories to fit your organization’s needs.

Estimate Completion Time

  • 35 to 45 Minutes

Credentials

Description        Username   Password   URL or IP
Grid Manager UI    admin      infoblox   https://10.100.0.100/
NIOS-4 VM          admin      infoblox

Course References

  • 3034: Advanced DNS Protection Tuning in NIOS

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Tasks

  • Task 1: Verifying the lab state

  • Task 2: Setting up the Reporting Server

  • Task 3: Identifying Outliers

  • Task 4: Establishing a Baseline

  • Task 5: Creating a Profile for Tuned Rulesets

  • Task 6: Managing Rule Enabled/Disabled Categories

  • Task 7: Tuning Default Rules in the External - Tuned Profile

  • Task 8: Testing the new Configuration


Task 1: Verifying the lab state

Before starting this lab, you must verify that the Grid member extibns.techblue.net (nios-4) is part of the Grid and has the correct license. When ADP licenses are loaded correctly, they appear as Threat Protection in the user interface.

If the license is missing, load the license file from the jump-desktop file system at Shared Drive/licenses/ADP.lic.

Task 2: Setting up the Reporting Server

Set up the reporting server with the following information:

Configuration       Value
Username            training
Password            infoblox
Protocol            SCP
Host / IP Address   10.100.0.205
Port                22
Path                /home/training/Documents/ReportingData

Task 3: Identifying Outliers

Use the Reporting Server dashboards to identify noisy clients.

The Grid will need 30 to 35 minutes to completely load up and be ready for Tuning.

The ADP server hasn’t been running for long enough, so dashboards such as DNS Daily Peak Hour Query Rate by Member might not be accurate or useful in this instance. However, this is an important dashboard to check in a production system where ADP has been running for several days or weeks.

Task 4: Establishing a Baseline

You need to establish the normal rate of DNS queries per second to be able to tune ADP accordingly. Use the Reporting Server dashboards to do so.

The information you want to gather here is usually found under Hourly Grid-wide QPS, DNS Query Rate by Member, or Daily Peak Hour Query Rate by Member.

Task 5: Creating a Profile for Tuned Rulesets

Create a new ADP profile named External - Tuned. Override the Active Ruleset and select the old 20231220-12 ruleset for the new profile we are creating. Then assign the profile to extibns.techblue.net.

Task 6: Managing Rule Categories

extibns.techblue.net is an authoritative-only DNS server. Certain Rule Categories are not required. Disable the following rule categories:

  • DNS Malware

  • DNS DDoS

  • DNS Tunneling

Task 7: Tuning Default Rules in the External - Tuned Profile

The values used in this task are specific to the lab and do not reflect the values you should use in a production environment.

You will tune three rules to suit your current lab environment; these rules protect against TCP and UDP flood attacks.

  • Tune the rule ID 130000100 (WARN about high rate inbound UDP DNS queries) as follows:

    • Log Severity: Warning

    • Packets per second: 250

    • Enable the rule

  • Tune the rule ID 130000200 (WARN & BLOCK about high rate inbound UDP DNS queries) as follows:

    • Log Severity: Critical

    • Packets per second: 500

    • Enable the rule

  • Tune the rule ID 100000100 (EARLY PASS UDP response traffic) as follows:

    • Log Severity: Critical

    • Packets per second: 15000

Task 8: Testing the new Configuration

You will test the External - Tuned profile, which contains the modified rules.

  • A monitoring tool called bmon is installed on the Support-Server. Use it to monitor the eth2 interface.

  • The queryperf tool is used to send DNS queries to the extibns.techblue.net DNS server at the rate you specify.

  • Test out both 130000100 and 130000200 by setting the query rate in queryperf to 350 at first, then 600.

    • Monitor eth2 interface health using bmon.

    • Use NIOS syslogs and Dashboards to verify your observations.

  • Disable Monitor Mode on NIOS-4 (extibns.techblue.net).

  • Repeat your tests with the same query rates, 350 then 600, and observe the difference in eth2 interface health.

    • Use NIOS syslogs and Dashboards to verify your observations.


Solutions

Task 1 Solution: Verifying the lab state

Verify that extibns.techblue.net has all the required licenses:

  1. Navigate to Grid → Licenses, and check which licenses are applied to extibns.techblue.net.

  2. If ADP licenses are missing, click the + button and add the license file. The license file should be under Shared Drive/licenses/ named ADP.lic. Click Save License(s) to apply the selected file.

  3. Before you continue, make sure ADP licenses are added to the grid on the licenses list.


Task 2 Solution: Setting up the Reporting Server

Navigate to Reporting and click Continue to app setup.

Use the information from this table to set up the reporting server:

Configuration       Value
Username            training
Password            infoblox
Protocol            SCP
Host / IP Address   10.100.0.205
Port                22
Path                /home/training/Documents/ReportingData

Task 3 Solution: Identifying Outliers

In this task, use the Reporting Server dashboards to identify noisy clients. You will observe QPS (queries per second) for the past 1 to 2 hours.

  1. Navigate to Reporting → Dashboards.

  2. Select the DNS Top Clients dashboard and observe that there are four clients with significantly higher numbers of queries than the majority of clients.

The Client IP addresses are 198.51.100.121, 198.51.100.122, 192.88.99.231 and 192.0.2.2. These hosts require further investigation.

The investigation establishes that:

  • Hosts 192.0.2.2 and 192.88.99.231 belong to local companies our organization does business with. The hosts are using NAT, and there are a large number of clients behind those two IP addresses, accessing our services. As a result, we expect these hosts to make a higher-than-average number of queries.

  • Hosts 198.51.100.121 and 198.51.100.122 are the local ISP’s caching servers. They provide services to both home and business broadband users. As a result, they are also expected to make a higher-than-average number of queries.

Task 4 Solution: Establishing a Baseline

In this task, you establish a baseline. You need to establish what the normal rate of DNS queries per second is, to be able to tune ADP accordingly.

  1. Navigate to Reporting → Home Dashboard

  2. Click on the Hourly Grid-wide QPS widget. Alternatively, you can select the DNS Query Rate By Member dashboard using the search bar under the Dashboards tab.

In a production environment, you would use the DNS Daily Peak Hour Query rate by Member dashboard to determine peak values when establishing a baseline, however in the lab environment you do not have enough simulated data to obtain this report.

The graph shows the trend of our DNS queries per second. We are now in a position to say that our normal QPS is approximately 6.5 queries per second.

As this is a lab environment, this is a very low value; Infoblox DNS servers can easily handle thousands of queries per second.

For the purposes of this lab and testing, we will use higher values so you can see what happens when rules are triggered.

If you are unsure how your production ADP-protected DNS appliances should be tuned, we recommend engaging Infoblox Professional Services.
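The two dashboard reads above (top clients in Task 3, grid-wide QPS in Task 4) boil down to counting queries per client and per second over a window. The following Python is an added example written for this page, not an Infoblox tool or the Reporting Server's own logic: it parses a constructed, simplified query log (the line format is an assumption modelled loosely on BIND-style query logging, not NIOS's exact syslog format), flags clients whose volume is far above the per-client median, and computes the window's average QPS both grid-wide and with the known-high clients excluded. The outlier factor of 5× median is an illustrative choice, not an ADP setting.

```python
"""Added example: per-client outlier detection and a QPS baseline from query logs."""
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Simplified query-log line format used by the constructed sample below
# (assumption: loosely BIND-style; NIOS's real log format differs).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["qname"], m["qtype"])


def make_sample_log():
    """Constructed 60-second log: ten quiet clients plus the four busy ones
    named in the Task 3 solution. This is fabricated sample data, not lab output."""
    base = datetime(2024, 1, 6, 10, 0, 0)
    load = {f"203.0.113.{n}": 3 for n in range(10, 20)}  # quiet clients, 3 queries each
    load.update({"198.51.100.121": 90, "198.51.100.122": 80,
                 "192.88.99.231": 60, "192.0.2.2": 40})
    lines = []
    for ip, n in load.items():
        for i in range(n):
            ts = base + timedelta(seconds=i % 60)  # spread across the 60-second window
            lines.append(f"{ts.isoformat()} client {ip}#{40000 + i}: "
                         f"query: host{i}.techblue.net IN A")
    return lines


def client_counts(lines):
    """Queries per client, the figure behind a 'Top Clients' view."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec:
            counts[rec[1]] += 1
    return counts


def window_seconds(lines):
    """Length of the observed window in whole seconds (first to last timestamp, inclusive)."""
    stamps = [rec[0] for rec in map(parse_line, lines) if rec]
    return (max(stamps) - min(stamps)).total_seconds() + 1


def find_outliers(counts, factor=5.0):
    """Clients whose query count exceeds `factor` times the per-client median.
    The factor is an assumed illustrative threshold, not an ADP parameter."""
    median = statistics.median(counts.values())
    return sorted((ip, c) for ip, c in counts.items() if c > factor * median)


def baseline_qps(lines, exclude=()):
    """Average QPS over the window; pass `exclude` to leave out known-high clients
    (NAT gateways, ISP resolvers) that were investigated and explained."""
    counts = client_counts(lines)
    total = sum(c for ip, c in counts.items() if ip not in exclude)
    return total / window_seconds(lines)


if __name__ == "__main__":
    log = make_sample_log()
    noisy = find_outliers(client_counts(log))
    print("outliers:", noisy)
    print("grid-wide QPS:", baseline_qps(log))
    print("QPS excluding outliers:", baseline_qps(log, exclude={ip for ip, _ in noisy}))
```

The grid-wide figure is the one the lab uses for its baseline; the excluded variant is worth keeping alongside it, because a threshold set from a number that includes a handful of explained heavy hitters is noticeably looser than one set from the remaining population.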

Task 5 Solution: Creating a Profile for Tuned Rulesets

In this task, you create an additional ADP profile called External - Tuned, and assign the profile to extibns.techblue.net.

  1. Navigate to Data Management → Security → Profiles.

  2. Click the Add button to create a new profile, use External - Tuned as the name.

  3. Override the Active Ruleset and select the old 20231220-12 ruleset for the new profile we are creating, then Save & Close.

  4. Select the checkbox for the new profile we created, External - Tuned, and click Edit.

  5. Navigate to the Member Assignment tab.

  6. Assign the profile to extibns.techblue.net by clicking + sign on the right-hand side, and click Save & Close.

  7. Do NOT click Publish yet. We will have more changes to make before we publish this change.

Task 6 Solution: Managing Rule Categories

The new External - Tuned profile is used to customize the Threat Protection services provided by extibns.techblue.net. Grid member extibns.techblue.net is an authoritative-only DNS server. Certain Rule Categories are not required, because the server only responds to DNS queries; no DNS traffic is recursed or passed through the server. Disabling categories and rules that aren’t applicable saves the ADP engine from evaluating them against every packet. For this reason, we will be disabling the following rule categories:

  • DNS Malware

  • DNS DDoS

  • DNS Tunneling

In this task, we check the status of each category listed. If the category is enabled, then disable it.

  1. Navigate to Data Management → Security → Profiles. Click on the link to the External - Tuned profile.

  2. Scroll down to the DNS Malware Category. Click the arrow to view the rules in the category. You can see that the rules are enabled.

  3. Click the hamburger icon for DNS Malware category and select the Disable all Rules in Category option.

  4. Click Yes to proceed.

  5. Disable the DNS DDoS and DNS Tunneling categories in the profile by repeating the same steps for each of them. Publish the changes when finished.

Task 7 Solution: Tuning Default Rules in the External - Tuned Profile

The values used in this task are specific to the lab and do not reflect the values you should use in a production environment.

In this task, you will tune three rules (130000100, 130000200, 100000100) to suit your current lab environment. These rules are intended to protect against TCP and UDP flood attacks.

TCP and UDP flood attacks are volumetric attacks that send massive numbers of TCP or UDP packets to consume network bandwidth and server resources.

  1. Navigate to Data Management → Security → Profiles.

  2. Click Show filter, choose Rule ID as the filter, equals as the operator, and the rule ID 130000100 in the last field, then click Apply.

  3. Check the Rule and click Edit.

  4. Select the Settings tab and click Override.

  5. Change the Log Severity level to Warning.

  6. Change the Packets per Second value to 250 and Click Save & Close.

  7. Click the hamburger icon next to the rule and select Disable; this will toggle the disable option on.

Now, repeat the steps above to modify Rule ID 130000200, but use the settings listed in Task 7 above. The setting steps follow:

  1. Change the Log Severity to Critical.

  2. Change the Packets per second value to 500.

  3. Click the hamburger icon next to the rule and select Disable to enable the rule.

Again, repeat the steps above to modify Rule ID 100000100, using the settings listed in Task 7 above. The setting steps follow:

  1. Change the Log Severity to Critical.

  2. Change the Packets per second value to 15000.

  3. This rule should already be enabled.

  4. Publish the changes when you’re done.

Task 8 Solution: Testing the new Configuration

In this task, you test the External - Tuned profile, which contains the modified rules.

A monitoring tool called bmon is installed on the support-server. The bmon tool is used to monitor traffic on the 203.0.113.0 network. The extibns.techblue.net Grid member receives DNS queries on this network.

The queryperf tool is used to send DNS queries to the extibns.techblue.net DNS server at the rate you specify.

To start testing, log in to the Support-Server VM (training/infoblox).

  1. Open a terminal and run the bmon tool. Expand the terminal window to see the colored chart below.

  2. Press the down arrow key on your keyboard to select the eth2 interface.

  3. This indicates you are monitoring traffic on the eth2 interface. This interface is connected to the 203.0.113.0 network.

  4. Open another terminal window.

  5. Type the command queryperf.

  6. Enter a QPS value of 350.

  7. The value should be between the QPS setting for Rule ID 130000100 (250), and the QPS setting for Rule ID 130000200 (500).

  8. The bmon window should show the spike of RX (received) traffic.

  9. On the Infoblox NIOS UI, you should also be able to see syslog WARN alerts, indicating that 203.0.113.254 is sending too many UDP packets. It could be a volumetric attack. Rule 130000100 is triggered.

  10. Run the queryperf command again.

  11. Enter a value of 600 QPS. The value should be larger than the QPS setting for Rule ID 130000200 (500).

  12. This time you should see syslog DROP alerts indicating that 203.0.113.254 is sending too many UDP packets. Rule 130000200 is triggered. As we are still in monitor-mode, the packets won’t actually be dropped. You will see both rules (130000100 and 130000200) triggered in syslog.

We will now disable monitor-mode.

  1. Login to NIOS-4 VM (admin/infoblox)

  2. Issue the set adp monitor-mode off command.

  3. Issue the show adp monitor-mode command. You should see that monitor mode is enabled, but the Threat Protection service is disabled.

  4. We will repeat the same test using queryperf.

  5. Set the query rate to 350. We will still see Threat Protection warnings.

  6. Set the rate to 600, which is higher than the threshold for the 130000200 rule. Packets will start to drop. The bmon window will start to show RX (receive) traffic spikes, then drop for 5 seconds, spike again until the queryperf tool completes.

  7. Syslog will also show the packets are now dropped. The action value is changed to DROP.

  8. We can also see that 203.0.113.254 is one of the Top 10 clients, under the Threat Protection Status for Grid widget.
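The Task 7 thresholds and the Task 8 observations fit together as a small layered-threshold model: 350 qps clears the 250 pps WARN rule but not the 500 pps WARN & BLOCK rule, 600 qps clears both, and monitor mode turns the block into a log-only event. The Python below is an added example written for this page, not Infoblox's ADP engine or any code from the lab; it models only the two inbound-UDP rules (130000100 and 130000200) with the lab values, and the drop behaviour (in enforce mode a triggered DROP rule discards that second's packets and silences the client for a further five seconds) is an assumption chosen to match the 5-second gap the bmon chart shows, not ADP's documented algorithm. Rule 100000100 (EARLY PASS UDP response traffic) is not modelled.

```python
"""Added example: a simplified model of the two tuned inbound-UDP rate rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RateRule:
    rule_id: int
    name: str
    pps_threshold: int   # "Packets per second" setting from Task 7
    severity: str        # "Log Severity" setting from Task 7
    action: str          # WARN = log only; DROP = log and discard
    enabled: bool = True


# Lab values from Task 7 (explicitly not production values).
LAB_RULES = (
    RateRule(130000100, "WARN about high rate inbound UDP DNS queries", 250, "Warning", "WARN"),
    RateRule(130000200, "WARN & BLOCK about high rate inbound UDP DNS queries", 500, "Critical", "DROP"),
)


def simulate(counts_per_second, rules=LAB_RULES, monitor_mode=True, drop_interval=5):
    """Walk one client's per-second packet counts and apply the rate rules.

    Model (assumed for illustration, not ADP's real engine): each second is judged
    on its own; every enabled rule whose threshold is exceeded writes a log event;
    in monitor mode a DROP rule is logged but nothing is discarded; in enforce mode
    a DROP rule discards that second's packets and keeps dropping the client for
    `drop_interval` further seconds before re-evaluating."""
    blocked_until = 0
    timeline = []
    for sec, count in enumerate(counts_per_second):
        entry = {"second": sec, "received": count, "passed": count, "dropped": 0, "logged": []}
        if sec < blocked_until:
            entry["passed"], entry["dropped"] = 0, count   # still inside the drop interval
        else:
            for rule in sorted(rules, key=lambda r: r.pps_threshold):
                if not rule.enabled or count <= rule.pps_threshold:
                    continue
                entry["logged"].append((rule.rule_id, rule.severity, rule.action))
                if rule.action == "DROP" and not monitor_mode:
                    entry["passed"], entry["dropped"] = 0, count
                    blocked_until = sec + 1 + drop_interval
        timeline.append(entry)
    return timeline


def summarize(timeline):
    """Totals to compare against what bmon (RX volume) and syslog (rule hits) show."""
    return {
        "passed": sum(e["passed"] for e in timeline),
        "dropped": sum(e["dropped"] for e in timeline),
        "rules_logged": sorted({rid for e in timeline for rid, _, _ in e["logged"]}),
        "drop_seconds": [e["second"] for e in timeline if e["dropped"]],
    }


def queryperf_like(qps, seconds=10):
    """Constructed steady-rate load from one client, standing in for the queryperf run."""
    return [qps] * seconds


if __name__ == "__main__":
    for qps in (350, 600):
        for monitor in (True, False):
            result = summarize(simulate(queryperf_like(qps), monitor_mode=monitor))
            print(f"{qps} qps, monitor_mode={monitor}: {result}")
```

Running it reproduces the lab's four observations in order: 350 qps logs only 130000100 in either mode and nothing is dropped; 600 qps in monitor mode logs both rules with nothing dropped; 600 qps with monitor mode off logs both rules and the client's traffic is dropped in bursts, which is the on/off RX pattern bmon displays.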
