There are many articles about how to configure RPZ in BIND, but we are primarily interested in how to do this on Infoblox using the DNS Firewall feature. Unfortunately the Infoblox admin guide is not particularly clear about how to implement it, hence the reason for this article!

First make sure you have an RPZ license installed on every Infoblox member that is going to be rewriting the queries. You can use the "set temp_license" command from the command line and select option 13 to get a 60 day license if you want to try it.

We are going to run through an example using some Infoblox systems in our lab. The first thing to do is define the RPZ zone: click on Data Management->DNS->Response Policy Zone and click the "+" button. This initiates the Add Response Policy Zone Wizard.

Infoblox DNS Firewall has the ability to take a feed of suspicious domains and block them for security purposes, but in this example we are not going to use that feature; we just need to add a local response policy zone, so for step 1 of the wizard we select "Add Local Response Policy Zone".

For step 2 of the wizard we give the RPZ a name that identifies the zone as a local one. The name does have to comply with DNS naming conventions, as it forms part of the FQDN that DNS uses to load the zone; just think of it as a zone file containing various entries, like any other zone. So in our example we call it "rpz.local". We are not going to do anything with the queries at this level, so we set Policy Override to None. The severity is used for logging (it is the level used by syslog), so we set this to "Informational" as the log entries are not critical in our opinion.

In step 3 we identify the name servers that are going to host the RPZ. In our example we have a primary name server and two secondary name servers that are configured in a default name server group to use grid replication. This is perfectly normal and may echo what you use to replicate your internal DNS zones. However, this is where the Infoblox documentation is not very clear. Steps 4 and 5 of the wizard can be skipped, so if we just use our default name server group and select "Save & Close", we get an error. What is happening is that the RPZ is being configured to use grid replication, but RPZ does not support it.

It makes sense when you think about it: RPZ would normally be used to obtain a feed of malicious domains from the Infoblox threatstop service, and it does this using the standard DNS zone transfer mechanism (because threatstop is used by many people, not just Infoblox customers). So RPZ by its very nature uses standard zone transfers rather than the proprietary grid replication mechanism that Infoblox supports. Whether you modify your existing name server group to use standard zone transfers is up to you, but I prefer to create a second name server group and use that for the RPZ. This is so that any changes do not affect any other zones hosted on the servers.
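To make the "zone file containing various entries" idea concrete, here is an added example (not code from this article or from Infoblox) that parses a small, constructed rpz.local zone written in ordinary zone-file form and applies its rules to query names the way an RPZ-enabled resolver does. The action encoding (CNAME to `.`, `*.`, `rpz-passthru.` or `rpz-drop.`, or an A record for local data) follows the RPZ specification that BIND and Infoblox DNS Firewall both implement; the `policy_override` parameter mirrors the wizard's Policy Override setting; the rule names and addresses are made up for illustration.

```python
"""Evaluate query names against a local RPZ written as an ordinary zone file.

Added example, not the article's or Infoblox's code. rpz.local is the zone
name used in the article; every rule below is constructed for illustration.
"""
import ipaddress

RPZ_ZONE = "rpz.local"

# Constructed sample data for rpz.local: owner, type, rdata.
# The owner minus the zone suffix is the query name the rule triggers on.
# The rdata encodes the action, as in the RPZ specification:
#   CNAME .              -> NXDOMAIN      CNAME *.         -> NODATA
#   CNAME rpz-passthru.  -> PASSTHRU      CNAME rpz-drop.  -> DROP
#   A/AAAA (or any other CNAME target)   -> local data, a substituted answer
SAMPLE_RPZ_RECORDS = """\
; constructed example rules for the local RPZ
malware.example.rpz.local.          CNAME .
*.malware.example.rpz.local.        CNAME .
allowed.malware.example.rpz.local.  CNAME rpz-passthru.
tracker.example.rpz.local.          CNAME *.
dropme.example.rpz.local.           CNAME rpz-drop.
sinkhole.example.rpz.local.         A     192.0.2.1
"""

SPECIAL_CNAMES = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
}


def parse_rpz(text, zone=RPZ_ZONE):
    """Parse zone-file lines into {trigger: (action, data)}.

    trigger is the lower-cased owner name with the RPZ suffix removed, so the
    rule for malware.example.rpz.local. is keyed as 'malware.example'.
    """
    rules = {}
    suffix = "." + zone.strip(".") + "."
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed rule: {line!r}")
        owner, rtype, rdata = fields[0], fields[1].upper(), fields[2]
        if not owner.lower().endswith(suffix):
            raise ValueError(f"{owner} is not inside {zone}")
        trigger = owner[: -len(suffix)].lower()
        if rtype == "CNAME":
            action = SPECIAL_CNAMES.get(rdata, "LOCALDATA")
            rules[trigger] = (action, rdata if action == "LOCALDATA" else None)
        elif rtype in ("A", "AAAA"):
            ipaddress.ip_address(rdata)  # reject garbage before it is loaded
            rules[trigger] = ("LOCALDATA", rdata)
        else:
            raise ValueError(f"unsupported rule type {rtype} for {owner}")
    return rules


def lookup(rules, qname, policy_override=None):
    """Return the (action, data) applied to qname, or None if no rule matches.

    Matching is the QNAME trigger: an exact owner first, then the most specific
    '*.parent' wildcard rule. policy_override mirrors the wizard's Policy
    Override setting: None (GIVEN in Infoblox terms) keeps each rule's own
    action; any other value is forced onto every matching rule in the zone,
    and DISABLED means the match is only logged and the query answered normally.
    """
    name = qname.strip(".").lower()
    hit = rules.get(name)
    if hit is None:
        labels = name.split(".")
        for i in range(1, len(labels)):
            hit = rules.get("*." + ".".join(labels[i:]))
            if hit is not None:
                break
    if hit is None:
        return None
    if policy_override in (None, "GIVEN"):
        return hit
    if policy_override == "DISABLED":
        return ("DISABLED", None)
    return (policy_override, None)


if __name__ == "__main__":
    rules = parse_rpz(SAMPLE_RPZ_RECORDS)
    for q in ("malware.example", "www.malware.example", "allowed.malware.example",
              "tracker.example", "sinkhole.example", "clean.example"):
        print(f"{q:28} -> {lookup(rules, q)}")
```

The override parameter is the reason the article leaves Policy Override at None: anything else replaces the action of every rule in the zone, including passthru entries, so the individual records stop mattering.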