Infoblox introduces the Infoblox Threat Intelligence Feed, a threat feed subscription that delivers RPZ updates offering protection against malicious hostnames. Contact your Infoblox representative for pricing and availability information.
For information about the older RPZ feeds, refer to the earlier NIOS Administrator Guides.
You can configure the Threat Intelligence Feed and receive reputation RPZ updates on a regular basis. An RPZ feed receives response policies from the Infoblox in-house threat intelligence team, which produces reputation RPZ data and transfers it to Grid name servers through zone transfers, with or without a TSIG key. Using a TSIG key is recommended: it authenticates the feed server as the source of the transfer and lets the Grid detect any modification of the zone data in transit.

...

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then click the Add icon.
  2. Depending on your DNS view configuration, either the Add Response Policy Zone Wizard or the Add DNS View wizard is displayed:
    • If you have only the default DNS view and have not created additional views, the Add Response Policy Zone Wizard is displayed.
    • If you have configured multiple DNS views, drill down to the DNS view that should receive the RPZ feed, then click the Add icon; the Add Response Policy Zone Wizard is displayed. To create a new DNS view for your RPZ feed instead, click the Add icon and complete the details in the Add DNS View wizard. For information about adding and modifying a DNS view, see Configuration Example: Configuring a DNS View.
  3. In the Add Response Policy Zone Wizard, select Add Response Policy Zone Feed, click Next, and specify the following:
    • Name: Enter the name of the Infoblox RPZ feed. It can be a combination of alphanumeric characters. You can enter up to 256 characters. For more information, see Infoblox Threat Intelligence Feeds below.
    • DNS View: The name of the view that you have selected is displayed by default. You can select a view from the drop-down list to associate it with the RPZ feed.
    • Policy Override: Select a value from the drop-down list. This overrides the policy actions specified at the rule level for every rule in the feed.
      • Log Only (Disabled) – Select this to log matches against the rules in this RPZ without rewriting any response. If the response to a recursive query matches an RPZ rule, the match is logged, but the response is returned to the client unaltered. Note that this option does not override rules in other RPZ zones that take precedence.

      Note that when you select the Log Only option, the RPZ-related reports are not updated, even though the information is logged to the syslog.

      • None (Given) – Select this to use the policy action specified at the rule level.
      • Block (No Data) – Select this if you want the user to receive a response that indicates that there is no data.
      • Block (No Such Domain) – Select this if you want the user to receive NXDOMAIN as the DNS response. All the policy actions in the RPZ are replaced with an NXDOMAIN block.
      • Passthru – Select this if you want the user to see the actual response without modification. All the policy actions in the RPZ are replaced with the passthru action.
      • Substitute (Domain Name) – Select this to replace all the policy actions in the RPZ with the substitution action that is specified.
        • Domain Name: This appears only when you select Substitute (Domain Name) from the Policy Override list. Enter the domain name that you want the client to receive instead of the actual domain name, which is malicious or unauthorized.
    • Severity: Select the threat severity level for the RPZ zone. The threat severity you select here determines the severity for the RPZ rule. Select Critical, Major, Warning, or Informational. The default threat severity level is Major. Note that each of these levels is represented by a number in the syslog (8 being Critical and 4 being Informational). When you upgrade to NIOS 7.0.0, the appliance automatically updates the threat severity level to Informational (displayed as 4 in the syslog) for existing RPZ zones. For information about viewing RPZ in the syslog and severity levels, see Verifying RPZ Configuration.
    • Comment: Optionally, enter additional information about the Infoblox RPZ feed.
    • Disable: Select the checkbox to disable the RPZ feed without deleting its configuration. Clear the checkbox to enable the RPZ feed. For information, see Enabling and Disabling Zones. Note that disabling an RPZ feed may take a longer time to complete depending on the size of the data.
    • Lock: Select the checkbox to lock the RPZ feed so that you can make changes to it and prevent others from making conflicting changes. For information about Locking and Unlocking RPZs, see Managing RPZs.
  4. Click Next to associate the RPZ feed with at least one external primary name server and a secondary name server:
    • Define name servers for the RPZ feed. An RPZ feed must have at least one RPZ source as an external primary name server and at least one Grid secondary name server. For external primary servers, specify the following:
      • Name: Enter the name of the external primary name server.
      • Address: Enter the name server IP address provided by Infoblox for the RPZ feed.
      • Use TSIG: Select the checkbox to specify TSIG settings.
      • Key Name: Enter the TSIG key name provided by Infoblox.
      • Key Algorithm: Select hmac-md5.
      • Key Data: Enter the TSIG key string provided by Infoblox. The key name, algorithm, and key data must match the values Infoblox provisioned for the feed exactly; if any of them differs, the feed server rejects the zone transfer with a TSIG error and the Grid secondary receives no data.
        Note that either the Grid name server or the DNS view must be recursive for the RPZ feed. You can associate a lead secondary with an RPZ feed. For information on specifying primary and secondary servers, see Assigning Zone Authority to Name Servers. When you select All Recursive Name Servers from the list, all recursive name servers in the Grid are added as secondary servers for the zone. For information about configuring a local RPZ, an RPZ feed, or a FireEye RPZ for all recursive servers, see Configuring RPZs for All Recursive Servers. For information on specifying name server groups, see Using Name Server Groups.
  5. Save the configuration and click Next to define extensible attributes. Click Restart if it appears at the top of the screen. For information, see Managing Extensible Attributes.
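The TSIG check that step 4 configures, shown as an added example that is not Infoblox's code: a stand-alone Python implementation of RFC 8945 signing and verification for an AXFR request with hmac-md5, using only the standard library. The feed zone name rpz.feed.example., the key name infoblox-feed-key., and the base64 key data are constructed placeholders; the real values come from Infoblox. It shows what the feed server and the Grid secondary actually check on each transfer: the key name must be on the key ring (otherwise BADKEY), the MAC must cover the entire message so that any modification in transit is rejected (BADSIG), and the time signed must fall within the fudge window (BADTIME), which is why clock skew between the Grid and the feed server also breaks the feed.

```python
"""TSIG (RFC 8945) signing and verification of an AXFR request, hmac-md5 only.
Added example using the Python standard library; not Infoblox code."""
import base64
import hashlib
import hmac
import struct
import time

TSIG_TYPE, CLASS_ANY, QTYPE_AXFR, CLASS_IN = 250, 255, 252, 1
HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int."   # wire algorithm name for "hmac-md5"

# Constructed placeholders: the real zone name, key name and key data come from Infoblox.
FEED_ZONE = "rpz.feed.example."
KEY_NAME = "infoblox-feed-key."
KEY_DATA = base64.b64decode("c2VjcmV0MDE=")   # the "Key Data" field holds a base64 secret
KEYRING = {KEY_NAME: KEY_DATA}                  # key names the receiving server accepts


def encode_name(name):
    """Dotted name -> uncompressed wire format, lowercased as TSIG canonical form requires."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.lower().rstrip(".").split(".") if l)
    return wire + b"\x00"


def read_name(msg, off):
    """Decode a wire-format name at msg[off:]; returns (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:          # compression pointer: follow it, remember where we were
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (off if end is None else end)


def make_axfr_query(zone, msg_id):
    """Unsigned AXFR request: 12-byte header with one question, no other records."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The TSIG variables appended to the message when the MAC is computed (RFC 8945 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(HMAC_MD5_ALG)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_message(msg, key_name, key, time_signed=None, fudge=300):
    """Append a TSIG RR to an unsigned DNS message and increment ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(key, msg + tsig_variables(key_name, time_signed, fudge), hashlib.md5).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(HMAC_MD5_ALG) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", original_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def verify_message(signed, keyring, now=None):
    """Validate the TSIG on a received message.

    Returns (True, key_name), or (False, reason) with reason UNSIGNED (no TSIG present),
    FORMERR (last record is not TSIG), BADKEY, BADSIG or BADTIME as in RFC 8945.
    """
    now = int(time.time()) if now is None else now
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", signed[4:12])
    if arcount == 0:
        return False, "UNSIGNED"
    off = 12                                   # walk to the last record, which must be the TSIG
    for _ in range(qdcount):
        off = read_name(signed, off)[1] + 4
    for _ in range(ancount + nscount + arcount - 1):
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_off = off
    key_name, off = read_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        return False, "FORMERR"
    alg, off = read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    key = keyring.get(key_name)
    if key is None or alg != HMAC_MD5_ALG:     # unknown key name or algorithm
        return False, "BADKEY"
    # Rebuild exactly what the signer MACed: original ID, ARCOUNT without the TSIG, TSIG RR removed.
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", arcount - 1) + signed[12:tsig_off]
    expected = hmac.new(key, unsigned + tsig_variables(key_name, time_signed, fudge, error, other), hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time compare; any changed byte lands here
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:          # checked only after the MAC is known good
        return False, "BADTIME"
    return True, key_name


if __name__ == "__main__":
    signed_query = sign_message(make_axfr_query(FEED_ZONE, 0x1234), KEY_NAME, KEY_DATA)
    print("correct key:", verify_message(signed_query, KEYRING))
    print("wrong key:  ", verify_message(signed_query, {KEY_NAME: b"wrong-key"}))
```

On a real Grid the external equivalent of this check is dig's `-y` option: `dig -y hmac-md5:<key name>:<key data> @<feed address> <feed name> AXFR` should return the feed's records; a TSIG error in the response means the key name, algorithm, or key data entered in step 4 does not match what Infoblox provisioned.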

...