Blocking public DoH servers with NIOS
This section of the guide covers how to block public DoH servers with NIOS. Doing so requires configuring a distribution server in BloxOne, adding the NIOS members that will retrieve the feeds to BloxOne, and creating an RPZ feed in NIOS for each public DoH feed.
Alternatively, if you have the appropriate BloxOne licenses, you can block public DoH servers with the DNS Forwarding Proxy and a BloxOne Security Policy that includes the Public_DOH and Public_DOH_IP feeds. A guide on how to configure the DNS Forwarding Proxy can be viewed here.
License and Configuration Requirements
To deploy remote RPZ feeds, you will need a Grid member with at least a DNS and an RPZ license.
To obtain the feeds, the member needs access to the Infoblox Threat Intelligence Feed (distribution) servers on port 53 over both UDP and TCP: the feed data is delivered as a DNS zone transfer (AXFR/IXFR, which runs over TCP), and the SOA refresh checks that precede each transfer are sent over UDP. The member must also be able to perform recursion: RPZ acts on the responses the member obtains from the Internet, so a member that cannot recurse has nothing to apply the policy to.
To review log hits, enable the RPZ logging category at the member or Grid level (Grid settings → toggle Advanced → Logging → check RPZ).
Configuring NIOS to download the DoH feed
Navigate to Policies → On-Prem DNS Firewall to configure the On-Prem DNS Firewall service. Complete the four-step process to configure your On-Prem DNS Firewall settings. Please note, downloading the Infoblox Threat Intelligence Feed Deployment Guide is Step 1 of the process. Once you have reviewed the guide, please proceed to Step 2 to begin the configuration process.
Click Download Deployment Guide. Read through the guide thoroughly before proceeding to the next step where you will configure your NIOS feeds.
Feed Configuration
Click Feed Configuration Values to configure the NIOS feed values with the feed addresses provided for your subscription. Copy these values to a text editor, as you will need them later for the NIOS configuration. Please note that the record count associated with a feed is published along with the feed’s description. Once completed, click Close and proceed to Step 3.
Distribution Server Configuration Values
Click Distribution Server Configuration Values to configure your distribution servers. Both IPv4 and IPv6 addresses may be used to serve your feeds, depending on your specific requirements. The supported TSIG key algorithms are HMAC MD5 (512-bit key) and HMAC 256, i.e. HMAC-SHA256 (256-bit key); prefer HMAC 256. Note that TSIG authenticates and integrity-protects the zone transfer, it does not encrypt it: the feed contents travel in clear, but a server or client without the key cannot forge or alter the transfer undetected. Please be aware that it may take up to one hour before newly created TSIG keys become active.
To set up how your feeds are distributed, complete the following steps:
On the Distribution Server Details screen, for BLOXONE HITS RPZ FEED, toggle the switch to Enable to add a custom RPZ feed to the feed distribution. When enabling the custom RPZ feed, specify the maximum number of indicators the custom RPZ feed will return and an expiration date for the indicators.
Select either the IPv4 or the IPv6 address for both the US West and the East distribution servers.
Copy and save your selected IP addresses. You will need them later when configuring NIOS.
Select a TSIG key algorithm from the drop-down menu. The choices are HMAC MD5 512-bit and HMAC 256 256-bit (HMAC-SHA256, the better choice). Once you have made your selection, click Generate to generate a new TSIG key.
Copy and save the Key Name and TSIG Key. Treat the key like a password: it is what authenticates your members to the distribution servers.
Once completed, click Close and proceed to Step 4.
Configuring Threat Feed Retrieval Members
Click Configure Members to configure your list of threat retrieval members. You can add and remove members as suits your needs. To add a threat retrieval member, complete the following steps:
Click Add. A new row will populate at the bottom of the list.
Select the new row by selecting the box next to it.
In the NAME field, add a name for the member you are adding.
In the IP ADDRESS field, add the IP address of the new member. This must be the address from which the member contacts the distribution servers, so if the member sits behind NAT, enter the public address the distribution servers will see.
Once you have finished adding members, you can remove any members you will not be using.
To remove a threat retrieval member, complete the following steps:
Select the configured member you want to remove by selecting the box next to it.
Click Remove.
Once you have configured your threat retrieval members, click Save & Close.
This completes the Cloud Services Portal, On-Prem DNS Firewall portion for the setup and configuration of Infoblox Threat Intelligence feeds. Please proceed to the next page to configure NIOS.
Adding RPZ Feeds to NIOS
In NIOS, navigate to Data Management → DNS → Response Policy Zones and press the + button, or use “Add” in the sidebar.
Select ‘Add a Response Policy Zone Feed’ then press Next.
Add the feed you want to use. For DoH, choose Public_DOH and Public_DOH_IP.
Note that each feed is a subset of the data (names in Public_DOH, addresses in Public_DOH_IP), so both feeds must be deployed to cover all bases. You will have to repeat these steps for each RPZ.
Leave Policy override on “None (Given)” for now, so that the action carried by the feed itself is applied. For the other policy override settings, please refer to the Admin Guide.
Modify logging Severity if needed
Press next
Add the External Primary
Use the drop-down next to the “+” sign to select External Primary
Define the External Primary’s settings
Refer to the portal for the values from your account. Select the nearest distribution server and enter the IP address, TSIG key name, key and algorithm you copied from CSP during feed configuration. Note that the name field is only for reference purposes and you can use any name you choose.
Add a Grid Secondary
Use “Select” to select which member(s) you want to add or use “All recursive servers” if you want to add all recursive nodes with an RPZ license.
Note that you can designate a single secondary as the “Lead secondary.” If you do, that member is the only one that reaches out to the external primary, and the feed is redistributed internally to your other members through zone transfers. Only the lead secondary then needs reachability to the distribution servers.
Press Add
Press Save & Close and restart services as required (use the banner at the top).
Give the services about 5 minutes to fetch the zone. If you refresh the GUI, the Last Updated value shows when the last transfer succeeded.
Testing the Configuration
Navigate to the Data Management → DNS → Response Policy Zones.
Find the Public_DOH or Public_DOH_IP feed.
Click on one of the feeds to export to a .csv file.
Pick an entry from the .csv file.
Run nslookup or dig against the member for that name. For an entry from Public_DOH_IP, query a name that resolves to the listed address rather than the address itself: IP rules in an RPZ match the addresses returned in a response, not the query name.
Check the syslog for security hits. You should see a CEF entry for the domain(s) you tested. You can also refer to the security dashboard, which graphs results for the last 30 minutes of traffic.
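The two checks in the steps above (what the member answers, and whether a CEF hit appears in syslog) can be scripted. The following is an added example and is not part of this guide or of NIOS. It assumes dig is installed on the test host and that the RPZ logging category is enabled on the member; the syslog extract embedded in it is a constructed sample with invented addresses, host name, version and message text, and only the generic CEF layout (a pipe-separated header followed by key=value extensions) is relied on, so compare the signature and name fields with what your own member logs.

```sh
#!/bin/sh
# Added example (not from the Infoblox guide): query a NIOS member for a name
# taken from the Public_DOH export, classify the RPZ outcome from dig's header,
# and pull the matching CEF hit out of a syslog extract.
# Assumptions: dig is installed; RPZ logging is enabled on the member; the
# syslog sample below is constructed for this example and only the generic CEF
# layout (pipe-separated header, then key=value extensions) is relied on.

# Query MEMBER for QNAME and report what the RPZ did with it. Prints one of:
#   NXDOMAIN   - "Block (No such domain)" style action
#   NODATA     - "Block (No data)": NOERROR with an empty answer section
#   ANSWERED   - an answer came back: passthru or a substituted record
#   NORESPONSE - nothing parseable came back (timeout, wrong member address, no dig)
rpz_probe() {
    member="$1"; qname="$2"
    out=$(dig @"$member" "$qname" A +noall +comments +answer +time=3 +tries=1 2>&1) || true
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NXDOMAIN) echo NXDOMAIN ;;
        NOERROR)  if [ "${answers:-0}" -eq 0 ]; then echo NODATA; else echo ANSWERED; fi ;;
        "")       echo NORESPONSE ;;
        *)        echo "$status" ;;
    esac
}

# Select the NIOS RPZ CEF lines that mention QNAME from syslog text on stdin.
cef_hits() {
    grep -F 'CEF:0|Infoblox|NIOS|' | grep -F -- "$1"
}

# CEF header fields: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
# Print "SignatureID Name" for one line; for an RPZ hit that is the rule type and action.
cef_action() {
    printf '%s\n' "$1" | awk -F'|' '{ print $5, $6 }'
}

# Constructed sample syslog extract (host, addresses, version and msg text are invented).
SAMPLE_SYSLOG='Jan  1 12:00:00 nios-member named[1234]: CEF:0|Infoblox|NIOS|8.6.0|RPZ-QNAME|NXDOMAIN|7|app=DNS dst=10.0.0.53 src=10.0.5.21 spt=51234 qtype=A msg=rpz QNAME NXDOMAIN rewrite doh.example.test via doh.example.test.public_doh
Jan  1 12:00:01 nios-member named[1234]: client 10.0.5.22#4100: query: www.example.test IN A + (10.0.0.53)'

# Usage: rpz_test MEMBER QNAME SYSLOGFILE   (run after the RPZ logging category is enabled)
rpz_test() {
    echo "RPZ verdict for $2: $(rpz_probe "$1" "$2")"
    hits=$(cef_hits "$2" < "$3")
    if [ -z "$hits" ]; then
        echo "no CEF entry for $2 yet: check the RPZ logging category and give syslog a moment"
        return 1
    fi
    printf '%s\n' "$hits" | while IFS= read -r line; do
        echo "logged: $(cef_action "$line")"
    done
}

if [ "$#" -eq 3 ]; then
    rpz_test "$@"
fi
```

A NODATA verdict for a name that should be blocked outright usually means the feed's policy override is set differently from what you expected; an ANSWERED verdict for a listed name means the member either is not loading the zone yet (check Last Updated) or the query went to a member that is not a secondary for the feed.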
Troubleshooting
If a member is not receiving a feed from our servers, verify the following:
You used the correct feed name
The member's time is set correctly (use NTP; TSIG signatures carry a timestamp and are rejected if the clocks differ by more than a few minutes)
You used the right key name, TSIG key, and algorithm
For further troubleshooting, check the syslog of your (lead) secondary for messages that include “transfer.”
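Every item on the checklist above, and the distribution server values copied in Step 3, can be verified without NIOS: pull one feed zone directly with dig, authenticated with the CSP-generated TSIG key, from any host that reaches the distribution server on 53/tcp. The script below is an added example and is not part of this guide or of Infoblox's tooling. The server address, feed zone name and key values are placeholders, and the phrases it matches in dig's output are the ones BIND 9's dig prints for transfer and TSIG failures, which is an assumption about wording: adjust them if your dig version phrases them differently.

```sh
#!/bin/sh
# Added example (not from the Infoblox guide): transfer one feed zone straight
# from a distribution server with dig and the CSP-generated TSIG key, then map
# the outcome onto the troubleshooting checklist (feed name, time, key).
# Assumptions: BIND's dig is installed; 53/tcp to the distribution server is
# open; the wording matched below is what BIND 9 dig prints and may differ
# between versions. Server, zone and key values are placeholders.

# Map the CSP algorithm label to the name dig's -y option expects.
tsig_alg() {
    case "$1" in
        "HMAC MD5 512-bit"|hmac-md5)    echo hmac-md5 ;;
        "HMAC 256 256-bit"|hmac-sha256) echo hmac-sha256 ;;
        *) echo "unsupported TSIG algorithm label: $1" >&2; return 1 ;;
    esac
}

# Classify dig's AXFR output. Prints one of:
#   OK BADTIME BADSIG BADKEY REFUSED UNREACHABLE FAILED
# Order matters: the TSIG-specific phrases are tested before the generic ones.
classify_xfr() {
    out="$1"
    if   printf '%s\n' "$out" | grep -q 'XFR size:'; then echo OK
    elif printf '%s\n' "$out" | grep -qiE 'BADTIME|clock skew'; then echo BADTIME
    elif printf '%s\n' "$out" | grep -qiE 'BADSIG|tsig verify failure'; then echo BADSIG
    elif printf '%s\n' "$out" | grep -qiE 'BADKEY|tsig indicates error|unknown key'; then echo BADKEY
    elif printf '%s\n' "$out" | grep -qE 'REFUSED|NOTAUTH'; then echo REFUSED
    elif printf '%s\n' "$out" | grep -qiE 'timed out|connection refused|no servers could be reached'; then echo UNREACHABLE
    else echo FAILED
    fi
}

# Which checklist item each verdict points at.
xfr_hint() {
    case "$1" in
        OK)          echo "transfer succeeded; the same values will work as the NIOS External Primary" ;;
        BADTIME)     echo "clock skew: TSIG tolerates only a few minutes of drift, make sure the host uses NTP" ;;
        BADSIG)      echo "TSIG secret does not match the key name: re-copy the key from CSP" ;;
        BADKEY)      echo "key name or algorithm not known to the server: check both, and allow up to an hour after generating a key" ;;
        REFUSED)     echo "server will not serve the zone: check the feed name and that the address this host uses is in the threat retrieval member list" ;;
        UNREACHABLE) echo "no answer: check 53/tcp reachability to the distribution server" ;;
        *)           echo "transfer failed for another reason: inspect the full dig output" ;;
    esac
}

# Run the transfer and report. Usage: feed_xfr_check SERVER ZONE ALG_LABEL KEYNAME SECRET
feed_xfr_check() {
    alg=$(tsig_alg "$3") || return 1
    out=$(dig -y "$alg:$4:$5" @"$1" "$2" AXFR +time=10 +tries=1 2>&1) || true
    verdict=$(classify_xfr "$out")
    echo "$verdict: $(xfr_hint "$verdict")"
    [ "$verdict" = OK ]
}

# Invoke with the values copied from CSP, e.g.:
#   ./feedcheck.sh 192.0.2.10 public_doh.example "HMAC 256 256-bit" keyname base64secret
if [ "$#" -eq 5 ]; then
    feed_xfr_check "$@"
fi
```

Run it from the NIOS member's own network path if you can, because a REFUSED verdict from a host with a different public address tells you nothing about the member's own retrieval configuration. A successful transfer also shows you the record count, which you can compare with the count published next to the feed description in Step 2.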