About Blacklists

Your organization can prevent customers or employees from accessing certain Internet resources, particularly web sites, by prohibiting a recursive DNS member from resolving queries for domain names that you specify.
You can create blacklist rules that specify how a DNS member responds to recursive queries for data for which it is not authoritative. Each rule specifies a domain name and the action of the DNS member when the domain name in the query matches that in the rule. Instead of resolving the query, the DNS member can redirect the DNS client to predefined IP addresses or return a REFUSED response code indicating that resolution is not performed because of local policy.
When the DNS member receives a query for data for which it is not authoritative, it first tries to match the domain name in the query with a domain name in any of its rules. If it finds a match, it responds according to the action specified in the rule. If it does not find a match and the NXDOMAIN feature is enabled, the DNS member checks the NXDOMAIN rulesets for a match and responds accordingly. If the NXDOMAIN feature is not enabled, the DNS member resolves the query. (For information about the NXDOMAIN feature, see About NXDOMAIN Redirection.)
Infoblox DNS members can modify their responses to queries for A records only. Therefore, if the matched query is for a record other than an A record, including a query with a type of "ANY", the DNS member sends a REFUSED response if the matched rule has an action of "Redirect".
In Figure 17.1, a DNS client opens a web browser and tries to access xxx.domain.com. When the DNS member receives the query for xxx.domain.com, it checks its blacklist rulesets and finds xxx.domain.com in a rule with an action of "Redirect". The DNS client is redirected to the configured redirection destination IP address 10.1.2.3.

Figure 17.1 Blacklist (image not included: a DNS client querying xxx.domain.com is redirected to 10.1.2.3)
This feature supports queries for data in IPv4 and IPv6 reverse-mapping zones, as well as forward-mapping zones. Note that when a user with a Windows DNS client with IPv6 installed tries to access a domain name, the Windows client sends queries for AAAA records before queries for A records. After the DNS member sends a REFUSED response to the query for the AAAA record, the DNS client then sends a query for the A record. The DNS member then responds according to the blacklist rules.
When DNSSEC is enabled on the Infoblox DNS server, it does not redirect DNS clients that request DNSSEC data. (For information about DNSSEC, see Chapter 22, DNSSEC.) If DNSSEC is not enabled and the query includes a request for DNSSEC data, the appliance ignores the request for DNSSEC data and redirects the clients.
To apply the configured DNS blacklist rules regardless of whether a DNS query requests DNSSEC data, configure the appliance accordingly. For more information about how to configure this, see Applying Policies and Rules to DNS Queries that Request DNSSEC Data.
You can enable the blacklist feature at the Grid, member, and DNS view levels. Note that only recursive DNS servers can support this feature. For information on enabling recursion on a DNS member, see Enabling Recursive Queries.


About Blacklist Rulesets
A blacklist ruleset is a list of rules that a DNS member uses to determine its response to recursive queries for certain domain names. When you enable the blacklist feature, you must define at least one rule in a ruleset. Each rule consists of a domain name and an associated action. The DNS member matches the domain names in the rules with the entire domain name in the query, including its suffix. The domain name in the rule can contain any printable character. Domain name matching is case-insensitive. Unlike the NXDOMAIN rules, blacklist rules do not support metacharacters in domain names.
The action in a rule is either "Pass" or "Redirect".

    • Pass: The DNS member resolves the query and forwards the response to the DNS client.
    • Redirect: The DNS member does not resolve the query. The DNS member redirects the client to the predefined IP addresses or sends a REFUSED response, depending on your configuration. Note that the DNS member can redirect the client only if the query is for an A record. If the query is for another resource record, the DNS member sends a REFUSED response.

You can use the Blacklist wizard, described in Adding a Blacklist Ruleset, to add blacklist rulesets, but not rules. You can only add rules by importing them in a CSV file, as described in About CSV Import. Note that if a blacklist ruleset contains duplicate domain names, the DNS member loads the first rule in the ruleset and discards the other rules.

The following example illustrates how the DNS member applies blacklist rules. Ruleset 1:

  Pattern       Action
  a1.foo.com    PASS
  foo.com       REDIRECT/BLOCK

  • If the DNS member receives a recursive query for a1.foo.com, it resolves the query and forwards the response to the client.
  • If the DNS member receives a recursive query for the A record of b1.foo.com, it redirects the DNS client to the specified IP address. If the query is for another record type, such as an MX record, the member sends a REFUSED response to the client.

Blacklist Guidelines

The following summarizes how a DNS member responds to a DNS client when the blacklist feature is enabled:

  • If the domain name in the query matches a domain name in a rule, the member does the following:
    • If the query is for an A record, the member performs the action specified in the rule.
      • If the action is "Redirect", the member performs the action specified in the Blacklist wizard.
        • If the action in the wizard is to redirect, the DNS member redirects the client to the listed IP addresses.
        • If the action in the wizard is to return a REFUSED response, the DNS member sends a REFUSED response to the DNS client.
      • If the action in the rule is "Pass", the DNS member resolves the query and forwards the response to the DNS client.
    • If the query is for a non-A record, the member performs the action in the rule as follows:
      • If the action is "Redirect", the DNS member returns a REFUSED response to the DNS client.
      • If the action is "Pass", the DNS member resolves the query and forwards the response to the DNS client.
  • If the domain name in the query does not match a domain name in a rule:
    • If the NXDOMAIN feature is enabled, the DNS member tries to find a match with the NXDOMAIN rules and responds accordingly.
    • If the NXDOMAIN feature is disabled, the DNS member resolves the query and forwards the response to the DNS client.

Note that if an A record with a dotted hostname is added to an authoritative zone through a dynamic DNS update, and that A record should actually belong in an existing delegation, the appliance may not redirect a query for that A record according to the Blacklist and NXDOMAIN guidelines above.
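The following Python model walks through the decision flow in the guidelines above, using Ruleset 1 from the earlier example. It is an added illustration, not Infoblox code: the CSV layout, the redirect address 10.1.2.3 and the query names are constructed, and it assumes (consistent with the a1.foo.com/foo.com example) that a rule covers its own name and the names beneath it, with the most specific rule winning.

```python
import csv
import io

# Constructed CSV with one domain name and one action per rule, mirroring the
# page's Ruleset 1 (the real Infoblox CSV import column layout is not reproduced).
# The third row is a deliberate duplicate to show that only the first rule loads.
RULESET_CSV = """pattern,action
a1.foo.com,PASS
foo.com,REDIRECT
foo.com,PASS
"""


def load_ruleset(text):
    """Parse rules into {domain: action}; the first rule for a name wins."""
    rules = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["pattern"].strip().lower()          # matching is case-insensitive
        rules.setdefault(name, row["action"].strip().upper())
    return rules


def respond(qname, qtype, rules, wizard_action="redirect",
            redirect_ips=("10.1.2.3",), nxdomain_enabled=False):
    """Return the member's response to a recursive query, per the guidelines.

    wizard_action is the 'For blacklisted domain names, return' setting:
    'redirect' (synthesize A records) or 'refused'.
    """
    labels = qname.rstrip(".").lower().split(".")
    # Assumption: a rule covers its own name and everything beneath it, and the
    # most specific rule wins (a1.foo.com PASS beats foo.com REDIRECT).
    action = None
    for i in range(len(labels)):
        action = rules.get(".".join(labels[i:]))
        if action is not None:
            break
    if action is None:
        # No blacklist match: fall through to NXDOMAIN rules or normal resolution
        return "check NXDOMAIN rules" if nxdomain_enabled else "resolve"
    if action == "PASS":
        return "resolve"
    # Redirect/Block: the member can only synthesize answers for A queries,
    # so AAAA, MX, ANY and every other type get REFUSED
    if qtype.upper() != "A" or wizard_action == "refused":
        return "REFUSED"
    return "redirect to " + ",".join(redirect_ips)
```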

Configuring the Blacklist Feature

To configure the blacklist feature:

  1. Add blacklist rulesets, as described in Adding a Blacklist Ruleset.
  2. Create one or more CSV files that contain the rules for each ruleset and import the files to the Grid. For information about importing CSV files, see About CSV Import.
  3. Enable blacklisting, as described in Enabling Blacklisting.

Adding a Blacklist Ruleset

To add the name of a blacklist ruleset:

  1. From the Data Management tab -> DNS tab -> Blacklist Rulesets tab, click the Add icon.
  2. In the Blacklist wizard, complete the following:
    • Name: Enter a name for the ruleset.
    • Comment: You can enter additional information.
    • Disable: You can disable this ruleset for use later on. The appliance ignores disabled rulesets.
  3. Save the configuration and click Restart if it appears at the top of the screen. You can then use the CSV Import feature to import the rules for each ruleset.

Managing Blacklist Rulesets

To view rulesets, navigate to the Data Management tab -> DNS tab -> Blacklist Rulesets tab. The panel lists the configured rulesets and their associated comments. You can also display the Disabled column, which indicates which rulesets are disabled. From this panel, you can do the following:

  • Add more rulesets, as described in the preceding section, Adding a Blacklist Ruleset.
  • Edit a ruleset, by clicking its check box and clicking the Edit icon. You can set the following in the Blacklist Ruleset editor:
    • In the General Basic tab, you can change entries in any of the fields.
    • In the Permissions tab, you can set admin permissions for the ruleset.
  • Delete a ruleset, by clicking its check box and clicking the Delete icon.
  • View the rules that were imported in each ruleset by selecting it. For each rule, the panel displays the following:
    • Domain name
    • The action of the recursive DNS member when the domain name in a query matches the domain name in the rule.

To delete or edit rules in a ruleset, you must delete the ruleset from this panel, edit the CSV file and re-import it.

Enabling Blacklisting

Only DNS members with recursion enabled can support this feature. You can enable this feature at the Grid level and override it for a member or DNS view with recursion enabled.
You can also enable the DNS member to log queries that matched blacklist rules. The logs include the queried domain name, source IP address, the pattern of the matched rule, and the name of the corresponding ruleset.
To enable blacklisting:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon.
    DNS View: From the Data Management tab, select the DNS tab and click the Zones tab -> dns_view check box -> Edit icon.
    To override an inherited property, click Override next to it and complete the appropriate fields.
  2. If the Grid DNS Properties or Member DNS Properties editor is in basic mode, click Toggle Advanced Mode.
  3. Click Blacklist and complete the following:
    Enable Domain Name Blacklist: Select this check box.
    Blacklist Rulesets: To add a ruleset, click the Add icon. If there are multiple rulesets, select one from the Select Ruleset dialog box. Use the up and down arrows to move rulesets up and down in the list. The appliance applies rulesets in the order they are listed.
    For blacklisted domain names, return: Select the action of the appliance when it receives a query for a record that matches a rule with an action of Redirect/Block.
    If you selected This list of IP addresses, add an IP address to the Redirect to table by clicking the Add icon and entering the address. The addresses are listed in round robin fashion in the synthesized response of the DNS member. You can enter up to 12 IP addresses.
    Blacklist TTL: Specify how long the DNS client caches the A record with the redirected IP address.
    Log queries for blacklisted domain names: Select this option to enable the appliance to log queries for blacklisted domain names, including the source IP address of the query.
  4. Save the configuration and click Restart if it appears at the top of the screen.