Custom Rule Templates

Infoblox External DNS Security supports a few custom rule templates from which you can create new custom rules. Note that when you use a specific rule template to create custom rules, the new rules reside in their respective rule categories. For information about custom rules and creating custom rules, refer to the NIOS documentation at docs.infoblox.com.

When you enter FQDNs for any of the following rule templates, the appliance automatically verifies the FQDN syntax and format. It translates escape sequences and special characters that are used to represent specific characters in the FQDN. For example, \32 (decimal 32) is interpreted as a space (hex 20), and \" is interpreted as a double quote (hex 22). The appliance returns an error message when it detects invalid characters in the FQDN.

For each rule you create, you can define the Events per second value to limit the number of events per second that are logged for the rule. You can also define certain parameters for specific rules. For information about the parameters, see Overview of Packet Flow.

Note

Custom rules do not support IDNs (Internationalized Domain Names). To use an IDN in a custom rule, you must first convert it to its Punycode (ASCII, xn--) form. You can use the IDN Converter on the Toolbar for the conversion.
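The following Python script is an added example, not code from the Infoblox product or its documentation. It performs the kind of input checks described above on a Blacklisted FQDN field: it decodes presentation-format escapes, splits the semicolon-separated list, rejects non-ASCII (IDN) characters with a hint to use Punycode, and converts an IDN to its xn-- form. The page does not state the appliance's exact escape grammar or error messages; the three-digit decimal escape form \DDD (so \032 is a space, hex 20), the single-character form \X (so \" is a double quote, hex 22), and the 63-octet label and 255-octet name limits are assumptions taken from RFC 1035, and the sample names are constructed.

```python
import re

MAX_LABEL_OCTETS = 63    # RFC 1035 label limit (assumed; not stated on the page)
MAX_WIRE_OCTETS = 255    # RFC 1035 total name limit on the wire (assumed)

# Constructed sample for a "Blacklisted FQDN" field: semicolon-separated entries
# with an escaped space (\032), an escaped double quote (\") and an escaped dot (\.).
SAMPLE_FIELD = r'bad.example.com; bad\032host.example.net; quote\"d.example.org; a\.b.example'


def parse_fqdn(name: str) -> list:
    """Split a presentation-format FQDN into raw label bytes, decoding escapes.

    \\DDD (three decimal digits) yields that byte, e.g. \\032 -> 0x20 (space);
    \\X yields the literal character X, e.g. \\" -> 0x22 (double quote).
    An unescaped '.' ends a label; an escaped '\\.' is a byte inside a label.
    Raises ValueError on malformed escapes or non-ASCII (IDN) characters.
    """
    labels, current, i = [], bytearray(), 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            digits = name[i + 1:i + 4]
            if re.fullmatch(r"[0-9]{3}", digits):
                value = int(digits)
                if value > 255:
                    raise ValueError(f"escape \\{digits} is out of range")
                current.append(value)
                i += 4
            elif i + 1 < len(name) and ord(name[i + 1]) <= 0x7F:
                current.append(ord(name[i + 1]))
                i += 2
            else:
                raise ValueError("malformed escape sequence")
            continue
        if ord(ch) > 0x7F:
            raise ValueError(f"non-ASCII character {ch!r}: convert IDNs to Punycode first")
        if ch == ".":
            labels.append(bytes(current))
            current = bytearray()
        else:
            current.append(ord(ch))
        i += 1
    if current or not labels:      # final label (a trailing '.' is the root, not a label)
        labels.append(bytes(current))
    return labels


def validate_fqdn(name: str) -> list:
    """Return the decoded labels, or raise ValueError explaining what is wrong."""
    labels = parse_fqdn(name)
    for label in labels:
        if not label:
            raise ValueError("empty label (leading or consecutive dots)")
        if len(label) > MAX_LABEL_OCTETS:
            raise ValueError(f"label longer than {MAX_LABEL_OCTETS} octets")
    wire_len = sum(len(label) + 1 for label in labels) + 1   # length octets plus root
    if wire_len > MAX_WIRE_OCTETS:
        raise ValueError(f"name longer than {MAX_WIRE_OCTETS} octets on the wire")
    return labels


def check_field(field: str) -> dict:
    """Check each entry of a semicolon-separated FQDN list; map entry -> 'ok' or error."""
    results = {}
    for entry in (e.strip() for e in field.split(";")):
        if not entry:
            continue
        try:
            validate_fqdn(entry)
            results[entry] = "ok"
        except ValueError as exc:
            results[entry] = str(exc)
    return results


def to_punycode(idn: str) -> str:
    """Convert an IDN to the ASCII (xn--) form that custom rules accept."""
    return idn.encode("idna").decode("ascii")


if __name__ == "__main__":
    for entry, verdict in check_field(SAMPLE_FIELD).items():
        print(f"{entry:30} {verdict}")
    print(check_field("bücher.example"))
    print(to_punycode("bücher.example"))
```

Entries are validated after decoding, so a label that is only valid because of an escape (a space or a dot inside it) is checked on its real octet length, which is what matters once the name reaches the wire.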

  • BLACKLIST FQDN lookup TCP: Use this rule template to create custom rules that block DNS queries for specific FQDNs over TCP. In the Rule Parameters table, complete the following:
    • Blacklisted FQDN: Enter the FQDN whose DNS queries over TCP the appliance should block. You can also enter a list of FQDNs, using a semicolon as the separator.
  • BLACKLIST FQDN lookup UDP: Use this rule template to create custom rules that block DNS queries for specific FQDNs over UDP. In the Rule Parameters table, complete the following:
    • Blacklisted FQDN: Enter the FQDN whose DNS queries over UDP the appliance should block. You can also enter a list of FQDNs, using a semicolon as the separator.
  • BLACKLIST IP TCP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on TCP before the appliance applies any rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
    • Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are dropped before any relevant rate limiting rules take effect. Note that all TCP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter network addresses in address/CIDR format.
  • BLACKLIST IP UDP Drop prior to rate limiting: Use this rule template to create rules that block IPv4 or IPv6 addresses on UDP before the appliance applies any rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
    • Blacklisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are dropped before any relevant rate limiting rules take effect. Note that all UDP traffic from the specified IPv4 and IPv6 addresses and networks is blocked. Enter network addresses in address/CIDR format.
  • RATELIMITED FQDN lookup UDP: Use this rule template to create custom rules that rate limit, and then block, DNS queries for a specific FQDN over UDP. In the Rule Parameters table, complete the following:
    • Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP traffic consisting of DNS lookups for the FQDN defined in this rule. The default is 5.
    • Drop interval: Enter the number of seconds for which the appliance drops packets after the rate limit is exceeded.
    • Blacklist rate limited FQDN: Enter the FQDN to which the rate limit configured for this rule applies. The appliance drops DNS queries for this FQDN when the UDP traffic of DNS lookups for this FQDN exceeds the configured rate limit.
  • RATELIMITED IP TCP: Use this rule template to create custom rules that rate limit, and then blacklist, IP addresses on TCP. If there are certain IP addresses that you want to block before their traffic is evaluated against the rate limit, create a rule using the BLACKLIST IP TCP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
    • Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of TCP traffic consisting of DNS lookups from the IP address or network defined in this rule. The default is 5.
    • Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
    • Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. When the TCP traffic of DNS lookups from an IP address exceeds the configured rate limit, the appliance drops the packets sent by that IP address for the drop interval.

      Note

      If you specify a network, the packets per second value is applied to each IP address within the network, not to the entire network.

  • RATELIMITED IP UDP: Use this rule template to create custom rules that rate limit, and then blacklist, IP addresses on UDP. If there are certain IP addresses that you want to block before their traffic is evaluated against the rate limit, create a rule using the BLACKLIST IP UDP Drop prior to rate limiting template. In the Rule Parameters table, complete the following:
    • Packets per second: Enter the number of packets per second that defines the rate limit for this rule. This value controls the rate of UDP traffic consisting of DNS lookups from the IP address or network defined in this rule. The default is 5.
    • Drop interval: Enter the time interval, in seconds, for which the appliance drops IP packets sent by the rate limited IP address or network defined for this rule. The default is 30 seconds.
    • Rate limited IP address/network: Enter the IP address or network to which the rate limit configured for this rule applies. When the UDP traffic of DNS lookups from an IP address exceeds the configured rate limit, the appliance drops the packets sent by that IP address for the drop interval.

      Note

      If you specify a network, the packets per second value is applied to each IP address within the network, not to the entire network.

  • WHITELIST IP TCP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on TCP before the appliance applies any rate limiting rules you have defined using the RATELIMITED IP TCP template. In the Rule Parameters table, complete the following:
    • Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are allowed before any relevant rate limiting rules take effect.
  • WHITELIST IP UDP Pass prior to rate limiting: Use this rule template to create custom rules that allow certain IP addresses on UDP before the appliance applies any rate limiting rules you have defined using the RATELIMITED IP UDP template. In the Rule Parameters table, complete the following:
    • Whitelisted IP address/network: Enter the IPv4 or IPv6 address or network whose packets are allowed before any relevant rate limiting rules take effect.
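The ordering that the template names encode (blacklist drop and whitelist pass before rate limiting, then a per-source-address rate limit with a drop interval) is easiest to see in a small model. The following Python script is an added example, not Infoblox code, and it models the behaviour this section describes using assumptions the page does not state: blacklist is checked before whitelist, packets are counted in fixed one-second windows, and once a source address exceeds Packets per second that address is dropped for exactly Drop interval seconds. The addresses and traffic are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RateLimitRule:
    """Parameters of a RATELIMITED IP TCP/UDP rule, with the page's defaults."""
    network: str                 # Rate limited IP address/network (address/CIDR)
    packets_per_second: int = 5  # page default
    drop_interval: int = 30      # page default, in seconds


@dataclass
class _SourceState:
    """Per-source-address counter: the limit applies to each address in a network."""
    window_start: int
    count: int = 0
    blocked_until: float = 0.0


class RuleSet:
    """Models one transport (TCP or UDP); build one instance per protocol."""

    def __init__(self, whitelist, blacklist, ratelimits):
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n, strict=False) for n in blacklist]
        self.ratelimits = [(ipaddress.ip_network(r.network, strict=False), r) for r in ratelimits]
        self._state = {}   # (rule index, source address) -> _SourceState

    def handle(self, src: str, t: float) -> str:
        """Return 'DROP' or 'PASS' for one packet from src arriving at time t (seconds)."""
        ip = ipaddress.ip_address(src)
        # "Drop prior to rate limiting": an explicit deny wins (order is an assumption).
        if any(ip in net for net in self.blacklist):
            return "DROP"
        # "Pass prior to rate limiting": exempt from every rate limit rule.
        if any(ip in net for net in self.whitelist):
            return "PASS"
        for idx, (net, rule) in enumerate(self.ratelimits):
            if ip in net:
                return self._rate_limit(idx, ip, rule, t)
        return "PASS"

    def _rate_limit(self, idx, ip, rule, t):
        state = self._state.setdefault((idx, ip), _SourceState(window_start=int(t)))
        if t < state.blocked_until:             # still inside the drop interval
            return "DROP"
        if int(t) != state.window_start:        # new one-second window (assumed model)
            state.window_start, state.count = int(t), 0
        state.count += 1
        if state.count > rule.packets_per_second:
            state.blocked_until = t + rule.drop_interval
            return "DROP"
        return "PASS"


def demo() -> dict:
    """Constructed UDP traffic against a rule set; returns the verdicts per case."""
    rules = RuleSet(
        whitelist=["198.51.100.7"],                       # WHITELIST IP UDP Pass prior
        blacklist=["198.51.100.66"],                      # BLACKLIST IP UDP Drop prior
        ratelimits=[RateLimitRule("198.51.100.0/24", packets_per_second=5, drop_interval=30)],
    )
    # Two hosts in the rate-limited /24 each send 6 packets within one second.
    # The limit applies per address, so each host gets 5 passes and 1 drop
    # (10 passes, 2 drops in total), not 5 passes for the whole network.
    burst = [rules.handle(host, 0.1 * k) for k in range(6)
             for host in ("198.51.100.10", "198.51.100.11")]
    return {
        "burst_pass": burst.count("PASS"),
        "burst_drop": burst.count("DROP"),
        "inside_drop_interval": rules.handle("198.51.100.10", 10.0),   # 10 < 0.5 + 30
        "after_drop_interval": rules.handle("198.51.100.10", 31.0),
        "blacklisted_first_packet": rules.handle("198.51.100.66", 0.0),
        "whitelisted_burst_drops": [rules.handle("198.51.100.7", 0.0) for _ in range(50)].count("DROP"),
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:26} {value}")
```

The blacklisted host 198.51.100.66 sits inside the rate-limited /24 and is dropped on its first packet, well under the limit, while the whitelisted 198.51.100.7 in the same network is never counted at all; that is the difference the "prior to rate limiting" templates make.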