Although the Internet is an information-rich environment, it is not always convenient to provide free access to network users. Companies that handle sensitive information do not want their data to leave the company at the hands of malicious developers. It is highly recommended to consider specific DNS settings to avoid these problems.
This article will guide you through setting up a Blacklist of domains that will not be resolved by Infoblox DNS.
To start the configuration, let’s go to Infoblox.
Connected to the Grid Manager, navigate to Data Management> DNS> Blacklist Rulesets
Within the Blacklist Rulesets tab, locate and click the Add button (highlighted below):
Name the rule set. In our example, we use the name Social Networks. Click Save & Close at the end.
The list must be updated with the new item created.
Let’s add two more rule sets: Email and Streaming by following the same steps above:
The configuration of the domains to be blocked must be done using a CSV file compatible with Infoblox. To do this, simply create a CSV file in Excel or any other text file editor with the following columns:
An example of this filled list is shown below.
Note: The domains provided above are for reference only. A list with a larger number of domains (and their variations) must be provided to increase the coverage of the configuration.
After creating and saving the file as CSV, we will need to import it into Infoblox. Back to the console, locate and click the CSV Import button (highlighted below).
In the screen that appears, select the “Add” option and click Next.
In the following screen, select the file created in the previous steps and click Next again.
The next screen will validate the contents of the file and display the first 6 rows of data. Make sure the speakers are perfectly aligned. If something is strange, change the tab until the contents of the file look similar to the one shown below. Click Import to proceed.
Infoblox will ask if you really want to proceed with the operation and inform that it can not be undone. Click Yes to accept and proceed.
The import process will be displayed on the next screen. Make sure all rows have been processed and that there were no errors during import. Click close if everything is ok.
Back to the Blacklist Rulesets menu, click on one of them to check its contents.
Now that the rules are set up, we need to enable the feature. Locate and click the “Grid DNS Properties” button on the console.
In the screen that appears, click Toogle Advanced Mode to enable the advanced Infoblox DNS configuration menus.
On the screen that appears, click Blacklist.
To enable the service, click on “Enable Domain Name Blacklist”.
In Blacklist Rulesets, use the “Add” button (highlighted below) to add all the rule sets we created in the previous steps.
Then select what Infoblox should return to the client that issues a query to a domain that is on one of the Blacklists:
You can:
Send a “REFUSED” response to the client.
Provide an IP of another server as a response. *
Note: Do not confuse the item with forwarding because the provided IP will not process the DNS request to resolve the client query.
Let’s use the second option above, pointing in the IP Addresses of a web server with an informative page for the user.
In Blacklist TTL, we specify the time of one minute, this time in which the address will remain in the cache of the local machine that obtains the response of Infoblox.
Finally, enable the “Log queries for blacklisted domain names” option. This option will log queries to blacklisted domains in the Infoblox appliance Syslog.
Click Save & Close after the settings are finished.
Back to the previous screen, click Restart at the top of the screen.
Note: Failure to restart the service will cause the configuration to not be applied.
Now, to test the settings made on a user machine, it is necessary that Infoblox be the DNS configured in the interface of the machine or that the server configured in it to forward recursive queries to Infoblox. This way it will be able to identify this query and respond according to the settings made.
On a machine within these two scenarios, we’ll try to access the UOL e-mail access site. See the response displayed by the browser.
Let’s use DiG to check what response is being provided by DNS.
To check the queries being blocked by Infoblox, navigate to Administration> Logs> Syslog.
The log will provide the domain that was blocked, in which ruleset it is configured, and the IP of the client it attempted to access. The image below displays the member log we configured.
Tip: Use a filter with the word “Intercept” to display only the lines with the intercepts made by Infoblox.
As we saw above, it is not difficult to configure this type of feature in Infoblox. However, the security of an environment and the information that flows through it can not be left in the hands of a single solution. It should be augmented by a set of other small practices that, together, will keep the business information of the corporation safe. Until the next article.