Manual Chapter: Configuring DNS Response Policy Zones

Applies To:


BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

Overview: DNS response policy zones and the BIG-IP system

The BIG-IP system can utilize a domain name service (DNS) response policy zone (RPZ) as a firewall mechanism. An RPZ is a zone that contains a list of known malicious Internet domains. The list includes a resource record set (RRset) for each malicious domain. Each RRset includes the names of the malicious domain and any subdomains of the domain.
When the BIG-IP system receives a DNS query for a domain that is on the malicious domain list of the RPZ, the system responds in one of two ways based on your configuration. You can configure the system to return an NXDOMAIN record that indicates that the domain does not exist.

Figure: BIG-IP returns NXDOMAIN response to DNS query for malicious domain

Alternatively, you can configure the system to return the response that directs the user to a walled garden.

Figure: BIG-IP forwards DNS query for malicious domain to walled garden

About creating an RPZ using ZoneRunner

There are a number of vendors that host response policy zones (RPZs). The BIG-IP system supports RPZ vendors. F5 has tested the BIG-IP system with the vendors Spamhaus (http://www.spamhaus.org/organization/dnsblusage/) and SURBL (http://www.surbl.org/df). If you do not want to purchase a subscription from a vendor, you can use ZoneRunner on the BIG-IP system to create a custom RPZ.
ZoneRunner is available only with a BIG-IP DNS license.

Task summary

Creating a custom RPZ using ZoneRunner

Determine the host name and IP address of the BIG-IP system on which you are configuring the RPZ.
These steps can be performed only on a BIG-IP system that is licensed for BIG-IP DNS.
You can create your own RPZ when you do not want to subscribe to an RPZ vendor.
  1. On the Main tab, click DNS > Zones > ZoneRunner > Zone List.
    The Zone List screen opens.
  2. Click Create.
    The New Zone screen opens.
  3. From the View Name list, select external.
    The external view is a default view to which you can assign zones.
  4. In the Zone Name field, type a name for the zone file.
    For example, to replicate the format of the Spamhaus and SURBL DNS RPZ names, type rpz.myblacklist.org.
  5. From the Zone Type list, select Master.
  6. Clear the Zone File Name field, and type the zone file name, for example, db.external.rpz.blacklist.org.
  7. In the Options field, add an also-notify statement to ensure that BIND notifies DNS Express when the zone is updated; for example:
    also-notify { ::1 port 5353; };
  8. In the SOA Record section, type values for the record fields:
    1. In the TTL field, type the default time-to-live (TTL) for the records in the zone.
    2. In the Master Server field, type the name of the BIG-IP DNS on which you are configuring this zone.
  9. In the NS Record section, type values for the record fields:
    1. In the TTL field, type the time-to-live (TTL) for the nameserver record.
    2. In the NameServer field, type the name of the BIG-IP DNS on which you are configuring this zone.
  10. Click Finished.
Add resource records that represent known malicious domains to your custom RPZ.

Adding resource records to a custom RPZ

Determine the names of the known malicious domain names that you want to include in your custom DNS response policy zone (RPZ).
These steps can be performed only on a BIG-IP system that is licensed for BIG-IP DNS.
For each malicious domain that you want to add to your custom RPZ, create a resource record for the domain. Additionally, you can add a wildcard resource record to represent all subdomains of the malicious domain.
  1. On the Main tab, click DNS > Zones > ZoneRunner > Zone List.
    The Zone List screen opens.
  2. Click the name of a custom RPZ to which you want to add malicious zone names.
    The Zone Properties screen opens.
  3. Click Add Resource Record.
    The New Resource Record screen opens.
  4. In the Name field, type the name of the malicious domain in front of the RPZ zone name that displays ([zone_name].rpz.myblacklist.org.): for example, maliciouszone.com.rpz.myblacklist.org. for the domain name, or *.maliciouszone.com.rpz.myblacklist.org. for the subdomains.
  5. In the TTL field, type the time-to-live (TTL) for the CNAME record.
  6. From the Type list, select CNAME.
  7. In the CNAME field, type . (a single period).
  8. Click Finished.
  9. Create additional resource records for each malicious domain that you want to include in your custom RPZ. Remember to create a resource record for the domain and a resource record for the subdomains.
You can now implement your RPZ on the BIG-IP system or on an external name server.
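As an added example (not F5 code, and not what ZoneRunner itself writes), the following Python script builds the two CNAME records per malicious domain in the form this task describes and renders them as a BIND master file. The nameserver host name bigip-dns.example.net, the hostmaster mailbox, and the SOA timer values are assumptions; the domain list is constructed.

```python
import re
from datetime import date
from typing import Optional

# Constructed inputs mirroring the names used in this chapter.
RPZ_ZONE = "rpz.myblacklist.org"
MALICIOUS_DOMAINS = ["maliciouszone.com", "Another-Bad.Example."]

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen,
# at most 63 characters.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(domain: str) -> str:
    """Lower-case a domain, drop a trailing dot, and validate every label.

    A malformed name makes BIND refuse to load the whole zone, so a single
    bad entry from a feed would silently take the RPZ firewall out of service.
    """
    name = domain.strip().lower().rstrip(".")
    if not name or not all(_LABEL.match(label) for label in name.split(".")):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return name


def is_valid_domain(domain: str) -> bool:
    """Boolean form of normalize_domain, for filtering untrusted feed lines."""
    try:
        normalize_domain(domain)
        return True
    except ValueError:
        return False


def rpz_records(zone: str, domains) -> list:
    """Return (owner, type, rdata) tuples for each malicious domain.

    Each domain gets two records, as the task above describes: the exact
    name and a wildcard for its subdomains, both CNAME "." (the RPZ
    encoding for "answer NXDOMAIN").
    """
    zone = zone.strip().lower().rstrip(".")
    records = []
    for domain in domains:
        name = normalize_domain(domain)
        records.append((f"{name}.{zone}.", "CNAME", "."))
        records.append((f"*.{name}.{zone}.", "CNAME", "."))
    return records


def render_zone(zone: str, primary_ns: str, domains, ttl: int = 3600,
                serial: Optional[int] = None) -> str:
    """Render a BIND master file for the RPZ (SOA, NS, then the CNAME records).

    The hostmaster mailbox and the SOA timers are assumed values; the
    also-notify statement from step 7 belongs in the named options, not here.
    """
    zone = zone.strip().lower().rstrip(".")
    ns = primary_ns.strip().lower().rstrip(".") + "."
    serial = serial or int(date.today().strftime("%Y%m%d01"))
    lines = [
        f"$ORIGIN {zone}.",
        f"$TTL {ttl}",
        # SOA rdata: primary NS, responsible mailbox, serial, refresh,
        # retry, expire, minimum (negative-caching TTL)
        f"@ IN SOA {ns} hostmaster.{zone}. {serial} 3600 900 604800 60",
        f"@ IN NS {ns}",
    ]
    for owner, rtype, rdata in rpz_records(zone, domains):
        lines.append(f"{owner} IN {rtype} {rdata}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_zone(RPZ_ZONE, "bigip-dns.example.net", MALICIOUS_DOMAINS))
```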

About configuring the BIG-IP system to use an RPZ as a DNS firewall

With an RPZ configuration, the BIG-IP system filters DNS queries for domains that are known to be malicious and returns custom responses that direct those queries away from the malicious domain.

Task summary

Optional: Adding a TSIG key for the server that hosts the RPZ

Before adding a TSIG key for a DNS server that hosts an RPZ:
  • Ensure that the DNS server is configured to allow the BIG-IP system to perform zone transfers.
  • Ensure that the time on the systems that use TSIG keys is synchronized.
  • Obtain the TSIG key for each DNS server.
Add a TSIG key to the BIG-IP system configuration when you want to validate zone transfer communications between DNS Express and a DNS server hosting an RPZ.
  1. On the Main tab, click DNS > Delivery > Keys > TSIG Key List.
    The TSIG Key List screen opens.
  2. Click Create.
    The New TSIG Key screen opens.
  3. In the Name field, type the name of the TSIG key.
  4. From the Algorithm list, select the algorithm that was used to generate the key.
  5. In the Secret field, type the TSIG key secret.
  6. Click Finished.
Add the TSIG key to the DNS nameserver that represents the RPZ on the BIG-IP system.

Adding a nameserver object for the server that hosts the RPZ

Obtain the IP address of the authoritative DNS server that hosts the DNS response policy zone (RPZ).
When you want to transfer an RPZ from an authoritative DNS server into the DNS Express engine, add a nameserver object that represents the server that hosts the zone.
  1. On the Main tab, click DNS > Delivery > Nameservers.
    The Nameservers List screen opens.
  2. Click Create.
    The New Nameserver screen opens.
  3. In the Name field, type a name for the authoritative DNS server.
  4. In the Address field, type the IP address on which the DNS server listens for DNS messages.
    If the RPZ is hosted on BIND on the BIG-IP system, use the name localhost and the default Address 127.0.0.1 and Service Port 53.
  5. From the TSIG Key list, select the TSIG key that matches the TSIG key on this DNS server.
    The BIG-IP system uses this TSIG key to sign zone transfer requests to the DNS server hosting the zone.
  6. Click Finished.
Create a DNS Express zone and add the nameserver object to the zone.

Creating an RPZ DNS Express zone

Before you create the DNS Express zone:
  • Ensure that the authoritative DNS server that currently hosts the DNS response policy zone (RPZ) is configured to allow zone transfers to the BIG-IP system.
  • Ensure a nameserver object that represents that authoritative DNS server exists in the BIG-IP system configuration.
  • Determine the name you want to use for the DNS Express zone. The zone name must match the zone name on the authoritative DNS server exactly.
    Zone names are case insensitive.
Create a DNS Express zone on the BIG-IP system when you want to transfer an RPZ into DNS Express.
  1. On the Main tab, click DNS > Zones.
    The Zone List screen opens.
  2. Click Create.
    The New Zone screen opens.
  3. In the Name field, type the name of the DNS zone.
    The name must begin and end with a letter and contain only letters, numbers, and the period and hyphen (-) characters.
  4. In the DNS Express area, from the Server list, select the authoritative primary DNS server that currently hosts the zone.
    The DNS Express engine requests zone transfers from this server.
  5. Select the Response Policy check box.
  6. Click Finished.

Creating a DNS cache

Ensure that the global DNS settings are configured based on your network architecture.
Create a DNS cache on the BIG-IP system when you want to utilize an RPZ to protect your network from known malicious domains.
  1. On the Main tab, click DNS > Caches > Cache List.
    The DNS Cache List screen opens.
  2. Click Create.
    The New DNS Cache screen opens.
  3. In the Name field, type a name for the cache.
  4. From the Resolver Type list, select one of three types:
    • Resolver: Resolves a DNS request and stores the response in the DNS cache.
    • Validating Resolver: Resolves a DNS request, verifies the response using a DNSSEC key, and stores the response in the DNS cache.
    • Transparent (None): Sends a DNS request to a DNS server for resolution, and stores the response in the DNS cache.
  5. Click Finished.

Adding a local zone to represent a walled garden

Ensure that a DNS cache with which you are implementing the RPZ is configured on the BIG-IP system.
Obtain the resource records for the walled garden zone on your network.
When you want the BIG-IP system to redirect DNS queries for known malicious domains to a specific domain, add a local zone that represents a walled garden on your network to the DNS cache you will use to implement an RPZ.
  1. On the Main tab, click DNS > Caches > Cache List.
    The DNS Cache List screen opens.
  2. Click the name of the cache you want to modify.
    The properties screen opens.
  3. On the menu bar, click Local Zones.
    The Local Zones screen opens.
  4. Click the Add button.
  5. In the Name field, type the domain name of the walled garden on your network.
    The domain you enter must be the exact name you want to use for the walled garden. Ensure that you use a zone name that does not match any other resources on your network, for example, walledgarden.siterequest.com.
  6. From the Type list, select Static.
  7. In the Records area, specify a resource record to identify the local zone, including domain name, type, class, TTL, and record data, separated by spaces, and then click Add.
    For example, if the local zone name is walledgarden.siterequest.com, then this is an example of an A record entry:
    walledgarden.siterequest.com. IN A 10.10.10.124
    and this is an example of a AAAA record entry:
    walledgarden.siterequest.com. IN AAAA 2002:0:1:12:123:c:cd:cdf
  8. Click Finished.

Adding an RPZ to a DNS cache

If you want the BIG-IP system to redirect DNS queries for known malicious domains to a specific location, ensure that you have associated a local zone that represents the RPZ with the DNS cache.
Add an RPZ to a DNS cache on the BIG-IP system when you want to protect your network from known malicious domains.
  1. On the Main tab, click DNS > Caches > Cache List.
    The DNS Cache List screen opens.
  2. Click the name of the cache you just created.
    The properties screen opens.
  3. On the menu bar, click Response Policy Zones.
    The Response Policy Zones screen opens.
  4. Click the Add button.
  5. From the Zone list, select an RPZ.
  6. From the Action list, select an action:
    • NXDOMAIN: Resolves a DNS query for a malicious domain found in the RPZ with an NXDOMAIN response, which states that the domain does not exist.
    • walled-garden: Resolves a DNS query for a malicious domain found in the RPZ by providing an A or AAAA record response, which redirects the query to a known host.
  7. If you selected the type Walled Garden, from the Walled Garden IP list, select the local zone that represents the walled garden on your network.
  8. Click Finished.

Staging the RPZ on your network

Ensure that a DNS cache configured with an RPZ exists on the system.
When you want to test how using an RPZ affects your network environment, modify the RPZ by enabling the Logs and Stats Only setting.
  1. On the Main tab, click DNS > Caches > Cache List.
    The DNS Cache List screen opens.
  2. Click the name of the cache you want to modify.
    The properties screen opens.
  3. On the menu bar, click Response Policy Zones.
    The Response Policy Zones screen opens.
  4. Click the name of the RPZ you want to modify.
  5. Select the Logs and Stats Only check box.
    When checked, queries that match a malicious domain in the RPZ list are logged and statistics are created; however, RPZ policies are not enforced. That is, when a DNS query matches a malicious domain in the RPZ list, the system does not return an NXDOMAIN response or redirect the query to a walled garden.
    System performance is affected even when Logs and Stats Only is selected, because the system still performs RPZ lookups.
  6. Click Finished.
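As an added example (not F5 code), the following Python model shows how the settings from the walled garden, RPZ action, and staging tasks above combine when a query reaches the cache: the RPZ lookup (exact name first, then the wildcard for each parent), the NXDOMAIN or walled-garden action, and the Logs and Stats Only mode that records a hit without enforcing. The RPZ entries and walled garden records are the constructed values used earlier in this chapter, and the wildcard walk is a simplification of BIND's RPZ matching.

```python
from dataclasses import dataclass, field
from typing import Optional

RPZ_ZONE = "rpz.myblacklist.org"

# Constructed RPZ resource records, in the form entered in ZoneRunner
# earlier in this chapter: one exact owner and one wildcard owner per
# malicious domain, each a CNAME to "." (the RPZ encoding for NXDOMAIN).
RPZ_ENTRIES = {
    "maliciouszone.com.rpz.myblacklist.org.": ".",
    "*.maliciouszone.com.rpz.myblacklist.org.": ".",
}

# Constructed local zone representing the walled garden.
WALLED_GARDEN = {
    "name": "walledgarden.siterequest.com.",
    "A": "10.10.10.124",
    "AAAA": "2002:0:1:12:123:c:cd:cdf",
}


def normalize(name: str) -> str:
    """Lower-case and make absolute; DNS and RPZ names are case-insensitive."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def candidate_owners(qname: str, zone: str) -> list:
    """Owner names to look up in the RPZ for a query name, most specific first.

    "www.maliciouszone.com" yields "www.maliciouszone.com.<zone>.",
    "*.maliciouszone.com.<zone>." and "*.com.<zone>.".  Building owners
    from labels instead of string-suffix tests keeps matches on label
    boundaries, so "evilmaliciouszone.com" never matches "maliciouszone.com".
    """
    labels = normalize(qname).rstrip(".").split(".")
    suffix = normalize(zone)
    owners = [".".join(labels) + "." + suffix]
    for i in range(1, len(labels)):
        owners.append("*." + ".".join(labels[i:]) + "." + suffix)
    return owners


@dataclass
class RpzPolicy:
    """One RPZ attached to a DNS cache, with its action and staging setting."""
    entries: dict
    action: str                               # "NXDOMAIN" or "walled-garden"
    zone: str = RPZ_ZONE
    walled_garden: Optional[dict] = None
    logs_and_stats_only: bool = False         # the staging setting above
    hits: list = field(default_factory=list)  # what the logs/stats would record

    def trigger(self, qname: str) -> Optional[str]:
        """Return the RPZ owner name that matches the query, or None."""
        for owner in candidate_owners(qname, self.zone):
            if owner in self.entries:
                return owner
        return None

    def evaluate(self, qname: str, qtype: str = "A") -> dict:
        """Decide the response for one query; 'enforced' is False when only logged."""
        owner = self.trigger(qname)
        if owner is None:
            return {"rcode": "NOERROR", "answer": None, "enforced": False, "trigger": None}
        # A hit is logged and counted even in staging mode, and the lookup
        # cost is paid either way, which is the performance note above.
        self.hits.append((normalize(qname), owner))
        if self.logs_and_stats_only:
            return {"rcode": "NOERROR", "answer": None, "enforced": False, "trigger": owner}
        if self.action == "NXDOMAIN":
            return {"rcode": "NXDOMAIN", "answer": None, "enforced": True, "trigger": owner}
        # walled-garden: answer with the local zone's A or AAAA record, so the
        # client lands on the walled garden host instead of the malicious one.
        garden = self.walled_garden or {}
        rdata = garden.get(qtype)
        answer = (garden["name"], qtype, rdata) if rdata else None
        return {"rcode": "NOERROR", "answer": answer, "enforced": True, "trigger": owner}
```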

Creating a custom DNS profile for DNS caching

Ensure that at least one DNS cache exists on the BIG-IP system.
You can create a custom DNS profile to configure the BIG-IP system to cache responses to DNS queries.
  1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
    The DNS profile list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. In the General Properties area, from the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box.
  6. In the DNS Features area, from the DNS Cache list, select Enabled.
    When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list.
  7. In the DNS Features area, from the DNS Cache Name list, select the DNS cache that you want to associate with this profile.
    You can associate a DNS cache with a profile even when the DNS Cache option is Disabled.
  8. Click Finished.

Creating listeners to identify DNS queries

Create listeners to identify the DNS queries that DNS Express handles. When DNS Express is only answering DNS queries, only two listeners are required: one with an IPv4 address that handles UDP traffic and one with an IPv6 address that handles UDP traffic.
However, the best practice is to create four listeners, which allows DNS Express to handle zone transfers, should you decide to use this feature. DNS zone transfers use TCP port 53. With this configuration, you create one listener with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic. You also create one listener with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic.
If you have multiple BIG-IP DNS systems in a device group, perform these steps on only one system.
These steps apply only to BIG-IP DNS-provisioned systems.
  1. On the Main tab, click DNS > Delivery > Listeners.
    The Listeners List screen opens.
  2. Click Create.
    The Listeners properties screen opens.
  3. In the Name field, type a unique name for the listener.
  4. For the Destination setting, in the Address field, type an IPv4 address on which the BIG-IP system listens for DNS queries.
  5. From the Listener list, select Advanced.
  6. If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
  7. Optional: If you are using NATs on your network, for the Address Translation setting, select the Enabled check box.
  8. Optional: If you are using port translation on your network, for the Port Translation setting, select the Enabled check box.
  9. In the Service area, from the Protocol list, select UDP.
  10. In the Service area, from the DNS Profile list, select either dns or a custom DNS profile configured for DNS Express.
  11. Click Finished.
Create another listener with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more listeners, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.

Creating virtual servers to process DNS queries

Create virtual servers to process the DNS queries that DNS Express handles. When DNS Express is only answering DNS queries, only two virtual servers are required: one with an IPv4 address that handles UDP traffic and one with an IPv6 address that handles UDP traffic.
However, the best practice is to create four listeners, which allows DNS Express to handle zone transfers, should you decide to use this feature. DNS zone transfers use TCP port 53. With this configuration, you create one virtual server with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic. You also create one virtual server with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic.
These steps apply only to LTM-provisioned systems.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    The IP address for this field needs to be on the same subnet as the external self-IP.
  5. In the Service Port field, type 53.
  6. From the Protocol list, select UDP.
  7. Optional: If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
  8. Optional: From the SNAT pool list, select the name of an existing SNAT pool.
  9. From the Configuration list, select Advanced.
  10. From the DNS Profile list, select either dns or the custom DNS profile you created for DNS Express.
  11. Click Finished.
Create another virtual server with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more virtual servers, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.

Viewing DNS zone statistics

You can view information about DNS zones.
  1. On the Main tab, click Statistics > Module Statistics > DNS > Zones.
    The Zones statistics screen opens.
  2. From the Statistics Type list, select Zones.
    Information displays about the traffic handled by the zones in the list.
  3. In the Details column for a zone, click View.
    Read the online help for an explanation of the statistics.

Viewing DNS cache statistics

Ensure that you have created a DNS cache and a DNS profile and have assigned the profile to either an LTM virtual server or a BIG-IP DNS listener.
You can view DNS cache statistics to determine how well a specific cache on the BIG-IP system is performing.
  1. On the Main tab, click Statistics > Module Statistics > DNS > Caches.
    The DNS Caches Status Summary screen opens.
  2. From the Statistics Type list, select Caches.
  3. In the Details column for a cache, click View to display detailed information about the cache.

About configuring the BIG-IP system as an RPZ distribution point

You can configure an RPZ on the BIG-IP system and allow other nameservers to perform zone transfers of the RPZ.
DNS Express supports only full zone transfers (AXFRs); therefore, transferring an RPZ from the BIG-IP system to another nameserver creates additional traffic on your internal network.

Task summary

Configuring the BIG-IP system as a distribution point for an RPZ

Ensure that you have created a DNS Express zone for the RPZ.
Enable the DNS Express zone for the RPZ to be a distribution point on your network to allow other nameservers to perform zone transfers of the RPZ.
  1. On the Main tab, click DNS > Zones.
    The Zone List screen opens.
  2. Click the name of the zone you want to modify.
  3. In the Zone Transfer Clients area, move the nameservers that can initiate zone transfers from the Available list to the Active list.
  4. Optional: From the TSIG Key list, select the TSIG key you want the BIG-IP system to use to validate zone transfer traffic.
  5. Click Update.

Enabling the BIG-IP system to respond to zone transfer requests

To enable the BIG-IP system to respond to zone transfer requests for an RPZ zone, create a custom DNS profile.
  1. On the Main tab, click DNS > Delivery > Profiles > DNS.
    The DNS profile list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. In the General Properties area, name the profile dns_zxfr.
  4. Select the Custom check box.
  5. In the DNS Traffic area, from the Zone Transfer list, select Enabled.
  6. Click Finished.

Creating listeners to handle zone transfer requests for an RPZ

Determine which DNS nameservers will make zone transfer requests for an RPZ.
Create listeners to alert the BIG-IP system to zone transfer requests for an RPZ.
DNS zone transfers use TCP port 53.
This task applies only to BIG-IP DNS-provisioned systems.
  1. On the Main tab, click DNS > Delivery > Listeners.
    The Listeners List screen opens.
  2. Click Create.
    The Listeners properties screen opens.
  3. In the Name field, type a unique name for the listener.
  4. For the Destination setting, in the Address field, type the IPv4 address on which the BIG-IP system listens for DNS zone transfer requests for a zone hosted on a pool of DNS servers.
  5. From the Listener list, select Advanced.
  6. From the VLAN Traffic list, select All VLANs.
  7. If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
  8. Optional: If you are using NATs on your network, for the Address Translation setting, select the Enabled check box.
  9. Optional: If you are using port translation on your network, for the Port Translation setting, select the Enabled check box.
  10. In the Service area, from the Protocol list, select TCP.
  11. In the Service area, from the DNS Profile list, select dns_zxfr (the custom profile you created to enable the BIG-IP system to process zone transfer requests).
  12. Click Repeat.
  13. Create another listener with the same settings, except using a different name and an IPv6 address.
  14. Click Finished.

Creating virtual servers to handle zone transfer requests for an RPZ

Determine which DNS nameservers will make zone transfer requests for an RPZ.
Create virtual servers to alert the BIG-IP system to zone transfer requests for an RPZ.
DNS zone transfers use TCP port 53.
This task applies only to LTM-provisioned systems.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    The IP address for this field needs to be on the same subnet as the external self-IP.
  5. In the Service Port field, type 53.
  6. From the Protocol list, select UDP.
  7. Optional: If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
  8. Optional: From the SNAT pool list, select the name of an existing SNAT pool.
  9. From the Configuration list, select Advanced.
  10. From the DNS Profile list, select the custom DNS profile you created.
  11. Click Finished.
Create another virtual server with the TCP protocol, but use an IPv6 address and configuration.