Manual Chapter: Configuring DNS Response Policy Zones
Applies To:
BIG-IP LTM
- 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP DNS
- 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Configuring DNS Response Policy Zones
Overview: DNS response policy zones and the BIG-IP system
The BIG-IP system can use a domain name service (DNS) response policy zone (RPZ) as a firewall mechanism. An RPZ is a zone that contains a list of known malicious Internet domains. The list includes a resource record set (RRset) for each malicious domain. Each RRset includes the name of the malicious domain and any subdomains of the domain.
When the BIG-IP system receives a DNS query for a domain that is on the malicious domain list of the RPZ, the system responds in one of two ways, based on your configuration. You can configure the system to return an NXDOMAIN response, which indicates that the domain does not exist. Alternatively, you can configure the system to return a response that directs the user to a walled garden.
About creating an RPZ using ZoneRunner
There are a number of vendors that host response policy zones (RPZs), and the BIG-IP system supports RPZs from such vendors. F5 has tested the BIG-IP system with the vendors Spamhaus (http://www.spamhaus.org/organization/dnsblusage/) and SURBL (http://www.surbl.org/df). If you do not want to purchase a subscription from a vendor, you can use ZoneRunner on the BIG-IP system to create a custom RPZ. ZoneRunner is available only with a BIG-IP DNS license.
Task summary
Creating a custom RPZ using ZoneRunner
Determine the host name and IP address of the BIG-IP system on which you are configuring the RPZ. These steps can be performed only on a BIG-IP system that is licensed for BIG-IP DNS.
You can create your own RPZ when you do not want to subscribe to an RPZ vendor.
- On the Main tab, click. The Zone List screen opens.
- Click Create. The New Zone screen opens.
- From the View Name list, select external. The external view is a default view to which you can assign zones.
- In the Zone Name field, type a name for the zone file. For example, to replicate the format of the Spamhaus and SURBL DNS RPZ names, type rpz.myblacklist.org
- From the Zone Type list, select Master.
- Clear the Zone File Name field, and type the zone file name, for example: db.external.rpz.blacklist.org
- In the Options field, add an also-notify statement to ensure that BIND notifies DNS Express when the zone is updated; for example: also-notify { ::1 port 5353; };
- In the SOA Record section, type values for the record fields:
  - In the TTL field, type the default time-to-live (TTL) for the records in the zone.
  - In the Master Server field, type the name of the BIG-IP DNS on which you are configuring this zone.
- In the NS Record section, type values for the record fields:
  - In the TTL field, type the time-to-live (TTL) for the nameserver record.
  - In the Name Server field, type the name of the BIG-IP DNS on which you are configuring this zone.
- Click Finished.
Add resource records that represent known malicious domains to your custom RPZ.
Adding resource records to a custom RPZ
Determine the names of the known malicious domains that you want to include in your custom DNS response policy zone (RPZ). These steps can be performed only on a BIG-IP system that is licensed for BIG-IP DNS.
For each malicious domain that you want to add to your custom RPZ, create a resource record for the domain. Additionally, you can add a wildcard resource record to represent all subdomains of the malicious domain.
- On the Main tab, click. The Zone List screen opens.
- Click the name of the custom RPZ to which you want to add malicious zone names. The Zone Properties screen opens.
- Click Add Resource Record. The New Resource Record screen opens.
- In the Name field, type the name of the malicious domain in front of the RPZ zone name that displays: [zone_name].rpz.myblacklist.org. For example, type maliciouszone.com.rpz.myblacklist.org. for the domain name, or *.maliciouszone.com.rpz.myblacklist.org. for its subdomains.
- In the TTL field, type the time-to-live (TTL) for the CNAME record.
- From the Type list, select CNAME.
- In the CNAME field, type . (a single period).
- Click Finished.
- Create additional resource records for each malicious domain that you want to include in your custom RPZ. Remember to create a resource record for the domain and a resource record for the subdomains.
You can now implement your RPZ on the BIG-IP system or on an external name server.
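The two ZoneRunner tasks above amount to writing a small BIND zone file: an SOA and NS record for the RPZ apex, then one CNAME "." trigger for each malicious domain and one for its "*." wildcard. The script below is an added example (not F5 code or anything ZoneRunner produces) that generates exactly that file from a list of domains, so the result can be reviewed or loaded on an external BIND server. The apex rpz.myblacklist.org comes from the page; the master host name, SOA contact and the domain list are constructed placeholders.

```python
"""Generate a custom RPZ zone file in the layout the ZoneRunner steps describe.

Added example, not F5 code. Assumptions: the zone apex is rpz.myblacklist.org
(the page's example), the BIG-IP's BIND is both SOA master and NS (placeholder
host name below), and every trigger uses CNAME "." (the RPZ encoding that
makes the resolver answer NXDOMAIN).
"""
import re
from typing import Iterable

RPZ_APEX = "rpz.myblacklist.org."          # from the page
MASTER = "bigip-dns.example.com."          # placeholder: the BIG-IP DNS host name
HOSTMASTER = "hostmaster.example.com."     # placeholder: SOA contact mailbox

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def normalize_domain(name: str) -> str:
    """Lower-case the name, drop a trailing dot, and validate every label."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        raise ValueError(f"bad domain: {name!r}")
    for label in name.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"bad label {label!r} in {name!r}")
    return name


def rpz_trigger_records(domain: str, ttl: int = 300) -> list:
    """The two records the procedure asks for per domain: the exact name and the
    subdomain wildcard, both written relative to the RPZ apex as in the Name field."""
    d = normalize_domain(domain)
    return [
        f"{d}.{RPZ_APEX}\t{ttl}\tIN\tCNAME\t.",
        f"*.{d}.{RPZ_APEX}\t{ttl}\tIN\tCNAME\t.",
    ]


def build_rpz_zone(domains: Iterable[str], serial: int, ttl: int = 300) -> str:
    """Assemble the full zone text: $ORIGIN/$TTL, SOA, NS, then the trigger records.
    Duplicate domains are skipped so no owner name ends up with two CNAMEs."""
    lines = [
        f"$ORIGIN {RPZ_APEX}",
        f"$TTL {ttl}",
        # SOA: mname rname serial refresh retry expire minimum
        f"@\tIN\tSOA\t{MASTER} {HOSTMASTER} {serial} 3600 900 604800 60",
        f"@\tIN\tNS\t{MASTER}",
    ]
    seen = set()
    for dom in domains:
        d = normalize_domain(dom)
        if d in seen:
            continue
        seen.add(d)
        lines.extend(rpz_trigger_records(d, ttl))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input list; the serial follows the YYYYMMDDnn convention.
    print(build_rpz_zone(["maliciouszone.com", "MaliciousZone.com.", "evil.example"],
                         serial=2024010101))
```

Bump the SOA serial on every change, otherwise the also-notify in the zone options will fire but DNS Express (or any secondary) will see an unchanged serial and skip the transfer.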
About configuring the BIG-IP system to use an RPZ as a DNS firewall
With an RPZ configuration, the BIG-IP system filters DNS queries for domains that are known to be malicious and returns custom responses that direct those queries away from the malicious domain.
Task summary
Optional: Adding a TSIG key for the server that hosts the RPZ
Before adding a TSIG key for a DNS server that hosts an RPZ:
- Ensure that the DNS server is configured to allow the BIG-IP system to perform zone transfers.
- Ensure that the time on the systems that use TSIG keys is synchronized.
- Obtain the TSIG key for each DNS server.
Add a TSIG key to the BIG-IP system configuration when you want to validate zone transfer communications between DNS Express and a DNS server hosting an RPZ.
- On the Main tab, click. The TSIG Key List screen opens.
- Click Create. The New TSIG Key screen opens.
- In the Name field, type the name of the TSIG key.
- From the Algorithm list, select the algorithm that was used to generate the key.
- In the Secret field, type the TSIG key secret.
- Click Finished.
Add the TSIG key to the DNS nameserver object that represents the RPZ server on the BIG-IP system.
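To show what the TSIG key configured above actually protects, and why the prerequisite about synchronized clocks matters, here is an added example (not F5 code) that signs a minimal AXFR request for the RPZ with HMAC-SHA256 and verifies it the way the receiving server does under RFC 8945. The key name, the secret and the zone name are constructed placeholders; the algorithm name, the MAC input layout and the BADSIG/BADTIME outcomes follow the RFC.

```python
"""TSIG (RFC 8945) signing and verification of a DNS zone-transfer request.

Added example, not F5 code; standard library only. KEY_NAME, SECRET and the
zone name are constructed placeholders. ALGORITHM is the RFC name that the
Algorithm list on the BIG-IP refers to as HMAC-SHA256.
"""
import hashlib
import hmac
import secrets
import struct

KEY_NAME = "rpz-xfer-key."        # placeholder; must be identical on both ends
ALGORITHM = "hmac-sha256."        # RFC 8945 algorithm name, in domain-name form
SECRET = secrets.token_bytes(32)  # placeholder; the real secret is issued by the zone owner
FUDGE = 300                       # seconds of clock skew the verifier tolerates


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def axfr_request(zone: str, msg_id: int) -> bytes:
    """A minimal unsigned AXFR query: 12-byte header with QDCOUNT=1, then the
    question (zone name, QTYPE AXFR = 252, QCLASS IN = 1)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)


def tsig_variables(time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG RR fields covered by the MAC, in RFC 8945 order: key name, class ANY,
    TTL 0, algorithm name, time signed (48 bits), fudge, error, other length, other data."""
    return (wire_name(KEY_NAME)
            + struct.pack("!HI", 255, 0)
            + wire_name(ALGORITHM)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def sign(message: bytes, secret: bytes, time_signed: int) -> bytes:
    """MAC over the unsigned DNS message followed by the TSIG variables."""
    return hmac.new(secret, message + tsig_variables(time_signed, FUDGE), hashlib.sha256).digest()


def verify(message: bytes, mac: bytes, time_signed: int, secret: bytes, now: int) -> str:
    """The receiver's checks before it honours the request: the MAC first (a mismatch
    means a wrong key or a modified message, answered BADSIG), then the timestamp
    (outside the fudge window means BADTIME; this is why the clocks must be in sync)."""
    if not hmac.compare_digest(mac, sign(message, secret, time_signed)):
        return "BADSIG"
    if abs(now - time_signed) > FUDGE:
        return "BADTIME"
    return "ok"


if __name__ == "__main__":
    msg = axfr_request("rpz.myblacklist.org", 0x1234)   # constructed request
    t = 1_700_000_000
    mac = sign(msg, SECRET, t)
    print(verify(msg, mac, t, SECRET, t + 10))        # ok
    print(verify(msg, mac, t, SECRET, t + 1000))      # BADTIME
    print(verify(msg + b"\x00", mac, t, SECRET, t))   # BADSIG
```

The verify() function uses a constant-time comparison for the MAC, as the receiving name server must; a BADTIME from a server you just configured is almost always a clock problem on one side rather than a key problem.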
Adding a nameserver object for the server that hosts the RPZ
Obtain the IP address of the authoritative DNS server that hosts the DNS response policy zone (RPZ).
When you want to transfer an RPZ from an authoritative DNS server into the DNS Express engine, add a nameserver object that represents the server that hosts the zone.
- On the Main tab, click. The Nameservers List screen opens.
- Click Create. The New Nameserver screen opens.
- In the Name field, type a name for the authoritative DNS server.
- In the Address field, type the IP address on which the DNS server listens for DNS messages. If the RPZ is hosted on BIND on the BIG-IP system, use the name localhost, the default Address 127.0.0.1, and Service Port 53.
- From the TSIG Key list, select the TSIG key that matches the TSIG key on this DNS server. The BIG-IP system uses this TSIG key to sign zone transfer requests to the DNS server hosting the zone.
- Click Finished.
Create a DNS Express zone and add the nameserver object to the zone.
Creating an RPZ DNS Express zone
Before you create the DNS Express zone:
- Ensure that the authoritative DNS server that currently hosts the DNS response policy zone (RPZ) is configured to allow zone transfers to the BIG-IP system.
- Ensure that a nameserver object that represents that authoritative DNS server exists in the BIG-IP system configuration.
- Determine the name you want to use for the DNS Express zone. The zone name must match the zone name on the authoritative DNS server exactly. Zone names are case insensitive.
Create a DNS Express zone on the BIG-IP system when you want to transfer an RPZ into DNS Express.
- On the Main tab, click. The Zone List screen opens.
- Click Create. The New Zone screen opens.
- In the Name field, type the name of the DNS zone. The name must begin and end with a letter and contain only letters, numbers, and the period and hyphen (-) characters.
- In the DNS Express area, from the Server list, select the authoritative primary DNS server that currently hosts the zone. The DNS Express engine requests zone transfers from this server.
- Select the Response Policy check box.
- Click Finished.
Creating a DNS cache
Ensure that the global DNS settings are configured based on your network architecture.
Create a DNS cache on the BIG-IP system when you want to use an RPZ to protect your network from known malicious domains.
- On the Main tab, click. The DNS Cache List screen opens.
- Click Create. The New DNS Cache screen opens.
- In the Name field, type a name for the cache.
- From the Resolver Type list, select one of three types:
  - Resolver: Resolves a DNS request and stores the response in the DNS cache.
  - Validating Resolver: Resolves a DNS request, verifies the response using a DNSSEC key, and stores the response in the DNS cache.
  - Transparent (None): Sends a DNS request to a DNS server for resolution, and stores the response in the DNS cache.
- Click Finished.
Adding a local zone to represent a walled garden
Ensure that the DNS cache with which you are implementing the RPZ is configured on the BIG-IP system. Obtain the resource records for the walled garden zone on your network.
When you want the BIG-IP system to redirect DNS queries for known malicious domains to a specific domain, add a local zone that represents a walled garden on your network to the DNS cache you will use to implement an RPZ.
- On the Main tab, click. The DNS Cache List screen opens.
- Click the name of the cache you want to modify. The properties screen opens.
- On the menu bar, click Local Zones. The Local Zones screen opens.
- Click the Add button.
- In the Name field, type the domain name of the walled garden on your network. The domain you enter must be the exact name you want to use for the walled garden. Ensure that you use a zone name that does not match any other resources on your network, for example, walledgarden.siterequest.com.
- From the Type list, select Static.
- In the Records area, specify a resource record to identify the local zone, including domain name, type, class, TTL, and record data, separated by spaces, and then click Add. For example, if the local zone name is walledgarden.siterequest.com, then this is an example of an A record entry: walledgarden.siterequest.com. IN A 10.10.10.124, and this is an example of an AAAA record entry: walledgarden.siterequest.com. IN AAAA 2002:0:1:12:123:c:cd:cdf.
- Click Finished.
Adding an RPZ to a DNS cache
If you want the BIG-IP system to redirect DNS queries for known malicious domains to a specific location, ensure that you have associated a local zone that represents the walled garden with the DNS cache.
Add an RPZ to a DNS cache on the BIG-IP system when you want to protect your network from known malicious domains.
- On the Main tab, click. The DNS Cache List screen opens.
- Click the name of the cache you just created. The properties screen opens.
- On the menu bar, click Response Policy Zones. The Response Policy Zones screen opens.
- Click the Add button.
- From the Zone list, select an RPZ.
- From the Action list, select an action:
  - NXDOMAIN: Resolves a DNS query for a malicious domain found in the RPZ with an NXDOMAIN response, which states that the domain does not exist.
  - walled-garden: Resolves a DNS query for a malicious domain found in the RPZ by providing an A or AAAA record response, which redirects the query to a known host.
- If you selected the walled-garden action, from the Walled Garden IP list, select the local zone that represents the walled garden on your network.
- Click Finished.
Staging the RPZ on your network
Ensure that a DNS cache configured with an RPZ exists on the system.
When you want to test how using an RPZ affects your network environment, modify the RPZ by enabling the Logs and Stats Only setting.
- On the Main tab, click. The DNS Cache List screen opens.
- Click the name of the cache you want to modify. The properties screen opens.
- On the menu bar, click Response Policy Zones. The Response Policy Zones screen opens.
- Click the name of the RPZ you want to modify.
- Select the Logs and Stats Only check box. When checked, queries that match a malicious domain in the RPZ list are logged and statistics are created; however, RPZ policies are not enforced. That is, when a DNS query matches a malicious domain in the RPZ list, the system does not return an NXDOMAIN response or redirect the query to a walled garden. System performance is affected even when Logs and Stats Only is selected, because the system still performs RPZ lookups.
- Click Finished.
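The three tasks above (the walled-garden local zone, the RPZ action, and the Logs and Stats Only staging setting) decide what a client actually gets back for a listed domain. The model below is an added example, not F5 code and not how the BIG-IP implements its cache; it parses the Records-area entries in the page's "name class type rdata" form, applies the exact and "*." wildcard triggers the ZoneRunner steps create, and returns NXDOMAIN, the walled-garden A/AAAA records, or (in staging mode) the normal answer while still recording the hit. The domain names and addresses are the page's own examples; the upstream answer 203.0.113.5 is constructed.

```python
"""Model of how a DNS cache applies an RPZ, its action and the staging flag.

Added example, not F5 code. Covers: walled-garden local zone records, the
NXDOMAIN and walled-garden actions, and Logs and Stats Only (log, don't enforce).
The page's example names/addresses are used; the upstream answer is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional
import ipaddress

Answer = tuple  # (rcode, [rdata, ...])


def parse_local_zone_record(line: str) -> tuple:
    """Parse one Records-area entry, 'name [ttl] class type rdata' separated by spaces,
    e.g. 'walledgarden.siterequest.com. IN A 10.10.10.124'. Returns (owner, type, rdata)."""
    parts = line.split()
    if len(parts) == 5 and parts[1].isdigit():
        owner, _ttl, cls, rtype, rdata = parts
    elif len(parts) == 4:
        owner, cls, rtype, rdata = parts
    else:
        raise ValueError(f"unparseable record: {line!r}")
    if cls.upper() != "IN":
        raise ValueError(f"unsupported class {cls!r}")
    rtype = rtype.upper()
    if rtype not in ("A", "AAAA"):
        raise ValueError(f"walled garden records must be A or AAAA, got {rtype}")
    addr = ipaddress.ip_address(rdata)                 # rejects malformed addresses
    if (rtype == "A") != (addr.version == 4):
        raise ValueError(f"{rtype} record carries an IPv{addr.version} address")
    return owner.lower().rstrip("."), rtype, str(addr)


@dataclass
class RPZ:
    triggers: set                      # e.g. {"maliciouszone.com", "*.maliciouszone.com"}
    action: str                        # "NXDOMAIN" or "walled-garden"
    walled_garden: list = field(default_factory=list)  # [(type, rdata)] from the local zone
    logs_and_stats_only: bool = False  # the staging setting
    hits: list = field(default_factory=list)           # what the logs/stats would record

    def match(self, qname: str) -> Optional[str]:
        """An exact trigger matches only that name; '*.d' matches proper subdomains of d
        but not d itself, which is why the procedure adds one record of each kind."""
        q = qname.lower().rstrip(".")
        if q in self.triggers:
            return q
        labels = q.split(".")
        for i in range(1, len(labels)):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in self.triggers:
                return wildcard
        return None

    def resolve(self, qname: str, qtype: str, upstream: Callable[[str, str], Answer]) -> Answer:
        """upstream() stands in for normal resolution; the RPZ only intervenes on a hit."""
        hit = self.match(qname)
        if hit is None:
            return upstream(qname, qtype)
        self.hits.append(f"{qname.lower().rstrip('.')} matched {hit}")
        if self.logs_and_stats_only:   # staging: the lookup and the log entry happen, nothing is enforced
            return upstream(qname, qtype)
        if self.action == "NXDOMAIN":
            return ("NXDOMAIN", [])
        # walled-garden: answer with the local zone's records of the requested type
        return ("NOERROR", [rdata for rtype, rdata in self.walled_garden if rtype == qtype])


def demo() -> dict:
    """Constructed run-through of the three behaviours; returns the answers for inspection."""
    upstream = lambda q, t: ("NOERROR", ["203.0.113.5"])   # constructed 'real' answer
    garden = [rec[1:] for rec in map(parse_local_zone_record, [
        "walledgarden.siterequest.com. IN A 10.10.10.124",
        "walledgarden.siterequest.com. IN AAAA 2002:0:1:12:123:c:cd:cdf",
    ])]
    triggers = {"maliciouszone.com", "*.maliciouszone.com"}
    block = RPZ(triggers, "NXDOMAIN")
    garden_rpz = RPZ(triggers, "walled-garden", garden)
    staged = RPZ(triggers, "NXDOMAIN", logs_and_stats_only=True)
    return {
        "blocked": block.resolve("cdn.maliciouszone.com.", "A", upstream),
        "garden_a": garden_rpz.resolve("maliciouszone.com", "A", upstream),
        "garden_6": garden_rpz.resolve("a.b.maliciouszone.com", "AAAA", upstream),
        "staged": staged.resolve("maliciouszone.com", "A", upstream),
        "staged_hits": list(staged.hits),
        "clean": block.resolve("notmaliciouszone.com", "A", upstream),
    }


if __name__ == "__main__":
    for name, answer in demo().items():
        print(f"{name}: {answer}")
```

Two details worth checking against your own list before leaving staging: a wildcard trigger alone leaves the bare domain unfiltered, and a local zone whose A record is typed with an IPv6 address (or vice versa) is rejected here, while the Records area only tells you after the fact that clients get no answer for that type.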
Creating a custom DNS profile for DNS caching
Ensure that at least one DNS cache exists on the BIG-IP system.
You can create a custom DNS profile to configure the BIG-IP system to cache responses to DNS queries.
- On the Main tab, click. The DNS profile list screen opens.
- Click Create. The New DNS Profile screen opens.
- In the Name field, type a unique name for the profile.
- In the General Properties area, from the Parent Profile list, accept the default dns profile.
- Select the Custom check box.
- In the DNS Features area, from the DNS Cache list, select Enabled. When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list.
- In the DNS Features area, from the DNS Cache Name list, select the DNS cache that you want to associate with this profile. You can associate a DNS cache with a profile even when the DNS Cache option is Disabled.
- Click Finished.
Creating listeners to identify DNS queries
Create listeners to identify the DNS queries that DNS Express handles. When DNS Express is only answering DNS queries, only two listeners are required: one with an IPv4 address that handles UDP traffic and one with an IPv6 address that handles UDP traffic.
However, the best practice is to create four listeners, which allows DNS Express to handle zone transfers, should you decide to use this feature. DNS zone transfers use TCP port 53. With this configuration, you create one listener with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic. You also create one listener with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic. If you have multiple BIG-IP DNS systems in a device group, perform these steps on only one system.
These steps apply only to BIG-IP DNS-provisioned systems.
- On the Main tab, click. The Listeners List screen opens.
- Click Create. The Listeners properties screen opens.
- In the Name field, type a unique name for the listener.
- For the Destination setting, in the Address field, type an IPv4 address on which the BIG-IP system listens for DNS queries.
- From the Listener list, select Advanced.
- If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
- Optional: If you are using NATs on your network, for the Address Translation setting, select the Enabled check box.
- Optional: If you are using port translation on your network, for the Port Translation setting, select the Enabled check box.
- In the Service area, from the Protocol list, select UDP.
- In the Service area, from the DNS Profile list, select either dns or a custom DNS profile configured for DNS Express.
- Click Finished.
Create another listener with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more listeners, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.
Creating virtual servers to process DNS queries
Create virtual servers to process the DNS queries that DNS Express handles. When DNS Express is only answering DNS queries, only two virtual servers are required: one with an IPv4 address that handles UDP traffic and one with an IPv6 address that handles UDP traffic.
However, the best practice is to create four virtual servers, which allows DNS Express to handle zone transfers, should you decide to use this feature. DNS zone transfers use TCP port 53. With this configuration, you create one virtual server with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic. You also create one virtual server with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic. These steps apply only to LTM-provisioned systems.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address/Mask field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address for this field needs to be on the same subnet as the external self IP.
- In the Service Port field, type 53.
- From the Protocol list, select UDP.
- Optional: If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
- Optional: From the SNAT pool list, select the name of an existing SNAT pool.
- From the Configuration list, select Advanced.
- From the DNS Profile list, select either dns or the custom DNS profile you created for DNS Express.
- Click Finished.
Create another virtual server with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more virtual servers, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.
Viewing DNS zone statistics
You can view information about DNS zones.
- On the Main tab, click. The Zones statistics screen opens.
- From the Statistics Type list, select Zones. Information displays about the traffic handled by the zones in the list.
- In the Details column for a zone, click View. Read the online help for an explanation of the statistics.
Viewing DNS cache statistics
Ensure that you have created a DNS cache and a DNS profile, and have assigned the profile to either an LTM virtual server or a BIG-IP DNS listener.
You can view DNS cache statistics to determine how well a specific cache on the BIG-IP system is performing.
- On the Main tab, click. The DNS Caches Status Summary screen opens.
- From the Statistics Type list, select Caches.
- In the Details column for a cache, click View to display detailed information about the cache.
About configuring the BIG-IP system as an RPZ distribution point
You can configure an RPZ on the BIG-IP system and allow other nameservers to perform zone transfers of the RPZ. DNS Express supports only full zone transfers (AXFRs); therefore, transferring an RPZ from the BIG-IP system to another nameserver creates additional traffic on your internal network.
Task summary
Configuring the BIG-IP system as a distribution point for an RPZ
Ensure that you have created a DNS Express zone for the RPZ.
Enable the DNS Express zone for the RPZ to be a distribution point on your network, to allow other nameservers to perform zone transfers of the RPZ.
- On the Main tab, click. The Zone List screen opens.
- Click the name of the zone you want to modify.
- In the Zone Transfer Clients area, move the nameservers that can initiate zone transfers from the Available list to the Active list.
- Optional: From the TSIG Key list, select the TSIG key you want the BIG-IP system to use to validate zone transfer traffic.
- Click Update.
Enabling the BIG-IP system to respond to zone transfer requests
To enable the BIG-IP system to respond to zone transfer requests for an RPZ zone, create a custom DNS profile.
- On the Main tab, click. The DNS profile list screen opens.
- Click Create. The New DNS Profile screen opens.
- In the General Properties area, name the profile dns_zxfr.
- Select the Custom check box.
- In the DNS Traffic area, from the Zone Transfer list, select Enabled.
- Click Finished.
Creating listeners to handle zone transfer requests for an RPZ
Determine which DNS nameservers will make zone transfer requests for an RPZ.
Create listeners to alert the BIG-IP system to zone transfer requests for an RPZ. DNS zone transfers use TCP port 53. This task applies only to BIG-IP DNS-provisioned systems.
- On the Main tab, click. The Listeners List screen opens.
- Click Create. The Listeners properties screen opens.
- In the Name field, type a unique name for the listener.
- For the Destination setting, in the Address field, type the IPv4 address on which the BIG-IP system listens for DNS zone transfer requests for a zone hosted on a pool of DNS servers.
- From the Listener list, select Advanced.
- From the VLAN Traffic list, select All VLANs.
- If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
- Optional: If you are using NATs on your network, for the Address Translation setting, select the Enabled check box.
- Optional: If you are using port translation on your network, for the Port Translation setting, select the Enabled check box.
- In the Service area, from the Protocol list, select TCP.
- In the Service area, from the DNS Profile list, select dns_zxfr (the custom profile you created to enable the BIG-IP system to process zone transfer requests).
- Click Repeat.
- Create another listener with the same settings, except using a different name and an IPv6 address.
- Click Finished.
Creating virtual servers to handle zone transfer requests for an RPZ
Determine which DNS nameservers will make zone transfer requests for an RPZ.
Create virtual servers to alert the BIG-IP system to zone transfer requests for an RPZ. DNS zone transfers use TCP port 53. This task applies only to LTM-provisioned systems.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address/Mask field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address for this field needs to be on the same subnet as the external self IP.
- In the Service Port field, type 53.
- From the Protocol list, select UDP.
- Optional: If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
- Optional: From the SNAT pool list, select the name of an existing SNAT pool.
- From the Configuration list, select Advanced.
- From the DNS Profile list, select the custom DNS profile you created.
- Click Finished.
Create another virtual server with the TCP protocol, but use an IPv6 address and configuration.