A note about DNS Firewall accounts: if your account is brand new and was not set up through our sales team, it will not have DNS Firewall support by default. To have this enabled, contact our sales team to have your account flagged for DNS Firewall access.

Policies & Lists

The Policies & Lists screen is comprised of five tabs for DNS Firewall based accounts:

  • Policies: Any policies associated with the account will be displayed here, and new policies may be added by clicking + Add Policy.
    Policies themselves are constructed from target lists.
  • DNS FW Policy: DNS Firewall policies, or RPZs (Response Policy Zones), are used to block or allow communications with the IP addresses associated with a domain name. The zones are pulled by DNS servers and contain host names, domains, and IP addresses, which are referenced to control communications with a target.
  • User-Defined Lists: When you have generated one or more custom lists of IPs they will display in this tab. Custom lists provide a great deal of control over the communications allowed with your internal network. The type of list will determine the action taken against a particular target IP. These lists define IP addresses specific to your needs, and will work in conjunction with ThreatSTOP's pre-defined lists.
  • User-Defined Domains: Similar to User-Defined Lists, User-Defined Domains instead contain lists of human readable references for IP address groups. These lists can be set to allow or block communications with IP address blocks associated with a Domain Name. These lists define RPZs specific to your needs, and will work in conjunction with ThreatSTOP's pre-defined lists. More information on the available action types can be found under RPZ Behaviors.
  • RPZ Behaviors: This tab allows for the definition of actions to be applied to a DNS Firewall Policy. As an example, the predefined behavior NXDOMAIN tells the DNS firewall to respond with a "non-existent" message to any communication attempts from a target on the DNS Firewall list.

Policies including DNS Firewall Policies can be generated using any combination of our pre-defined lists, your custom defined lists and domains, or a combination of both.

Policy summaries are broken down into individual statistics and descriptions as explained in Create/Edit Policy.

Create/Edit Policy

The Create and Edit Policy pop-ups are used to create and maintain custom ThreatSTOP policies. There are two available modes for policy creation, Standard and Expert. Standard mode allows a user to quickly create a ThreatSTOP policy to be used for protection in a firewall configuration. Expert mode allows for the creation of a custom ThreatSTOP policy, but is slightly more complex to set up. This can allow for policies that allow access to slightly more hazardous IP spaces while denying IPs that are known to the System Administrator to be bad.

The window itself is comprised of the following fields:

  • Policy name: A brief name to apply to the policy. For example "Block0". Changing this name will require a setup on the devices using the policy.
  • Description: A brief description of what the policy is intended to accomplish.
  • Standard Mode/Expert Mode switch: On the right side of the header is the switch to change between Standard and Expert modes. Changing this will require you to reselect your policies. It will also reload the pop-up.
  • Policy Summary: The right-side of the pop-up houses the Policy Summary box. This box gives a high-level overview of your selected policy, and allows removal of individual selections without requiring that the policy be found in the master list. Summarized information provided includes:
    • Num of IP's: The total number of IP addresses being blocked by your active policy decisions.
    • Number of records: Number of subnets required to block the IP records being blocked or allowed.
    • Block Group: Shows any lists of blocked IPs that have been added to the policy being created.
    • Allow Group: Shows any lists of allowed IPs that have been added to the policy being created.
    • Customer Group: Shows any lists generated by the customer that have been added to the policy being created.
  • Block: The Block tab shows available target lists of IPs. Ticking the box next to the list name will add that list to the policy to be generated and used by your instance of ThreatSTOP. These IPs will be denied any communication (to or from) your internal network provided that exceptions are not set in the Allow lists. This effectively hides your network from cybercriminals.
  • Allow: The Allow tab lists available target IPs. Ticking the box next to the list name will add that list to the policy to be generated and used by your instance of ThreatSTOP. IPs on this list will be able to receive information from inside your network (allowing "dial homes") from any malware active in your system. But the IPs in question may not be able to communicate back depending on your Block list settings.

    Note:

     Lists come in three types:

    • Threat: Threat lists are lists comprised of known malicious IPs.
    • Geo: Geo lists block entire Geographical regions, regardless of whether communications from that region have been hostile or friendly.
    • User-Defined: Allow or block communications with IP ranges that are defined by the user.
  • Devices: Lists any devices that have been set up to use the ThreatSTOP service. For more information on setting up devices see Adding a Device.

Setting Up a Policy

Policies combine target lists to define the Fully Qualified Domain Names (FQDNs) to which communications are regulated. Unlike a traditional IP firewall, a DNS Firewall regulates outbound traffic without regulating inbound traffic. Attempts to contact regulated domains can be handled according to predefined behaviors; by default ThreatSTOP provides four settings (respond with no such domain, drop all communications, don't provide data, or pass data through).

To set a Policy:

  1. Click on the Policies tab towards the top of the window.
  2. Click on + Add Policy.
    The Create Policy pop-up will appear.
  3. Enter a name for your new policy in the Policy name field.
  4. Type a brief description of your policy in the Description field. This will help you focus on what you are looking to accomplish with your policy.
    For example, "Block Malware, Botnets, and TOR" could help you remember to tick the boxes under Malware, Botnets, and Anonymous proxies.
  5. Determine the type of policy that you would prefer, Standard or Expert, and toggle the usage mode appropriately.
  6. Locate and tick the boxes next to the groups you want to Block from communicating with your network.
  7. Click on Allow. Then determine if there are any exceptions that you wish to set for the blocked networks on your list, and tick the boxes next to them.
  8. Once you have your firewall policy defined to your liking click Submit.
    This will add your policy name to the Policy field in the device setup section (covered in Adding a Device).

    Note:

     Changes to an established policy will take about 15 minutes before propagating to the device.

User-Defined Lists

User-defined lists are IP address groups created by you; they are unique to your account.

Block Lists are made up of IP addresses that should not be able to communicate with your network.

An Allow List may be needed for communication with a known, limited IP range in an otherwise questionable IP address space. Due to the level of expertise required to establish a proper custom list, further information can be found in Establishing Custom Policies.

To Create a User-Defined List

Creating a User-Defined List happens through the Create List pop-up window. Since this is a relatively advanced process, familiarity with the system is going to be assumed and only the field descriptions will be supplied:

  • List Name: A brief descriptive name for the list. This field has a limit of eight characters. For example: "Block0".
  • Description: A slightly longer description of the goal of this list.
  • List Type: The type of list being created. Two possibilities exist: Block and Allow. Block is selected by default.
  • IP/Netmask: This shows the IP and netmask of any blocked IPs in CIDR format.
  • Number of IP Addresses: Shows how many addresses are in the entry.
  • Comments: Denotes why an entry was made.
  • Actions: Two options will display in this field: Edit and Delete. Clicking Edit allows the IP address range and comments to be modified. After editing, click on the Save icon to commit the changes to the list before clicking Done to save the list.

Additionally, two tabs are available under the Add more records section:

  • Individual IP: Individual IP can be used to add a single entry using the following fields:
    • IP/netmask: The range of addresses should be entered here. The field uses standard CIDR format: enter the first IP of the range to block, followed by a / and the length of the subnet mask (in bits) of the range to block. For example, 192.168.0.0/24 means 192.168.0.0 - 192.168.0.255.
    • Comment: Optional comment for the IP being added.
  • Multiple IPs: If multiple IP address ranges are to be added, you can save time by entering them here in CIDR format, each followed by a space and any applicable comment. For example: 192.168.0.0/24 No one's talking to this network.
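The following is an added example, not ThreatSTOP's code: it parses the Multiple IPs bulk format described above (one CIDR entry per line followed by a comment), rejects entries whose prefix does not start on a network boundary so a typo cannot silently shift the blocked range, and computes the per-entry and total address counts shown in the portal's Number of IP Addresses column. The sample input is constructed, and treating a bare address without a prefix length as a single /32 host is this example's assumption, not documented portal behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ListEntry:
    network: ipaddress.IPv4Network
    comment: str

    @property
    def num_addresses(self) -> int:
        # Mirrors the portal's "Number of IP Addresses" column for one entry.
        return self.network.num_addresses

    @property
    def first_address(self) -> str:
        return str(self.network.network_address)

    @property
    def last_address(self) -> str:
        return str(self.network.broadcast_address)


def parse_multiple_ips(text: str) -> list[ListEntry]:
    """Parse the 'Multiple IPs' bulk format: '<CIDR> <comment>' per line.

    Assumption of this example: a bare address with no prefix length is a
    single host (/32). strict=True rejects CIDRs with host bits set
    (e.g. 192.168.0.1/24) instead of silently widening the range.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        cidr, _, comment = line.partition(" ")
        try:
            network = ipaddress.IPv4Network(cidr, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: invalid CIDR {cidr!r}: {exc}") from exc
        entries.append(ListEntry(network=network, comment=comment.strip()))
    return entries


def total_addresses(entries: list[ListEntry]) -> int:
    """Addresses covered by the whole list, with overlapping entries collapsed."""
    collapsed = ipaddress.collapse_addresses(e.network for e in entries)
    return sum(n.num_addresses for n in collapsed)


# Constructed sample input in the portal's bulk format (not from the page).
SAMPLE = """\
192.168.0.0/24 No one's talking to this network.
10.20.30.0/30 Lab jump hosts
10.20.30.0/28 Whole lab segment (overlaps the entry above)
"""

if __name__ == "__main__":
    entries = parse_multiple_ips(SAMPLE)
    for e in entries:
        print(f"{str(e.network):<18} {e.first_address}-{e.last_address}"
              f"  {e.num_addresses:>5}  {e.comment}")
    print("total unique addresses:", total_addresses(entries))
```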

User-Defined Domains

This tab lists the domains you have added to custom DNS FW Policies, together with the behaviors you have defined for them. After a Domain list has been defined, the following summary information will be displayed:

  • User List: The user-defined name for the Domain list. This should be short and descriptive of what the list does.
  • Number of Domains: The number of domains on the list.
  • Number of Records: The total number of records on the list. For User-Defined lists this will always equal the number of domains.
  • List Type: Shows the type of list created. For DNS firewall records this will always be RPZ.
  • Actions: Two options will display in this field: Edit and Delete. Clicking Edit allows the Domain Name and comments to be modified. After editing, click on the Save icon to commit the changes to the list before clicking Done to save the list.

New User-Defined Domains may be added by clicking + Add User Domains List which will open the Create List window.

Create/Edit a User-Defined Domain List

Creating a User-Defined Domain List happens through the Create List pop-up window. Since this is a relatively advanced process, familiarity with the system is going to be assumed and only the field descriptions will be supplied:

  • List Name: A brief descriptive name for the list. This field has a limit of eight characters. For example: "Block0".
  • Description: A slightly longer description of the goal of this list.
  • Domain: Once domains have been added to the list, this field will list the FQDN having action taken against it.
  • Comments: Denotes why the entry was made.
  • Actions: Two options will display in this field: Edit and Delete. Clicking Edit allows the domain and comments to be modified. After editing, click on the Save icon to commit the changes to the list before clicking Done to save the list.
  • Delete All: Empties the contents of the list being modified.
  • Update All: Loads the list into the Multiple Domains tab (described below) and allows for the entire list to be edited in bulk.
  • Add more records: Add more records allows for the addition of records to a given list through two tabs.
    • Individual Domain: Allows for a single domain to be added to the list. After adding the information below, click Add to move the information into the list.
      • Domain: The domain name of the service to be blocked or allowed to communicate. This is a human-readable domain that may comprise multiple IP addresses, and will effectively block an entire service from being used, or only allow that service to be used.
      • Comment: Use this field to note why a behavior is being taken against the specified domain.
    • Multiple Domains: If multiple domains need to be added in bulk, it can be done by clicking on this tab. Copy and paste the domains to have action taken against them into this field. The formatting for this field is: <Domain Name> <Comment> with one entry per line.

Once a list has been added it may be edited by clicking the Edit button. This will place the Domain and Comments fields into an editable format and changes may be entered. From there you can click Save to place the changed data back into the list.

DNS FW Policy

This tab displays the DNS FW Policy associated with your account. On a new account seven predefined policies are set up, with the ability to add new policies through the + Add Policy button. The fields presented display the following data:

  • Policy Name: The user generated name for the policy.
  • Number of IPs: The number of IPs blocked by this policy.
  • Number of Records: How many records are on file with ThreatSTOP that contain the IP addresses blocked.

Create/Edit DNS Firewall Policy

Much like the standard Create and Edit Policy pop-ups for non-DNS firewalls, the Create and Edit DNS FW Policy pop-ups allow for the custom definition of DNS firewall behaviors. There are minor differences in how DNS firewalls handle data, and this functionality is controlled through the Default Behavior and individual Behavior dropdowns, as defined below:

  • Policy name: A brief name to apply to the policy. For example "Block0". Changing this name will require a new configuration on devices designated to use the policy.
  • Description: A brief description of what the policy is intended to accomplish.
  • Default Behavior: This sets the default setting for the Behavior tabs next to each Target List. These behaviors are detailed in the RPZ Behaviors section.
  • Standard Mode/Expert Mode switch: On the right side of the header is the switch to change between Standard and Expert modes. Changing this will require you to reselect your policies. It will also reload the pop-up.
  • Policy Summary: The right-side of the pop-up houses the Policy Summary box. This box gives a high-level overview of your selected policy, and allows removal of parts of that policy without requiring that the policy be found in the master list. Summarized information provided includes:
    • Behavior: The Behavior of a firewall rule determines how data associated with a Domain Name is handled. There are four basic behaviors defined by ThreatSTOP, and there may be more if additional behaviors have been created in the RPZ Behaviors tab. The base behaviors are explained in RPZ Behaviors, but the base list is:
      • NXDOMAIN
      • NODATA
      • PASSTHRU
      • DROP
    • Num of IP's: The total number of IP addresses being blocked by your active policy decisions.
    • Number of records: Number of subnets required to block the IP records being blocked or allowed.

RPZ Behaviors

This tab allows the user to select what behaviors your DNS FW Policy exhibits. The behaviors are used in the policy action drop-down when a policy is being created or edited. Behaviors can be added by clicking + Add Behavior.

The tab is comprised of three fields and defaults with four behavior types.

  • Name: A short descriptive name for the behavior. Four behaviors are defined by default:
    • NXDOMAIN: Returns a message saying that this domain does not exist.
    • NODATA: Returns no data to inquiries about the domain's existence.
    • PASSTHRU: Packets from domains associated with this rule will be allowed to communicate with services inside your network.
    • DROP: Packets from domains associated with this rule will receive no response. The data is simply dropped, and your network appears to be down or otherwise invisible from the attacker's perspective.
  • Behavior: The actual firewall rule applied to handle the data being processed per the listed behavior.
  • Actions: Two options will display in this field: Edit and Delete. Clicking Edit allows the custom rule to be modified. After editing, click on the Save icon to commit the changes to the list before clicking Done to save the list.

Create Behavior

Clicking the + Add Behavior button or edit icon from the RPZ Behaviors tab launches the Edit Behavior pop-up window. This window consists of two fields:

  • Name: This should be set to a brief descriptive name of the firewall rule.
  • Behavior: Add the firewall rule to be used on data associated with this behavior type. Examples of behaviors that can be applied are listed at the top of the window.

Many actions are possible; please refer to the BIND manual for more information.
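As an added example (not ThreatSTOP's code, and not how the portal itself stores behaviors), the block below ties the RPZ Behaviors above to the Multiple Domains bulk format from the User-Defined Domains section: it parses `<Domain Name> <Comment>` lines and renders the records a BIND RPZ zone carries for each of the four default behaviors. The BEHAVIORS mapping is BIND's standard RPZ encoding (CNAME to `.`, `*.`, `rpz-passthru.` and `rpz-drop.`); the zone origin, SOA/NS values and sample domains are constructed, and accepting a custom behavior as raw RDATA is this example's assumption.

```python
import re

# BIND's standard RPZ encodings of the portal's four default behaviors.
BEHAVIORS = {
    "NXDOMAIN": "CNAME .",               # answer "no such domain"
    "NODATA": "CNAME *.",                # answer with an empty answer section
    "PASSTHRU": "CNAME rpz-passthru.",   # exempt: resolve normally
    "DROP": "CNAME rpz-drop.",           # send no response at all
}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_multiple_domains(text: str) -> list[tuple[str, str]]:
    """Parse the 'Multiple Domains' bulk format: '<Domain Name> <Comment>' per line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        domain, _, comment = line.partition(" ")
        domain = domain.lower().rstrip(".")
        labels = domain.split(".")
        # Reject malformed names so a bad paste cannot produce an unloadable zone.
        if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
            raise ValueError(f"line {lineno}: invalid domain {domain!r}")
        entries.append((domain, comment.strip()))
    return entries


def rpz_records(entries, behavior: str, include_subdomains: bool = True) -> list[str]:
    """Render RPZ records (owner names relative to the zone apex).

    `behavior` is one of the four default names; anything else is assumed to be
    raw RDATA entered in the RPZ Behaviors tab, e.g. 'CNAME sinkhole.example.'.
    """
    rdata = BEHAVIORS.get(behavior.upper(), behavior)
    lines = []
    for domain, comment in entries:
        if comment:
            lines.append(f"; {comment}")
        lines.append(f"{domain:<32} {rdata}")
        if include_subdomains:           # *.domain covers every subdomain too
            lines.append(f"{'*.' + domain:<32} {rdata}")
    return lines


def build_rpz_zone(entries, behavior: str, origin: str = "block0.rpz.example.") -> str:
    """Wrap the records in a minimal loadable zone (constructed SOA/NS values)."""
    header = [
        f"$ORIGIN {origin}",
        "$TTL 60",
        "@ IN SOA ns.example. hostmaster.example. 2024010101 3600 600 86400 60",
        "@ IN NS ns.example.",
    ]
    return "\n".join(header + rpz_records(entries, behavior)) + "\n"


# Constructed sample list in the portal's bulk format (not from the page).
SAMPLE = """\
c2.bad-domain.example Known C2 from IR case 42
updates.bad-domain.example
"""

if __name__ == "__main__":
    print(build_rpz_zone(parse_multiple_domains(SAMPLE), "NXDOMAIN"))
```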

Setting a DNS Firewall Policy

DNS Firewall Policies define the Domains that are allowed to connect, both incoming and outgoing, to your network. The behavior associated with particular threat lists will change the manner in which communications with potentially hostile servers are treated. Creating a policy is covered in Create/Edit DNS Firewall Policy, and for this guide we will only be setting up a very basic Policy.

To set a Policy:

  1. Click on the DNS FW Policy tab towards the top of the window.
  2. Click on + Add Policy.
    The Create DNS Firewall Policy pop-up will appear.
  3. Enter a name for your new policy in the Policy name field.
  4. Type a brief description of your policy in the Description field. This will help you focus on what the policy does.
    For example, "Block Malware, Botnets, and TOR" could help you remember to tick the boxes under Malware, Botnets, and Anonymous proxies.
  5. Determine the type of action you want each ruleset to have enforced. For example, to drop traffic from TOR, check the box next to Anonymous Networks and set the Behavior field to DROP.
  6. Locate and tick the boxes next to the groups you want to govern communications with and adjust their behaviors.
  7. If you have defined any custom domains, add your custom lists to your DNS firewall policy and click Submit.
    This will add your policy name to the list, and it will appear in your device setup list as an available Policy when you add a device.

    Note:

    The policy change will take about 15 minutes before propagating to the device.

    Caution:

    If you have added user-defined lists, but have not added anything to those lists, your Policy will not be added to the main Policies list.


Establishing Custom Policies

Custom policies can be considered "Expert mode" due to how fine-tuned they can be made, and how far things can go astray. Custom Policies can be used in conjunction with standard ThreatSTOP policies such as BASIC or ADVANCED. To establish a custom policy there are a few things that must be understood:

  1. Two custom policies on the firewall:
    • Allow
    • Block
  2. Both contain two lists:
    • The list based on the non-custom policies provided by ThreatSTOP linked to the device.
    • The custom list created by you the admin.

    Both are treated equally during processing; this results in a policy of optimally sized entries (comprised of IPs and subnets, or Domains).

  3. The order that the lists are processed in is controlled by the admin. A decision should be made, before implementing the firewall policy, as to which set of policies will have priority in the firewall. Placing the custom allow list first will allow any IPs that must be communicated with to pass through the firewall even if there are IPs considered hostile by ThreatSTOP. Placing the allow list after ThreatSTOP's lists may block communication with those IPs, if the IP address is considered hostile by our services. The block lists are slightly more forgiving, and placing their lists in any order will only change which ruleset is blocking communication with the suspected hostile IP.

    Caution:

    The allow list should always be loaded before the block lists when setting up a firewall.

  4. If an existing allow list and block list have been implemented, they should be implemented before the ThreatSTOP policies.
    • The allow list should be combined with the ThreatSTOP allow list as a custom allow list. Adding your allow list as a custom allow list in the ThreatSTOP policies will allow the list to be automatically updated across all of the devices you have protected by ThreatSTOP.
    • If your existing block list is combined with the ThreatSTOP block list policy it will automatically update across all of the devices you have protected by ThreatSTOP.

    Establishing a policy can take some skill and should only be handled by experienced network administrators. The process through the ThreatSTOP web portal begins in the User-Defined Lists tab.

A maximum of two custom policies (one Allow, and one Deny) may be created.
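The ordering argument in point 3 and the caution that follows it, worked through as an added example (not ThreatSTOP's code): a first-match evaluator walks the allow and block rule sets in load order, so the same address is allowed when the custom allow list is loaded first and blocked when it is loaded after ThreatSTOP's block list, while swapping the two block lists only changes which list reports the match. The rule-set names, the documentation-range CIDRs and the final "allow" default for unmatched addresses are this example's assumptions.

```python
import ipaddress
from typing import NamedTuple


class RuleSet(NamedTuple):
    name: str
    action: str        # "allow" or "block"
    networks: list     # ipaddress network objects


def make_ruleset(name: str, action: str, cidrs: list[str]) -> RuleSet:
    return RuleSet(name, action, [ipaddress.ip_network(c) for c in cidrs])


def evaluate(ip: str, rulesets: list[RuleSet]) -> tuple[str, str]:
    """First-match evaluation in the order the rule sets are loaded.

    Returns (action, name of the matching rule set). An address matched by no
    list falls through to ("allow", "default"); that final rule is this
    example's assumption, since the page does not state the firewall's default.
    """
    addr = ipaddress.ip_address(ip)
    for rs in rulesets:
        if any(addr in net for net in rs.networks):
            return rs.action, rs.name
    return "allow", "default"


def allow_lists_first(rulesets: list[RuleSet]) -> bool:
    """The page's caution: every allow list is loaded before any block list."""
    actions = [rs.action for rs in rulesets]
    first_block = actions.index("block") if "block" in actions else len(actions)
    return all(a == "allow" for a in actions[:first_block]) and \
        all(a == "block" for a in actions[first_block:])


# Constructed rule sets using documentation ranges; not ThreatSTOP's real feeds.
TS_ALLOW = make_ruleset("threatstop-allow", "allow", ["198.51.100.0/24"])
TS_BLOCK = make_ruleset("threatstop-block", "block", ["203.0.113.0/24"])
# A partner host that must stay reachable inside a /24 ThreatSTOP considers hostile.
CUSTOM_ALLOW = make_ruleset("custom-allow", "allow", ["203.0.113.10/32"])
CUSTOM_BLOCK = make_ruleset("custom-block", "block", ["203.0.113.0/25"])

RECOMMENDED = [CUSTOM_ALLOW, TS_ALLOW, TS_BLOCK, CUSTOM_BLOCK]   # allow lists first
ALLOW_LAST = [TS_BLOCK, CUSTOM_BLOCK, CUSTOM_ALLOW, TS_ALLOW]    # the mistake to avoid

if __name__ == "__main__":
    for label, order in (("recommended", RECOMMENDED), ("allow-last", ALLOW_LAST)):
        print(f"{label:<12} allow-first={allow_lists_first(order)!s:<5} "
              f"203.0.113.10 -> {evaluate('203.0.113.10', order)}")
```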

Adding your Custom List to your Firewall Policy

Adding a Custom List to your Firewall Policy is identical to adding a basic list to your firewall policy, as laid out in Setting a DNS Firewall Policy. The only change is the need to expand the User-Defined Lists and User-Defined Domains options on the Block and Allow tabs, and select the lists you have just created.

Device Specific Instructions

With your portal configuration completed, you'll now be able to set up BIND 9.8+ to act as a DNS Firewall. More instructions can be found in Integrating with an Existing BIND 9.8+ Deployment.