Installing BIND 9.8+ on Ubuntu varies slightly between the major revisions of Ubuntu; the following directions cover the versions of Ubuntu supported by ThreatSTOP.

Overview

The purpose of this document is to describe the integration process for ThreatSTOP DNS Firewall into an existing BIND 9.8+ deployment. It assumes that you have an existing DNS deployment and are looking to add the ThreatSTOP DNS Firewall to your existing network infrastructure. This is done by placing the DNS Firewall between your existing DNS configuration and your external connection, which allows ThreatSTOP DNS Firewall to guard against hostile connections.

A birds-eye view of the setup procedure is:

  1. Open a ThreatSTOP account if you have not already done so.
    Specify that you are setting up a DNS Firewall in order to receive any needed materials.
  2. In the Device section of the Portal, configure a new device with the following settings:
    1. Manufacturer: DNS Server
    2. Model: BIND 9.8+

    Note:

    More information about setting up Devices in the Portal can be found in the Introduction.

  3. You will then need to configure the rest of the Portal to service a ThreatSTOP DNS Firewall as explained in ThreatSTOP DNS Firewall.
  4. Configure BIND itself to act as a slave server for the zone that contains your policy.
  5. Configure the client machines to be protected to use the ThreatSTOP DNS Firewall for address resolution.

Deploying and Configuring Ubuntu

Ubuntu has developed a standard installation process that works with both of their current releases. The stock install includes nearly everything we need to get the system up and running, including activating Network Time Protocol (NTP), which is needed to ensure synchronization between ThreatSTOP's servers and the DNS Firewall.

Prerequisites

The following will be needed to download and install Ubuntu 14.04 LTS or Ubuntu 16.04 LTS:

  • 1GB disk space on the host system for the Ubuntu ISO
  • Hypervisor capable of creating or importing the Ubuntu ISO (VMware, VirtualBox, or similar)
  • The VM will need to be provided with at least the minimum installation requirements for Ubuntu 14.04. For our example we're using:
    • 2048 MB RAM
    • 10 GB Harddrive space
    • Bridged network connections
  • An open connection to the Internet from your new device

Creating the VM

We'll cover the installation from the point at which the computer is booted with the installation disc in the drive, or the ISO is loaded into the VM and the VM is started.

  1. Select your setup Language.
  2. Select Install Ubuntu Server.
  3. Select your installation Language.
  4. Select your location.
  5. For Configure the keyboard select No; we'll select this manually.
  6. Select the correct language for your keyboard.
  7. Select the correct layout for your keyboard.
    The initial setup files will be copied to your hard drive.

  8. Select the primary network interface.
  9. Designate a hostname for the system.

  10. Enter the full name of the Administrator for the system.
  11. Adjust the Username for the account if needed.
  12. Provide and confirm the password for the administrator account.
  13. Optionally encrypt your home directory.

    Note:

    While encrypting your home directory, and later your drive, is not mandatory, it may be seen as beneficial from a security standpoint.

  14. Verify that the Time Zone is correct. If it is not select the correct time zone.

    Note:

    This information is used to configure Network Time Protocol (NTP) services automatically, which helps prevent issues that can appear during zone transfer.

  15. Select the partitioning method you wish to use.
  16. Select the disk to partition.
  17. Write the changes to the disk.
  18. If you chose to encrypt your drive enter an encryption passphrase and verify it.
  19. Accept the default volume size.
  20. Write the changes to the disk.
    If you use a proxy to access the Internet, enter the corresponding information.

  21. Agree to Install security upgrades automatically.

  22. Under Software selection check the box next to DNS server. This will save us a little time in patching.

    Note:

    This particular setup method preemptively installs the bind9 and dnsutils packages mentioned in Download and Install BIND under Deploying and Configuring BIND, so it is safe to skip steps 1-3 in that section. If this step is skipped, those packages must be installed there instead.

  23. Install the GRUB Boot Loader to allow the drive to boot.
  24. Remove the disc from the drive (it's likely this will be done automatically for you) and click Continue to reboot into the new system.
  25. Login to the system using the administrator account created during system setup.
  26. Install the latest patches and security updates with the following commands:

    sudo apt-get update

    sudo apt-get dist-upgrade

This completes your Ubuntu VM deployment and allows you to set up and install the ThreatSTOP DNS Firewall solution on your device.

Step-by-step guide

The following steps walk you through configuring BIND to serve your ThreatSTOP DNS Firewall. Note that these steps begin after the account creation process has finished.

In the ThreatSTOP Portal

  1. In the ThreatSTOP portal add a DNS Firewall policy. To do this:
    1. Click on Policies & Lists.
    2. Then on the DNS FW Policy tab.
    3. Select + Add Policy.
    4. Set a Policy name: in the corresponding field.
    5. If you want to change the default behavior of the RPZ Target Lists being used set it in the Default Behavior field.

      Note:

      The available behaviors are:
      NXDOMAIN
      NODATA
      PASSTHRU
      DROP

    6. Select the RPZ Target Lists you want to block. For our example we'll use the BASIC list with the default behavior.
      1. If you want a specific list to be treated differently from other included lists, change the Behavior dropdown to the desired action.

        Caution:

        This dropdown will override the Default Behavior field.

    7. Click on Submit to save your changes.
  2. Click on Devices and then on + Add Device.
    1. Enter a Nickname for the device; this should be something descriptive of the device.
    2. Set the Manufacturer and Model to:
      1. Manufacturer: DNS Server
      2. Model: BIND 9.8+
    3. Set the IP Type as defined by your network needs.

      Warning:

      Using a Dynamic IP address is far outside of best practices and is not recommended. Unexpected results can occur if this setting is used.

    4. The IP Address of the device is the external IP address (unsecured side of the firewall). This can be determined by visiting: http://www.threatstop.com/cgi-bin/validip.pl
    5. Select the DNS Firewall policy you defined previously in the Policy drop down.

Deploying and Configuring BIND

The following procedure will provide a default install of BIND (BIND 9.8.2 and greater). This has been shown to work in testing by ThreatSTOP resources, and should provide a working installation in your environment. After successfully deploying the installation and configuring logging you should be able to simply use this box as a drop-in replacement for your existing DNS server, and will automatically receive the ThreatSTOP protection policy you've chosen in the ThreatSTOP portal.

Download and Install BIND

To start we'll need to download and install BIND. To do this:

  1. Log in to your administrator account and elevate your privileges (if you are not already logged in with elevated privileges). To do this, log in and enter:

    su root

  2. Next we'll need to download and install BIND and its utilities. This can be done with the command:

    • For Debian based distros (Debian, Ubuntu, etc):

      sudo apt-get install bind9 dnsutils

    • For Red Hat based distros (RHEL, CentOS, etc.):

      yum install bind bind-utils

  3. Next we'll need to enable and start bind with the following command:

    • For Debian based distros (Debian, Ubuntu, etc):

      sudo /usr/sbin/service bind9 restart

    • For Red Hat based distros (RHEL, CentOS, etc.):

      sudo /usr/sbin/systemctl restart named

  4. Then verify that things went according to plan by checking the logs (on Debian based distros the equivalent file is /var/log/syslog):

    tail /var/log/messages

  5. Check that the installed version is at least 9.8.2, for example:

    /usr/sbin/named -v

    BIND 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4

Create directories and set permissions

To prepare for the incoming zone files we need to make a little room for them in the file system. To do this:

  1. Make a directory for the zone files using the following command:

    mkdir /var/named/zones

  2. Set permissions and ownership of the zone directory to BIND:

    chown -R named:named /var/named/zones

  3. Make a directory for the named log files using the following command:

    mkdir /var/named/data

  4. Set permissions and ownership for the log file directory:

    chown -R named:named /var/named/data

Edit BIND config files

Next we'll start configuring BIND itself. To do this we'll need to gather a few pieces of information and drop them into the appropriate places in the configuration files. We'll need:

  • The device's internal IP address. You can gather this with the following command at the command prompt:

    • For Debian based distros (Debian, Ubuntu, etc):

      ifconfig

    • For Red Hat based distros (RHEL, CentOS, etc.):

      ip a

      Note:

      CentOS 6.8 uses the ifconfig command to gather network information.

    This will list all available network devices, note the inet address for the interface with which you want your other network devices to communicate.

  • The device's external IP address. You can get this using the following command from the device:

    curl https://www.threatstop.com/cgi-bin/validip.pl

  • The policy name for your device, which is provided here for reference and should also appear in the configuration data below in bold.

    <RPZ Zone Name>

  • The secret key for your RPZ; this is provided by the ThreatSTOP Sales team during your sign-up.

Let's start editing the configuration files to get you up and running:

  1. We need to start by editing /etc/named.conf to match the following:

    Note:

    The 192.0.2.0 address below will need to be replaced with the internal IP address gathered with the ifconfig (or ip a) command above.

    // ====================
    //
    // named.conf
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //

    options {
         include "/etc/named.conf.options";
         # listen-on port 53 { 127.0.0.1; };
         // edit for your interface IP
         listen-on { 192.0.2.0; };
         listen-on-v6 port 53 { ::1; };
         directory "/var/named";
         dump-file "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         allow-query { any; };
         recursion yes;
        
         dnssec-enable yes;
         dnssec-validation yes;
        
         /* Path to ISC DLV key */
         bindkeys-file "/etc/named.iscdlv.key";

         managed-keys-directory "/var/named/dynamic";
    };

    zone "." IN {
         type hint;
         file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    include "/etc/named.conf.local";

  2. Create /etc/named.conf.options using the command vi /etc/named.conf.options then edit it to match the following:

    // ====================
    response-policy { zone "<RPZ Zone Name>"; };

  3. Create /etc/named.conf.local using the command vi /etc/named.conf.local and then add the following:

    // ====================
    //
    // Do any local configuration here
    //
    key threatstop-threatstop {
         algorithm hmac-md5;
         secret "<tsig key>";
    };

    server 192.124.129.51 {
         keys { threatstop-threatstop ; };
    };

    // named.conf allows no forward references to ACL names, so the
    // trusted_clients ACL must be defined before the zone that uses it.
    acl trusted_clients {
         10.0.0.0/8;
         172.0.0.0/8;
         206.71.168.3/32;
    };

    zone "<RPZ Zone Name>" {
         type slave;
         masters { 192.124.129.51; };
         file "/var/named/zones/<RPZ Zone Name>";
         allow-query { localhost; trusted_clients; };
         allow-transfer { localhost; };
         allow-notify { none; };
    };

    logging {
         channel normal-log {
              file "/var/named/data/named.log" versions 3 size 1m;
              severity info;
         };
         category default {
              normal-log;
         };
         // RPZ hits are written to their own file so they can be
         // rotated and uploaded separately (see Logging below).
         channel named-rpz {
              file "/var/named/data/rpz.log";
              severity debug;
              print-time yes;
              print-category yes;
              print-severity yes;
         };
         category rpz {
              named-rpz;
         };
    };

    Caution:

    The provided TSIG key is only valid for trial accounts and will change for paid accounts.

  4. Set ownership on files:

    chown root:named named.conf.local
    chown root:named named.conf.options

  5. Set named to start on boot:

    chkconfig named on

  6. Set the SELinux boolean that allows named to write the zone file to the file system:

    setsebool -P named_write_master_zones true

Logging and Restarting the Service

After configuring the BIND server to use ThreatSTOP's Threat Intelligence lists, you can start sending your logs to ThreatSTOP, where they will be used to help reinforce our community's Threat Intelligence.

Before starting in on this section, certain prerequisites need to be met:

Your system will need to be configured to run logrotate, and must have curl, stat, md5sum, and cut utilities.

Note:

The following packages are available for these utilities on Ubuntu 14.04:

  • curl: sudo apt-get install curl
  • logrotate: sudo apt-get install logrotate

stat, md5sum, and cut are all part of the core Ubuntu 14.04 distribution, and should automatically install with the OS.

After ensuring these programs are present, you can start uploading logs back to ThreatSTOP using logrotate. To do this:

  1. Change directory to the logrotate.d folder and create a new file called threatstop:

    cd /etc/logrotate.d
    sudo vi threatstop

  2. Copy and paste the example below to /etc/logrotate.d/threatstop. The path on the first line must be the file that the named-rpz logging channel in your BIND configuration writes to.

    /var/log/named/rpz.log {
        rotate 7
        size 100k
        missingok
        notifempty
        delaycompress
        compress
        create 0644 bind
        postrotate
            /usr/sbin/service bind9 restart > /dev/null
            /usr/bin/curl -v -F "upfile=@$1.1" -F "upfile_size=`/usr/bin/stat -c %s $1.1`" -F "md5_client=`/usr/bin/md5sum $1.1|/usr/bin/cut -d' ' -f 1`" -F "fw_ip=<Device IP>" https://www.threatstop.com/cgi-bin/logupload.pl
            #insert command to send to SIEM system
        endscript
    }

    Adjust the value of fw_ip to match the IP address entered in the portal. This is typically the external IP reported by https://www.threatstop.com/cgi-bin/validip.pl

    Note:

    The curl solution above assumes the following:

    1. The system has curl, stat, md5sum and cut and they are located at the paths specified
    2. logrotate rotates the logs, and the most recently rotated log is $1 with ".1" appended. In this example it would be: /var/log/named/rpz.log.1
    3. The user will update the fw_ip value to the actual value for their device
  3. Enter sudo service bind9 reload and press ENTER.

    Note:

    sudo is not required for users logged in with administrative privileges.
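
As an added example (not part of the ThreatSTOP documentation or of BIND), the Python below parses the lines the named-rpz channel writes to rpz.log with print-time, print-category and print-severity enabled, and summarises which clients had lookups rewritten and by which RPZ action. The log lines, client addresses and zone name are constructed for the example; the pattern accepts both the older line format without the parenthesised query name and the newer one with it.

```python
import re
from collections import Counter

# Constructed sample of what the named-rpz channel above writes to rpz.log
# (print-time, print-category and print-severity enabled). Clients, names
# and the zone name are made up for this example.
SAMPLE_RPZ_LOG = """\
28-Mar-2017 14:22:01.123 rpz: info: client 10.0.0.5#53421 (bad.threatstop.com): rpz QNAME NXDOMAIN rewrite bad.threatstop.com via bad.threatstop.com.example-rpz.zone
28-Mar-2017 14:22:03.456 rpz: info: client 10.0.0.5#53422 (evil.example.net): rpz QNAME NXDOMAIN rewrite evil.example.net via evil.example.net.example-rpz.zone
28-Mar-2017 14:22:07.789 rpz: info: client 172.16.4.9#40001 (c2.example.org): rpz QNAME DROP rewrite c2.example.org via c2.example.org.example-rpz.zone
28-Mar-2017 14:22:09.000 rpz: info: client 10.0.0.7#51000: rpz IP PASSTHRU rewrite ok.example.com via 32.10.2.0.192.rpz-ip.example-rpz.zone
28-Mar-2017 14:22:10.000 rpz: info: zone example-rpz.zone/IN: transferred serial 2017032801
"""

# One RPZ rewrite line. The query name in parentheses after the client
# address is optional because older BIND releases omit it.
RPZ_HIT = re.compile(
    r"^(?P<ts>\S+ \S+) rpz: (?P<sev>\w+): "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"rpz (?P<trigger>\w+) (?P<action>[A-Za-z-]+) rewrite "
    r"(?P<qname>\S+) via (?P<rule>\S+)$"
)


def parse_rpz_line(line):
    """Return the fields of one RPZ rewrite line, or None for any other line."""
    m = RPZ_HIT.match(line.strip())
    if not m:
        return None
    hit = m.groupdict()
    hit["qname"] = hit["qname"].rstrip(".").lower()
    return hit


def summarize(log_text):
    """Count rewrites by action, and blocked lookups by client and by name."""
    hits = [h for h in map(parse_rpz_line, log_text.splitlines()) if h]
    # PASSTHRU means the policy matched but the answer was left untouched,
    # so it is reported separately and not counted as blocked.
    blocked = [h for h in hits if h["action"] != "PASSTHRU"]
    return {
        "hits": len(hits),
        "blocked": len(blocked),
        "by_action": Counter(h["action"] for h in hits),
        "by_client": Counter(h["client"] for h in blocked),
        "by_qname": Counter(h["qname"] for h in blocked),
    }
```

Feeding the rotated /var/log/named/rpz.log.1 through summarize() before the postrotate upload gives a quick view of which internal hosts are repeatedly hitting the policy.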

Sending Log Information to More Than One Destination

The configuration above uploads the rotated file to ThreatSTOP and, if specified, wherever the second command in the postrotate section sends it. If the data is to be sent to a syslog server, however, the process is simpler: add a second channel for the rpz category to the existing logging statement in your BIND configuration (named.conf allows only one logging statement), as shown below:

/etc/bind/named.conf(.local)

logging {
    channel remote_syslog_rpz {
        syslog local4;
        severity debug;
        print-time yes;
    };
    category rpz {
        named-rpz;
        remote_syslog_rpz;
    };
};

Follow this up with forwarding the syslog configuration to the SIEM (based on your setup). For example, with rsyslog:

/etc/rsyslog.d/50-default.conf

local4.* @10.100.254.130:514

Testing

To test that your configuration is up and running, you'll need to set up a temporary test policy in the ThreatSTOP portal. The RPZ behavior for this test policy should be set to NXDOMAIN or DROP. After setting this:

  1. Go to a known good website (e.g., www.google.com) to verify that you are able to connect.
  2. Go to a known bad website (e.g., bad.threatstop.com). Based on your test policy's settings you should receive a rejection screen (for NXDOMAIN) or have your connection time out (for DROP).