Overview

The purpose of this document is to describe how to integrate ThreatSTOP DNS Firewall into an existing BIND 9.8+ deployment. It assumes that you already have a VM deployed with BIND 9.8+ installed and want to add ThreatSTOP protection to your existing network infrastructure.

Deploying and Configuring BIND

The following procedure provides a default install of BIND (9.8.2 and later). ThreatSTOP has verified it in testing, and it should give you a working installation in your environment. Once the installation is deployed and logging is configured, you can use this box as a drop-in replacement for your existing DNS server, and it will automatically receive the ThreatSTOP protection policy you chose in the ThreatSTOP portal.

Download and Install BIND

To start we'll need to download and install BIND. To do this:

  1. Log in to your administrator account and, if you are not already running with elevated privileges, switch to root:

    su root

  2. Next, download and install BIND and its utilities:

    • For Debian based distros (Debian, Ubuntu, etc):

      sudo apt-get install bind9 dnsutils

    • For Red Hat based distros (RHEL, CentOS, etc.):

      yum install bind bind-utils

  3. Next, start BIND with the following command (the service is called bind9 on Debian based distros and named on Red Hat based distros):

    • For Debian based distros (Debian, Ubuntu, etc):

      sudo service bind9 restart

    • For Red Hat based distros (RHEL, CentOS, etc.):

      sudo systemctl restart named

  4. Then verify that named started cleanly by checking the logs:

    tail /var/log/messages

  5. Check that the installed version is at least 9.8.2, for example:

    /usr/sbin/named -v

    BIND 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4

Create directories and set permissions

To prepare for the incoming zone files, create directories for them and for the named logs:

  1. Make a directory for the zone files using the following command:

    mkdir /var/named/zones

  2. Set ownership of the zone directory to the BIND user:

    chown -R named:named /var/named/zones

  3. Make a directory for the named log files using the following command:

    mkdir /var/named/data

  4. Set permissions and ownership for the log file directory:

    chown -R named:named /var/named/data

Edit BIND config files

Next we'll configure BIND itself. To do this we need to gather a few pieces of information and drop them into the appropriate places in the configuration files. We'll need:

  • The device's internal IP address. You can gather this with the following command at the command prompt:

    • For Debian based distros (Debian, Ubuntu, etc):

      ifconfig

    • For Red Hat based distros (RHEL, CentOS, etc.):

      ip a

      Note:

      CentOS 6.8 uses the ifconfig command to gather network information.

    This will list all available network devices, note the inet address for the interface with which you want your other network devices to communicate.

  • The device's external IP address, which you can get by running this command on the device:

    curl https://www.threatstop.com/cgi-bin/validip.pl

  • The policy name for your device, which is shown here for reference and also appears as a placeholder in the configuration data below:

    <RPZ Zone name retrieved from device settings>

  • The secret key for your RPZ, this is provided by the ThreatSTOP Support team.

Let's start editing the configuration files to get you up and running:

  1. Start by editing /etc/named.conf to match the following:

    Note:

    The 192.0.2.0 address below must be replaced with the internal IP address you gathered with the ifconfig (or ip a) command above.

    // ====================
    //
    // named.conf
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //

    options {
         include "/etc/named.conf.options";
         # listen-on port 53 { 127.0.0.1; };
         // edit for your interface IP
         listen-on { 192.0.2.0; };
         listen-on-v6 port 53 { ::1; };
         directory "/var/named";
         dump-file "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         allow-query { any; };
         recursion yes;
        
         dnssec-enable yes;
         dnssec-validation yes;
        
         /* Path to ISC DLV key */
         bindkeys-file "/etc/named.iscdlv.key";

         managed-keys-directory "/var/named/dynamic";
    };

    zone "." IN {
         type hint;
         file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    include "/etc/named.conf.local";

  2. Create /etc/named.conf.options (for example with vi /etc/named.conf.options) and edit it to match the following:

    // ====================
    response-policy { zone "<RPZ Zone name retrieved from device settings>"; };

  3. Create /etc/named.conf.local (for example with vi /etc/named.conf.local) and add the following:

    // ====================
    //
    // Do any local configuration here
    //
    // An ACL must be defined before it is referenced, so trusted_clients
    // is declared ahead of the zone that uses it.
    acl trusted_clients {
         10.0.0.0/8;
         172.0.0.0/8;
         206.71.168.3/32;
    };

    key threatstop-threatstop {
         algorithm hmac-md5;
         secret "< TSIG Key retrieved from device settings>";
    };

    server 192.124.129.51 {
         keys { threatstop-threatstop ; };
    };

    zone "<RPZ Zone name retrieved from device settings>" {
         type slave;
         masters { 192.124.129.51; };
         file "/var/named/zones/<RPZ Zone name retrieved from device settings>";
         allow-query { localhost; trusted_clients; };
         allow-transfer { localhost; };
         allow-notify { none; };
    };

    logging {
         channel normal-log {
              file "/var/named/data/named.log" versions 3 size 1m;
              severity info;
         };
         category default {
              normal-log;
         };
         channel named-rpz {
              file "/var/named/data/rpz.log";
              severity debug;
              print-time yes;
              print-category yes;
              print-severity yes;
         };
         category rpz {
              named-rpz;
         };
    };

    Caution:

    The provided TSIG key is only valid for trial accounts and will change for paid accounts.

  4. Set ownership on the new files:

    chown root:named /etc/named.conf.local
    chown root:named /etc/named.conf.options

  5. Set named to start on boot:

    chkconfig named on

    Additionally, on CentOS and RHEL systems you will need to perform the following SELinux step:

  6. Allow named to write the transferred zone file to the filesystem:

    setsebool -P named_write_master_zones true
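Before loading the files, a small check catches the mistakes this procedure makes easy: a placeholder left in place, the 192.0.2.0 documentation address still in listen-on, a TSIG secret that is not base64, and the combination of recursion yes with allow-query { any; } and no allow-recursion, which makes the server an open resolver if its listen address is reachable from outside. This is an added example written for this page, not a ThreatSTOP tool, and the two sample configurations inside it are constructed.

```python
import base64
import binascii
import re

# Added example for this page, not ThreatSTOP tooling: lint the named.conf and
# named.conf.local text from the procedure above before handing it to named.
PLACEHOLDER = re.compile(r"<\s*(?:RPZ Zone name|TSIG Key)[^>]*>")
DOC_IP = "192.0.2.0"  # the documentation address the note says to replace


def strip_comments(text):
    """Drop /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?m)(^|[ \t])(//|#).*", "", text)


def lint_named_conf(text):
    """Return human-readable findings; an empty list means nothing to fix."""
    cfg = strip_comments(text)
    findings = ["unreplaced placeholder: " + m.group(0)
                for m in PLACEHOLDER.finditer(cfg)]
    for m in re.finditer(r"listen-on\s*(?:port\s+\d+\s*)?\{([^}]*)\}", cfg):
        if DOC_IP in [a.strip() for a in m.group(1).split(";")]:
            findings.append("listen-on still uses 192.0.2.0; use the interface IP")
    m = re.search(r'secret\s+"([^"]*)"', cfg)
    if m:
        try:
            if not base64.b64decode(m.group(1), validate=True):
                raise binascii.Error("empty secret")
        except binascii.Error:
            findings.append("TSIG secret is not base64; check the key from support")
    # recursion yes plus allow-query { any; } with no allow-recursion is an
    # open resolver as soon as the listen-on address is reachable from outside
    if (re.search(r"recursion\s+yes\s*;", cfg)
            and re.search(r"allow-query\s*\{\s*any\s*;\s*\}", cfg)
            and not re.search(r"allow-recursion\s*\{", cfg)):
        findings.append("open recursion: add allow-recursion { trusted_clients; }")
    return findings


# Constructed samples: the first keeps the page's placeholders, the second is
# filled in with a made-up zone name, a base64 key and an allow-recursion line.
SAMPLE_BAD = """options { listen-on { 192.0.2.0; }; allow-query { any; }; recursion yes; };
key threatstop-threatstop { secret "< TSIG Key retrieved from device settings>"; };
zone "<RPZ Zone name retrieved from device settings>" { type slave; };"""
SAMPLE_GOOD = """options { # listen-on port 53 { 127.0.0.1; };
  listen-on { 10.0.0.53; }; allow-query { any; }; recursion yes;
  allow-recursion { trusted_clients; }; };
key threatstop-threatstop { secret "c2VjcmV0a2V5MTIzNA=="; };
zone "example.rpz.threatstop.local" { type slave; };"""
```

Run lint_named_conf over the concatenated contents of /etc/named.conf, /etc/named.conf.options and /etc/named.conf.local; named-checkconf remains the authoritative syntax check.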

Setting IP Table Exceptions, Logging, and Reporting Setup

Logging and reporting are system dependent. As such, we have created specific documentation for each *nix distro that we support.

Testing

To test that your configuration is up and running, you'll need to set up a temporary test policy in the ThreatSTOP portal. Any policy added to this list should have the RPZ behavior set to NXDOMAIN or DROP. After setting this:

  1. Go to a known good website (e.g., www.google.com) to verify that you are able to connect.
  2. Go to a known bad website (e.g., bad.threatstop.com). Depending on your test policy's settings you should receive a rejection screen (NXDOMAIN) or have your connection time out (DROP).
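To confirm from the server side that the bad lookup was rewritten, read the rpz.log written by the named-rpz channel configured above. The following added example (not part of this page or a ThreatSTOP tool) parses that log and counts rewrites per client and action; its sample lines are constructed in the shape of BIND's rpz category output, and the pattern tolerates the optional client pointer and qname fields that differ between BIND versions.

```python
import re
from collections import Counter

# Added example for this page, not ThreatSTOP tooling: read the rpz.log that
# the "named-rpz" channel writes and summarise which clients were rewritten.
# The pattern follows the message BIND logs for an RPZ hit; the "@0x..."
# client pointer and the "(qname)" field are optional across versions.
RPZ_HIT = re.compile(
    r"^(?P<ts>\S+ \S+) rpz: (?P<sev>[\w ]+): client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#\d+(?: \((?P<qname>[^)]+)\))?: "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite (?P<name>\S+) via (?P<rule>\S+)"
)


def parse_rpz_log(text):
    """Return one dict per RPZ rewrite line; other categories are skipped."""
    return [m.groupdict() for m in map(RPZ_HIT.match, text.splitlines()) if m]


def summarize(hits):
    """Count rewrites per (client, action) and per rewritten name.
    PASSTHRU hits are left out: they mean the policy let the name through."""
    blocked = [h for h in hits if h["action"] != "PASSTHRU"]
    by_client = Counter((h["client"], h["action"]) for h in blocked)
    by_name = Counter(h["name"] for h in blocked)
    return by_client, by_name


# Constructed sample in the shape of BIND's rpz category output with
# print-time, print-category and print-severity on (client addresses and the
# "example.rpz" zone name are made up; the last line is a non-rpz entry).
SAMPLE_RPZ_LOG = """\
27-Apr-2017 13:55:01.101 rpz: info: client 10.0.0.5#51234 (bad.threatstop.com): rpz QNAME NXDOMAIN rewrite bad.threatstop.com via bad.threatstop.com.example.rpz
27-Apr-2017 13:55:03.207 rpz: info: client 10.0.0.5#51240 (bad.threatstop.com): rpz QNAME NXDOMAIN rewrite bad.threatstop.com via bad.threatstop.com.example.rpz
27-Apr-2017 13:56:10.442 rpz: info: client @0x7f3c1c0a2f10 10.1.2.3#40001 (evil.example): rpz QNAME DROP rewrite evil.example via evil.example.example.rpz
27-Apr-2017 13:56:11.000 rpz: debug 1: client 10.1.2.3#40002 (www.example.com): rpz QNAME PASSTHRU rewrite www.example.com via www.example.com.example.rpz
27-Apr-2017 13:57:00.000 general: info: zone example.rpz/IN: transferred serial 2017042701
"""

if __name__ == "__main__":
    by_client, by_name = summarize(parse_rpz_log(SAMPLE_RPZ_LOG))
    for (client, action), n in by_client.most_common():
        print(f"{client:15} {action:10} {n}")
```

Point parse_rpz_log at the contents of /var/named/data/rpz.log after running the two test lookups above; the bad.threatstop.com entry should appear with the action your test policy set.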