This tutorial documents how to set up BIND with Response Policy Zones (RPZ) using Newly Observed Domain (NOD) data from Farsight Security® Inc. Its purpose is to teach the basics of using Response Policy Zones on a single host for instructional purposes; this guide is not intended for production configuration.

Requirements

Prerequisites

Start with a clean install of Ubuntu 16.04. For testing purposes, a virtual machine with 1 CPU and 1 GB of memory is adequate.

Setup Instructions

Install and configure BIND 9

This tutorial uses BIND as a recursive caching server.

Install BIND 9 (9.10.3)
$ sudo apt-get update
$ sudo apt-get install bind9 bind9utils bind9-doc
Configure BIND to be a recursive caching DNS server
$ sudo vim /etc/bind/named.conf.local
Add an ACL naming the networks that may query the server; choose a CIDR range that makes sense for your organization. This ACL is what keeps the host from being an open resolver, which would make it usable as a reflector in DNS amplification attacks.
acl localnetwork {
 192.168.0.0/16;
 localhost;
 localnets;
};
named.conf.local should look like
//
// Do any local configuration here
//

acl localnetwork {
  192.168.0.0/16;
  localhost;
  localnets;
};
Add the following within the options directive. allow-query limits every query, recursive or not, to the ACL; if you later need to answer non-recursive queries more widely, BIND's allow-recursion option restricts recursion alone.
$ sudo vim /etc/bind/named.conf.options
recursion yes;
allow-query { localnetwork; };
named.conf.options should look like
options {
       directory "/var/cache/bind";

       recursion yes;
       allow-query { localnetwork; };

       dnssec-validation auto;

       auth-nxdomain no;    # conform to RFC1035
       listen-on-v6 { any; };
};
Check the syntax of the BIND configuration files

The shell prompt will return immediately without any output if there are no errors.

$ sudo named-checkconf
Restart BIND
$ sudo service bind9 restart
Verify BIND is listening on localhost and is working as a caching server. In the answer, the ra flag shows that recursion is available and the ad flag shows that the answer passed DNSSEC validation (dnssec-validation auto above).
$ dig @localhost www.farsightsecurity.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost www.farsightsecurity.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50461
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.farsightsecurity.com.      IN      A

;; ANSWER SECTION:
www.farsightsecurity.com. 3527  IN      A       104.244.13.104

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 12 14:27:56 UTC 2016
;; MSG SIZE  rcvd: 69
Create the named.fsi-FSI-xxxx-x.conf file

Using the configuration files sent to you by Farsight, create the named.fsi-FSI-xxxx-x.conf file in /etc/bind/. This file holds the TSIG secret that authenticates your zone transfers, so keep it readable only by root and the bind group (the same permissions Ubuntu applies to /etc/bind/rndc.key). The key name and secret below are placeholders; use the values Farsight sent you, and make sure every master entry references exactly the key name the key statement defines.

$ sudo vim /etc/bind/named.fsi-FSI-xxxx-x.conf
key "FSI-xxxx-x-key" {
  algorithm HMAC-SHA512;
  secret "xxxxxxxxx";
};

masters "fsi-ixfr-masters" {
  104.244.13.88 key "FSI-xxxx-x-key";
  104.244.14.88 key "FSI-xxxx-x-key";
  2620:11c:f004::88 key "FSI-xxxx-x-key";
  2620:11c:f008::88 key "FSI-xxxx-x-key";
};
Add a response-policy configuration to named.conf.options. BIND accepts only one options statement, so put the response-policy stanza inside the options block edited earlier rather than adding a second options block.
$ sudo vim /etc/bind/named.conf.options
options {
   // existing statements (directory, recursion, allow-query, ...) stay here
   response-policy {
     zone "24h.rpz.dns-nod.net";
   };
};
Configure the NOD 24h zone in named.conf.local as a slave of Farsight's masters. allow-query { localhost; } only limits direct queries for the zone's contents; the policy still applies to every recursive answer the server gives. allow-transfer { none; } stops this host from redistributing the zone.
$ sudo vim /etc/bind/named.conf.local
include "/etc/bind/named.fsi-FSI-xxxx-x.conf";

zone "24h.rpz.dns-nod.net" {
   type slave;
   file "24h.rpz.dns-nod.net.zone";
   masters { fsi-ixfr-masters; };
   allow-query {localhost;};
   allow-transfer {none;};
};
Check the syntax of the BIND configuration files

The shell prompt will return immediately without any output if there are no errors.

$ sudo named-checkconf
Restart BIND
$ sudo service bind9 restart
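A quick consistency check worth running on the key file before named-checkconf, as an added example written for this page (it is not part of Farsight's tutorial or of BIND): it lists the key names defined by key statements and the key names referenced inside masters lists, and reports any reference that no key statement defines. The comparison is case-insensitive because TSIG key names are DNS names. A single-character difference such as FSI-xxx-x-key against FSI-xxxx-x-key means the transfer request to that master is not signed with the key the master expects. The function names and the write_sample_conf helper, which writes a constructed fragment with exactly that mismatch on the second master, are assumptions of this example.

```shell
#!/bin/sh
# Added example for this page, not part of Farsight's tutorial or of BIND.
# Cross-checks a BIND configuration fragment: every key name referenced in a
# masters list must be defined by a key statement. TSIG key names are DNS
# names, so the comparison is case-insensitive.
# Usage: check_master_keys /etc/bind/named.fsi-FSI-xxxx-x.conf

# Key names defined by statements of the form: key "NAME" { ... };
defined_keys() {
    sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | LC_ALL=C sort -u
}

# Key names referenced by entries of the form: ADDRESS key "NAME"; inside
# masters "..." { ... }; lists.
referenced_keys() {
    awk '
        /^[ \t]*masters[ \t]/ { in_masters = 1 }
        in_masters && match($0, /key[ \t]*"[^"]*"/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^key[ \t]*"/, "", s)
            sub(/"$/, "", s)
            print s
        }
        in_masters && /}/ { in_masters = 0 }
    ' "$1" | LC_ALL=C sort -u
}

# Returns 0 when every referenced key is defined, 1 otherwise, naming each
# undefined reference on stderr.
check_master_keys() {
    defined=$(defined_keys "$1")
    rc=0
    for k in $(referenced_keys "$1"); do
        if ! printf '%s\n' "$defined" | grep -qixF -- "$k"; then
            echo "$1: masters list references undefined key \"$k\"" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (an assumption of this example, not a file Farsight ships):
# a key statement plus a masters list in which the second entry references
# FSI-xxx-x-key, one character short of the defined FSI-xxxx-x-key.
write_sample_conf() {
    cat > "$1" <<'EOF'
key "FSI-xxxx-x-key" {
  algorithm HMAC-SHA512;
  secret "xxxxxxxxx";
};

masters "fsi-ixfr-masters" {
  104.244.13.88 key "FSI-xxxx-x-key";
  104.244.14.88 key "FSI-xxx-x-key";
  2620:11c:f004::88 key "FSI-xxxx-x-key";
  2620:11c:f008::88 key "FSI-xxxx-x-key";
};
EOF
}

# Demonstration on the constructed sample (exits 1 and names the bad reference):
#   write_sample_conf /tmp/fsi-sample.conf && check_master_keys /tmp/fsi-sample.conf
```

Point check_master_keys at the real file once it is in place; it reads the file only, so it can run as any user that is allowed to read it.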

Verification

Search the syslog file for zone transfers of the NOD 24h zone. A successful transfer logs the serial it loaded and the TSIG key that signed it, followed by Transfer status: success:

$ grep '24h.rpz.dns-nod.net/IN' /var/log/syslog

Dec 12 14:39:34 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN:
    Transfer started.
Dec 12 14:39:34 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN'
    from 104.244.13.88#53: connected using 172.30.0.167#45545
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN:
    transferred serial 1481553555: TSIG 'fsi-0410-67-key'
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN'
    from 104.244.13.88#53: Transfer status: success
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN'
    from 104.244.13.88#53: Transfer completed: 273 messages, 366059 records,
    7933511 bytes, 2.337 secs (3394741 bytes/sec)
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: sending
    notifies (serial 1481553555)
Dec 12 14:39:39 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: notify
    from 104.244.13.88#57745: zone is up to date
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: notify
    from 104.244.13.88#57745: serial 1481553575
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: Transfer
    started.
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN'
    from 104.244.13.88#53: connected using 172.30.0.167#53262
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN:
    transferred serial 1481553575: TSIG 'fsi-0410-67-key'
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN'
    from 104.244.13.88#53: Transfer status: success
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN'
    from 104.244.13.88#53: Transfer completed: 1 messages, 80 records, 1891 bytes,
        0.073 secs (25904 bytes/sec)

Look up the name test.dns-nod.net using localhost as the resolver. The status should be NXDOMAIN, and the SOA of 24h.rpz.dns-nod.net in the ADDITIONAL section shows that the answer was rewritten by the policy zone rather than returned by the name's authoritative servers.

$ dig @localhost test.dns-nod.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost test.dns-nod.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10874
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.dns-nod.net.              IN      A

;; ADDITIONAL SECTION:
24h.rpz.dns-nod.net.    300     IN      SOA     a.rpz-ns.dns-nod.net.
    nod-admin.fsi.io. 1481553736 600 300 86400 300

;; Query time: 374 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 12 14:42:47 UTC 2016
;; MSG SIZE  rcvd: 114
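Both verification steps above, the syslog search and the dig against test.dns-nod.net, can be scripted so a cron job or a monitoring check repeats them after every transfer. The following is an added example written for this page, not Farsight's code: last_transferred_serial and transfer_ok read syslog lines and report which serial was loaded and whether the last transfer of the zone succeeded; rpz_rewritten reads dig output and confirms a rewrite by the policy zone, telling it apart from an ordinary NXDOMAIN by the policy zone's SOA in the ADDITIONAL section. The sample_* functions supply constructed input: the page's log lines written one event per line as syslog stores them, plus a constructed Transfer status: REFUSED line for the failure case; the page's rewritten dig answer; and a constructed ordinary NXDOMAIN for a name under the reserved domain example. All function names are assumptions of this example.

```shell
#!/bin/sh
# Added example for this page, not part of Farsight's tutorial or of BIND.
# Offline checks for the two verification steps. Each function reads from
# stdin, so it can be fed `grep ... /var/log/syslog` or `dig @localhost ...`
# output directly, or the constructed samples at the bottom.

# ---- zone transfer log ---------------------------------------------------

# Most recent serial that named logged as transferred for zone $1.
last_transferred_serial() {
    grep -F "zone $1/IN: transferred serial " |
        sed -n 's/.*transferred serial \([0-9][0-9]*\).*/\1/p' |
        tail -n 1
}

# 0 if the most recent "Transfer status:" line for zone $1 reports success;
# 1 if it reports anything else (e.g. REFUSED when the TSIG key is wrong)
# or if no transfer status has been logged at all.
transfer_ok() {
    last=$(grep -F "transfer of '$1/IN'" | grep -F 'Transfer status:' | tail -n 1)
    case "$last" in
        *'Transfer status: success'*) return 0 ;;
        *) return 1 ;;
    esac
}

# ---- dig output ----------------------------------------------------------

# 0 if the dig output on stdin was rewritten by policy zone $1: the header
# says NXDOMAIN and the ADDITIONAL section carries the policy zone's own SOA,
# which is how BIND marks an RPZ rewrite. A plain NXDOMAIN from the real
# authority carries that authority's SOA in the AUTHORITY section instead.
rpz_rewritten() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'status: NXDOMAIN' || return 1
    printf '%s\n' "$out" | awk -v zone="$1." '
        /^;; ADDITIONAL SECTION:/ { in_add = 1; next }
        /^;;/                     { in_add = 0 }
        in_add && $1 == zone && $4 == "SOA" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# ---- constructed samples (assumptions of this example) -------------------

# The page's log excerpt, one event per line as syslog stores it.
sample_syslog_ok() {
cat <<'EOF'
Dec 12 14:39:34 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: Transfer started.
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: transferred serial 1481553555: TSIG 'fsi-0410-67-key'
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN' from 104.244.13.88#53: Transfer status: success
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: transferred serial 1481553575: TSIG 'fsi-0410-67-key'
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN' from 104.244.13.88#53: Transfer status: success
EOF
}

# The same log followed by a constructed refused transfer.
sample_syslog_refused() {
    sample_syslog_ok
    echo "Dec 12 14:45:01 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN' from 104.244.13.88#53: Transfer status: REFUSED"
}

# The page's rewritten answer for test.dns-nod.net (relevant lines only).
sample_dig_rewritten() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10874
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;test.dns-nod.net.              IN      A

;; ADDITIONAL SECTION:
24h.rpz.dns-nod.net.    300     IN      SOA     a.rpz-ns.dns-nod.net. nod-admin.fsi.io. 1481553736 600 300 86400 300

;; Query time: 374 msec
EOF
}

# A constructed ordinary NXDOMAIN: the SOA is the authority's, not the policy zone's.
sample_dig_nxdomain_real() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;nosuchname.example.            IN      A

;; AUTHORITY SECTION:
example.                3600    IN      SOA     ns.example. hostmaster.example. 1 7200 3600 1209600 3600

;; Query time: 12 msec
EOF
}
```

Against the live host the calls are `grep '24h.rpz.dns-nod.net/IN' /var/log/syslog | transfer_ok 24h.rpz.dns-nod.net` and `dig @localhost test.dns-nod.net | rpz_rewritten 24h.rpz.dns-nod.net`; a non-zero exit from either is the condition to alert on.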

About Farsight Security

Farsight Security, Inc. is the world’s largest provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at www.farsightsecurity.com or follow us on Twitter: @FarsightSecInc.