Farsight Security NOD Service Using IXFR
This tutorial documents how to set up BIND with Response Policy Zones using Newly Observed Domain (NOD) data from Farsight Security® Inc. (now a part of DomainTools). Its purpose is to teach the basics of using Response Policy Zones on a single host for instructional purposes; this guide is not intended for production configuration.
Requirements
- Ubuntu 16.04
- root or sudo privileges
- Provisioned for NOD IXFR by Farsight Security
- Firewall:
  - Inbound ports (udp & tcp) 53 open to:
    - 104.244.13.88, 104.244.14.88
    - 2620:11c:f004::88, 2620:11c:f008::88
- NTP service enabled
- The IP address(es) of the host that will be connecting to Farsight Security
Prerequisites
Start with a clean install of Ubuntu 16.04. For testing purposes a virtual machine with 1 CPU and 1GB of memory would be adequate.
Setup Instructions
Install and configure BIND 9
This tutorial uses BIND as a recursive caching server.
Install BIND 9 (9.10.3)
$ sudo apt-get update
$ sudo apt-get install bind9 bind9utils bind9-doc
Configure BIND to be a recursive caching DNS Server
$ sudo vim /etc/bind/named.conf.local
Add an ACL to allow recursive queries. Choose a CIDR range that makes sense for your organization.
acl localnetwork {
192.168.0.0/16;
localhost;
localnets;
};
named.conf.local should look like
//
// Do any local configuration here
//
acl localnetwork {
192.168.0.0/16;
localhost;
localnets;
};
Add the following within the options directive
$ sudo vim /etc/bind/named.conf.options
recursion yes;
allow-query { localnetwork; };
named.conf.options should look like
options {
directory "/var/cache/bind";
recursion yes;
allow-query { localnetwork; };
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Check the syntax of the BIND configuration files
The shell prompt will return immediately without any output if there are no errors.
$ sudo named-checkconf
Restart BIND
$ sudo service bind9 restart
Verify BIND is listening on localhost and is working as a caching server
$ dig @localhost www.farsightsecurity.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost www.farsightsecurity.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50461
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.farsightsecurity.com. IN A
;; ANSWER SECTION:
www.farsightsecurity.com. 3527 IN A 104.244.13.104
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 12 14:27:56 UTC 2016
;; MSG SIZE rcvd: 69
Create the named.fsi-FSI-xxxx-x.conf file
Using the configuration files sent to you by Farsight, create the
named.fsi-FSI-xxxx-x.conf file in /etc/bind/
sudo vim /etc/bind/named.fsi-FSI-xxxx-x.conf
key "FSI-xxxx-x-key" {
algorithm HMAC-SHA512;
secret "xxxxxxxxx";
};
masters "fsi-ixfr-masters" {
104.244.13.88 key "FSI-xxxx-x-key";
104.244.14.88 key "FSI-xxxx-x-key";
2620:11c:f004::88 key "FSI-xxxx-x-key";
2620:11c:f008::88 key "FSI-xxxx-x-key";
};
Add a response-policy statement inside the existing options block of named.conf.options (keep the options already there)
$ sudo vim /etc/bind/named.conf.options
options {
response-policy {
zone "24h.rpz.dns-nod.net";
};
};
Configure the NOD 24h zone in named.conf.local
$ sudo vim /etc/bind/named.conf.local
include "/etc/bind/named.fsi-FSI-xxxx-x.conf";
zone "24h.rpz.dns-nod.net" {
type slave;
file "24h.rpz.dns-nod.net.zone";
masters { fsi-ixfr-masters; };
allow-query {localhost;};
allow-transfer {none;};
};
Check the syntax of the BIND configuration files
The shell prompt will return immediately without any output if there are no errors.
$ sudo named-checkconf
Restart BIND
$ sudo service bind9 restart
Verification
Search through the syslog file looking for successful zone transfers for the NOD 24h zone file. The initial transfer pulls the whole zone; later transfers, triggered by a NOTIFY from the Farsight master, carry only the changed records (80 records in the second transfer below), which is the IXFR delta:
$ grep '24h.rpz.dns-nod.net/IN' /var/log/syslog
Dec 12 14:39:34 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: Transfer started.
Dec 12 14:39:34 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN' from 104.244.13.88#53: connected using 172.30.0.167#45545
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: transferred serial 1481553555: TSIG 'fsi-0410-67-key'
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN' from 104.244.13.88#53: Transfer status: success
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN' from 104.244.13.88#53: Transfer completed: 273 messages, 366059 records, 7933511 bytes, 2.337 secs (3394741 bytes/sec)
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: sending notifies (serial 1481553555)
Dec 12 14:39:39 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: notify from 104.244.13.88#57745: zone is up to date
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: notify from 104.244.13.88#57745: serial 1481553575
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: Transfer started.
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN' from 104.244.13.88#53: connected using 172.30.0.167#53262
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: transferred serial 1481553575: TSIG 'fsi-0410-67-key'
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN' from 104.244.13.88#53: Transfer status: success
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN' from 104.244.13.88#53: Transfer completed: 1 messages, 80 records, 1891 bytes, 0.073 secs (25904 bytes/sec)
Look up the name test.dns-nod.net using localhost as the resolver and confirm the status is "NXDOMAIN". The SOA record for 24h.rpz.dns-nod.net in the ADDITIONAL section shows that the answer was rewritten by the policy zone rather than returned by the name's authoritative servers.
$ dig @localhost test.dns-nod.net
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost test.dns-nod.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10874
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.dns-nod.net. IN A
;; ADDITIONAL SECTION:
24h.rpz.dns-nod.net. 300 IN SOA a.rpz-ns.dns-nod.net. nod-admin.fsi.io. 1481553736 600 300 86400 300
;; Query time: 374 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 12 14:42:47 UTC 2016
;; MSG SIZE rcvd: 114
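The two verification steps above can be scripted so they are repeatable (for example from cron). The following is an added example, not part of the Farsight tutorial: it parses the syslog lines the grep returns for the latest transferred serial, any non-successful transfer, and the TSIG key that signed the last transfer, and it checks dig output for the RPZ rewrite signature. The embedded log and dig samples are constructed to match the formats shown on this page.

```shell
#!/bin/sh
# Added example, not from the Farsight tutorial. Sample data below is constructed
# in the same format as the tutorial's syslog and dig output.
ZONE='24h.rpz.dns-nod.net/IN'

sample_log() {   # constructed syslog excerpt
cat <<'EOF'
Dec 12 14:39:34 resolver named[18893]: zone 24h.rpz.dns-nod.net/IN: Transfer started.
Dec 12 14:39:36 resolver named[18893]: zone 24h.rpz.dns-nod.net/IN: transferred serial 1481553555: TSIG 'fsi-0410-67-key'
Dec 12 14:39:36 resolver named[18893]: transfer of '24h.rpz.dns-nod.net/IN' from 104.244.13.88#53: Transfer status: success
Dec 12 14:39:50 resolver named[18893]: zone 24h.rpz.dns-nod.net/IN: transferred serial 1481553575: TSIG 'fsi-0410-67-key'
Dec 12 14:39:50 resolver named[18893]: transfer of '24h.rpz.dns-nod.net/IN' from 104.244.13.88#53: Transfer status: success
EOF
}

sample_dig() {   # constructed dig output for a name the policy zone rewrites
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10874
;; ADDITIONAL SECTION:
24h.rpz.dns-nod.net. 300 IN SOA a.rpz-ns.dns-nod.net. nod-admin.fsi.io. 1481553736 600 300 86400 300
EOF
}

# Highest serial named reports as transferred for the zone (stdin: syslog).
latest_serial() {
  grep -F "zone $ZONE: transferred serial " |
    sed 's/.*transferred serial \([0-9]*\):.*/\1/' | sort -n | tail -n 1
}

# Number of transfer attempts whose status was anything but success (stdin: syslog).
failed_transfers() {
  grep -F "transfer of '$ZONE'" | grep -F 'Transfer status:' |
    grep -vc 'Transfer status: success' || true
}

# TSIG key named logged for the most recent transfer (stdin: syslog). Empty output
# means the last transfer was not TSIG-signed, which the masters block should never allow.
last_tsig_key() {
  grep -F "zone $ZONE: transferred serial " | tail -n 1 |
    sed -n "s/.*TSIG '\([^']*\)'.*/\1/p"
}

# Succeeds only when dig output (stdin) shows an RPZ rewrite: rcode NXDOMAIN
# plus the policy zone's own SOA in the ADDITIONAL section.
rpz_rewrite_seen() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q 'status: NXDOMAIN' &&
    printf '%s\n' "$out" | grep -q '^24h\.rpz\.dns-nod\.net\.[[:space:]].*[[:space:]]SOA[[:space:]]'
}

echo "serial: $(sample_log | latest_serial), failed: $(sample_log | failed_transfers), key: $(sample_log | last_tsig_key)"
```

On a live host, replace sample_log with `grep '24h.rpz.dns-nod.net/IN' /var/log/syslog` and sample_dig with `dig @localhost test.dns-nod.net`.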