Farsight Security NOD Service Using IXFR

This tutorial documents how to set up BIND with Response Policy Zones using Newly Observed Domain (NOD) data from Farsight Security® Inc. (now a part of DomainTools). Its purpose is to teach the basics of using Response Policy Zones on a single host for instructional purposes; this guide is not intended for production configuration.

Requirements

  • Ubuntu 16.04
  • root or sudo privileges
  • Provisioned for NOD IXFR by Farsight Security
  • Firewall:
    • Inbound port 53 (UDP and TCP) open to:
      • 104.244.13.88, 104.244.14.88
      • 2620:11c:f004::88, 2620:11c:f008::88
  • NTP service enabled
  • The IP address(es) of the host that will be connecting to Farsight Security

Prerequisites

Start with a clean install of Ubuntu 16.04. For testing purposes, a virtual machine with 1 CPU and 1 GB of memory is adequate.

Setup Instructions

Install and configure BIND 9

This tutorial uses BIND as a recursive caching server.

Install BIND 9 (9.10.3)

$ sudo apt-get update
$ sudo apt-get install bind9 bind9utils bind9-doc

Configure BIND to be a recursive caching DNS Server

$ sudo vim /etc/bind/named.conf.local

Add an ACL to allow recursive queries. Choose a CIDR range that makes sense for your organization.

acl localnetwork {
 192.168.0.0/16;
 localhost;
 localnets;
};

named.conf.local should look like

//
// Do any local configuration here
//

acl localnetwork {
  192.168.0.0/16;
  localhost;
  localnets;
};

Add the following within the options directive

$ sudo vim /etc/bind/named.conf.options
recursion yes;
allow-query { localnetwork; };

named.conf.options should look like

options {
       directory "/var/cache/bind";

       recursion yes;
       allow-query { localnetwork; };

       dnssec-validation auto;

       auth-nxdomain no;    # conform to RFC1035
       listen-on-v6 { any; };
};

Check the syntax of the BIND configuration files

The shell prompt will return immediately without any output if there are no errors.

sudo named-checkconf

Restart BIND

sudo service bind9 restart

Verify BIND is listening on localhost and is working as a caching server

$ dig @localhost www.farsightsecurity.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost www.farsightsecurity.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50461
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.farsightsecurity.com.      IN      A

;; ANSWER SECTION:
www.farsightsecurity.com. 3527  IN      A       104.244.13.104

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 12 14:27:56 UTC 2016
;; MSG SIZE  rcvd: 69

Create the named.fsi-FSI-xxxx-x.conf file

Using the configuration files sent to you by Farsight, create the named.fsi-FSI-xxxx-x.conf file in /etc/bind/

sudo vim /etc/bind/named.fsi-FSI-xxxx-x.conf
key "FSI-xxxx-x-key" {
  algorithm HMAC-SHA512;
  secret "xxxxxxxxx";
};

masters "fsi-ixfr-masters" {
  104.244.13.88 key "FSI-xxxx-x-key";
  104.244.14.88 key "FSI-xxxx-x-key";
  2620:11c:f004::88 key "FSI-xxxx-x-key";
  2620:11c:f008::88 key "FSI-xxxx-x-key";
};

Add a response-policy configuration to named.conf.options

$ sudo vim /etc/bind/named.conf.options
options {
   response-policy {
     zone "24h.rpz.dns-nod.net";
   };
};

Configure the NOD 24h zone in named.conf.local

$ sudo vim /etc/bind/named.conf.local
include "/etc/bind/named.fsi-FSI-xxxx-x.conf";

zone "24h.rpz.dns-nod.net" {
   type slave;
   file "24h.rpz.dns-nod.net.zone";
   masters { fsi-ixfr-masters; };
   allow-query {localhost;};
   allow-transfer {none;};
};

Check the syntax of the BIND configuration files

The shell prompt will return immediately without any output if there are no errors.

$ sudo named-checkconf

Restart BIND

$ sudo service bind9 restart

Verification

Search syslog for successful zone transfers of the NOD 24h zone:

$ grep '24h.rpz.dns-nod.net/IN' /var/log/syslog

Dec 12 14:39:34 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN:
    Transfer started.
Dec 12 14:39:34 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN'
    from 104.244.13.88#53: connected using 172.30.0.167#45545
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN:
    transferred serial 1481553555: TSIG 'fsi-0410-67-key'
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN'
    from 104.244.13.88#53: Transfer status: success
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN'
    from 104.244.13.88#53: Transfer completed: 273 messages, 366059 records,
    7933511 bytes, 2.337 secs (3394741 bytes/sec)
Dec 12 14:39:36 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: sending
    notifies (serial 1481553555)
Dec 12 14:39:39 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: notify
    from 104.244.13.88#57745: zone is up to date
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: notify
    from 104.244.13.88#57745: serial 1481553575
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN: Transfer
    started.
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN'
    from 104.244.13.88#53: connected using 172.30.0.167#53262
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: zone 24h.rpz.dns-nod.net/IN:
    transferred serial 1481553575: TSIG 'fsi-0410-67-key'
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN'
    from 104.244.13.88#53: Transfer status: success
Dec 12 14:39:50 ip-172-30-0-167 named[18893]: transfer of '24h.rpz.dns-nod.net/IN'
    from 104.244.13.88#53: Transfer completed: 1 messages, 80 records, 1891 bytes,
        0.073 secs (25904 bytes/sec)

Look up the name test.dns-nod.net using localhost as the resolver and confirm that the status is "NXDOMAIN".

$ dig @localhost test.dns-nod.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost test.dns-nod.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10874
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.dns-nod.net.              IN      A

;; ADDITIONAL SECTION:
24h.rpz.dns-nod.net.    300     IN      SOA     a.rpz-ns.dns-nod.net.
    nod-admin.fsi.io. 1481553736 600 300 86400 300

;; Query time: 374 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 12 14:42:47 UTC 2016
;; MSG SIZE  rcvd: 114
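As an added example (not part of the Farsight guide), the following POSIX shell functions apply the two verification checks above to captured text rather than to a live host: the latest serial that named logged as transferred, and whether a dig reply is an RPZ rewrite (NXDOMAIN plus the policy zone's SOA in the ADDITIONAL section). The syslog excerpt and dig reply are constructed samples in the format the guide shows, and the TSIG key name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Farsight guide: offline checks over the two
# artifacts the Verification section inspects. All sample input below is
# constructed; the TSIG key name is a placeholder.
set -eu
RPZ_ZONE="24h.rpz.dns-nod.net"

# Print the latest serial that named logged as transferred for zone $1
# (log read from stdin); print nothing if no transfer of that zone is logged.
rpz_transfer_serial() {
    awk -v z="zone $1/IN: transferred serial" '
        index($0, z) {
            s = $0
            sub(/.*transferred serial /, "", s)
            sub(/:.*/, "", s)
            last = s
        }
        END { if (last != "") print last }'
}

# Succeed only if the dig output on stdin is NXDOMAIN *and* carries the
# policy zone's SOA in the ADDITIONAL section; BIND attaches that SOA to
# every RPZ-rewritten answer, which distinguishes a policy hit from an
# ordinary NXDOMAIN returned by the authoritative servers.
rpz_hit() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'status: NXDOMAIN' || return 1
    printf '%s\n' "$out" | grep -q "^$1\.[[:space:]].*[[:space:]]SOA[[:space:]]"
}

# Constructed syslog excerpt in the format shown in the guide.
SAMPLE_LOG=$(cat <<'EOF'
Dec 12 14:39:36 host named[18893]: zone 24h.rpz.dns-nod.net/IN: transferred serial 1481553555: TSIG 'FSI-xxxx-x-key'
Dec 12 14:39:50 host named[18893]: zone 24h.rpz.dns-nod.net/IN: transferred serial 1481553575: TSIG 'FSI-xxxx-x-key'
Dec 12 14:39:50 host named[18893]: transfer of '24h.rpz.dns-nod.net/IN' from 104.244.13.88#53: Transfer status: success
EOF
)

# Constructed dig reply for test.dns-nod.net, as rewritten by the NOD zone.
SAMPLE_DIG=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10874
;; QUESTION SECTION:
;test.dns-nod.net.              IN      A
;; ADDITIONAL SECTION:
24h.rpz.dns-nod.net.    300     IN      SOA     a.rpz-ns.dns-nod.net. nod-admin.fsi.io. 1481553736 600 300 86400 300
EOF
)
printf 'last transferred serial: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | rpz_transfer_serial "$RPZ_ZONE")"
printf '%s\n' "$SAMPLE_DIG" | rpz_hit "$RPZ_ZONE" && echo "RPZ rewrite confirmed for test.dns-nod.net"
```

On a live host, feed `grep '24h.rpz.dns-nod.net/IN' /var/log/syslog` and `dig @localhost test.dns-nod.net` into the two functions instead of the constructed samples.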