Manual Chapter : Configuring DNS Response Policy Zones

Applies To:


BIG-IP GTM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP LTM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

Overview: DNS response policy zones and the BIG-IP system

The BIG-IP® system can use a domain name service (DNS) response policy zone (RPZ) as a DNS firewall. An RPZ is a zone that contains a list of known malicious Internet domains. The list includes a resource record set (RRset) for each malicious domain; each RRset covers the malicious domain name itself and, through a wildcard record, any subdomains of that domain.

When the BIG-IP system receives a DNS query for a domain that is on the malicious domain list of the RPZ, the system responds in one of two ways, based on your configuration. You can configure the system to return an NXDOMAIN response, which indicates that the domain does not exist.

Figure: BIG-IP returns an NXDOMAIN response to a DNS query for a malicious domain

Alternatively, you can configure the system to return a response that directs the user to a walled garden.

Figure: BIG-IP redirects a DNS query for a malicious domain to a walled garden

About creating an RPZ using ZoneRunner

There are a number of vendors that host response policy zones (RPZs), and the BIG-IP® system can import a vendor-hosted RPZ by zone transfer. F5® has tested the BIG-IP system with the vendors Spamhaus (http://www.spamhaus.org/organization/dnsblusage/) and SURBL (http://www.surbl.org/df). If you do not want to purchase a subscription from a vendor, you can use ZoneRunner® on the BIG-IP system to create a custom RPZ.
Note: ZoneRunner is available only with a BIG-IP GTM license.

Task summary

Creating a custom RPZ using ZoneRunner

Determine the host name and IP address of the BIG-IP® system on which you are configuring the RPZ.
Note: These steps can be performed only on a BIG-IP system that is licensed for GTM™.
You can create your own RPZ when you do not want to subscribe to an RPZ vendor.
  1. On the Main tab, click DNS > Zones > ZoneRunner > Zone List.
    The Zone List screen opens.
  2. Click Create.
    The New Zone screen opens.
  3. From the View Name list, select external.
    The external view is a default view to which you can assign zones.
  4. In the Zone Name field, type a name for the zone.
    For example, to replicate the format of the Spamhaus and SURBL DNS RPZ names, type rpz.myblacklist.org
  5. From the Zone Type list, select Master.
  6. Clear the Zone File Name field, and type the zone file name; for example, for the zone above:
    db.external.rpz.myblacklist.org
  7. In the Options field, add an also-notify statement so that BIND notifies DNS Express when the zone is updated; for example: also-notify { ::1 port 5353; };
  8. In the SOA Record section, type values for the record fields:
    1. In the TTL field, type the default time-to-live (TTL) for the records in the zone.
    2. In the Master Server field, type the name of the BIG-IP GTM on which you are configuring this zone.
  9. In the NS Record section, type values for the record fields:
    1. In the TTL field, type the time-to-live (TTL) for the nameserver record.
    2. In the NameServer field, type the name of the BIG-IP GTM on which you are configuring this zone.
  10. Click Finished.
Add resource records that represent known malicious domains to your custom RPZ.

Adding resource records to a custom RPZ

Determine the names of the known malicious domain names that you want to include in your custom DNS response policy zone (RPZ).
Note: These steps can be performed only on a BIG-IP® system that is licensed for GTM™.

For each malicious domain that you want to add to your custom RPZ, create a resource record for the domain. Additionally, add a wildcard resource record to cover all subdomains of the malicious domain; without it, a query for a subdomain does not match the RPZ.

  1. On the Main tab, click DNS > Zones > ZoneRunner > Zone List.
    The Zone List screen opens.
  2. Click the name of a custom RPZ to which you want to add malicious zone names.
    The Zone Properties screen opens.
  3. Click Add Resource Record.
    The New Resource Record screen opens.
  4. In the Name field, type the name of the malicious domain in front of the RPZ zone name that the screen displays ([domain].rpz.myblacklist.org.): maliciouszone.com.rpz.myblacklist.org. for the domain itself, or *.maliciouszone.com.rpz.myblacklist.org. for its subdomains.
  5. In the TTL field, type the time-to-live (TTL) for the CNAME record.
  6. From the Type list, select CNAME.
  7. In the CNAME field, type a single period (.).
    In the RPZ format, a CNAME whose target is the root name (.) encodes the NXDOMAIN action for that name. On the BIG-IP system, the action actually applied (NXDOMAIN or walled garden) is selected later, when you add the RPZ to a DNS cache.
  8. Click Finished.
  9. Create additional resource records for each malicious domain that you want to include in your custom RPZ. Remember to create one record for the domain and one for its subdomains.
You can now implement your RPZ on the BIG-IP system or on an external name server.
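The ZoneRunner steps above create the RPZ one record at a time. The following Python script is an added example (not F5 code and not part of the original chapter) that writes the same thing as a complete BIND master file, so you can generate a custom RPZ from a list of domains, check the owner names against DNS length limits before loading it, and read the policy records back. The zone name rpz.myblacklist.org and the CNAME-to-root encoding come from the steps above; the GTM host name gtm.siterequest.com, the SOA timers, and the sample domain list are constructed placeholders.

```python
"""Build the custom RPZ master file that the ZoneRunner steps create
one record at a time (added example, not F5 code)."""
from __future__ import annotations

RPZ_ZONE = "rpz.myblacklist.org"          # custom RPZ name from the steps above
PRIMARY_NS = "gtm.siterequest.com"        # assumed host name of the BIG-IP GTM
SAMPLE_DOMAINS = ["maliciouszone.com", "Evil-Example.net"]  # constructed list

LABEL_MAX = 63       # RFC 1035 limits; prepending a long domain to the zone
NAME_MAX = 253       # name is where custom RPZ entries usually break them


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot; DNS names are case-insensitive."""
    return name.strip().rstrip(".").lower()


def owner_fits(domain: str, zone: str = RPZ_ZONE, wildcard: bool = False) -> bool:
    """True when '<domain>.<zone>' (or '*.<domain>.<zone>') is a legal owner name."""
    d = normalize(domain)
    if not d:
        return False
    owner = f"{'*.' if wildcard else ''}{d}.{normalize(zone)}"
    labels = owner.split(".")
    return (len(owner) <= NAME_MAX
            and all(lab and len(lab) <= LABEL_MAX for lab in labels))


def rpz_owner(domain: str, zone: str = RPZ_ZONE, wildcard: bool = False) -> str:
    """Absolute owner name of the RPZ record that triggers on 'domain'
    (wildcard=True: on every subdomain of it)."""
    if not owner_fits(domain, zone, wildcard):
        raise ValueError(f"cannot place {domain!r} under {zone}: name or label too long")
    prefix = "*." if wildcard else ""
    return f"{prefix}{normalize(domain)}.{normalize(zone)}."


def rpz_records(domain: str, target: str = ".", ttl: int = 300,
                zone: str = RPZ_ZONE) -> list[str]:
    """The pair of records the steps create per domain: one for the name
    itself and one for all subdomains. A CNAME target of '.' is the RPZ
    encoding of the NXDOMAIN action; a walled-garden name (for example
    'walledgarden.siterequest.com.') is the redirect form."""
    return [
        f"{rpz_owner(domain, zone)} {ttl} IN CNAME {target}",
        f"{rpz_owner(domain, zone, wildcard=True)} {ttl} IN CNAME {target}",
    ]


def build_zone(domains: list[str], serial: int, zone: str = RPZ_ZONE,
               primary: str = PRIMARY_NS, ttl: int = 300) -> str:
    """Complete master file: $ORIGIN/$TTL, SOA, NS, then the policy records.
    Duplicate domains are dropped because a duplicate CNAME owner makes
    BIND refuse to load the zone."""
    z = normalize(zone) + "."
    ns = normalize(primary) + "."
    lines = [
        f"$ORIGIN {z}",
        f"$TTL {ttl}",
        # refresh 1h, retry 15m, expire 1w, negative-cache TTL 1h (assumed timers)
        f"@ IN SOA {ns} hostmaster.{z} {serial} 3600 900 604800 3600",
        f"@ IN NS {ns}",
    ]
    seen: set[str] = set()
    for dom in domains:
        key = normalize(dom)
        if key in seen:
            continue
        seen.add(key)
        lines.extend(rpz_records(dom, ttl=ttl, zone=zone))
    return "\n".join(lines) + "\n"


def parse_policies(zone_text: str) -> dict[str, str]:
    """Read the policy records back as {owner: target}, a quick check that
    the file carries exactly the entries you expect before you load it."""
    policies: dict[str, str] = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2:4] == ["IN", "CNAME"]:
            policies[parts[0]] = parts[4]
    return policies


if __name__ == "__main__":
    print(build_zone(SAMPLE_DOMAINS, serial=2015010101), end="")
```

Bump the SOA serial on every regeneration; DNS Express and any secondary that pulls the RPZ only pick up a changed zone when the serial increases.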

About configuring the BIG-IP system to use an RPZ as a DNS firewall

With an RPZ configuration, the BIG-IP® system filters DNS queries for domains that are known to be malicious and returns custom responses that direct those queries away from the malicious domain.

Task summary

Optional: Adding a TSIG key for the server that hosts the RPZ

Before adding a TSIG key for a DNS server that hosts an RPZ:

  • Ensure that the DNS server is configured to allow the BIG-IP® system to perform zone transfers.
  • Ensure that the clocks of the systems that use the TSIG key are synchronized; a TSIG signature carries its signing time and is rejected when the clocks differ by more than the fudge window.
  • Obtain the TSIG key (name, algorithm, and secret) for each DNS server.

Add a TSIG key to the BIG-IP system configuration when you want the zone transfer messages between DNS Express® and the DNS server that hosts the RPZ to be signed and validated.

  1. On the Main tab, click DNS > Delivery > Keys > TSIG Key List.
    The TSIG Key List screen opens.
  2. Click Create.
    The New TSIG Key screen opens.
  3. In the Name field, type the name of the TSIG key.
  4. From the Algorithm list, select the algorithm that was used to generate the key.
  5. In the Secret field, type the TSIG key secret.
  6. Click Finished.
Add the TSIG key to the DNS nameserver that represents the RPZ on the BIG-IP system.
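The name, algorithm, and secret entered above are the three inputs of a TSIG signature. The following Python script is an added example (not F5 code and not part of the original chapter) that signs an AXFR request for the RPZ the way the requesting side does and verifies it the way the server hosting the zone does, following the RFC 8945 wire format. It shows why the key on both systems has to match exactly and why clock synchronization matters: a mismatched secret produces BADSIG, an unknown key name produces BADKEY, and a clock difference larger than the fudge window produces BADTIME. The key name rpz-key, the secret, the zone name, and the timestamps are constructed values; messages are assumed to be uncompressed.

```python
"""Sign and verify a TSIG-protected AXFR request (added example, not F5 code).
Wire format per RFC 8945; names are assumed uncompressed."""
import hashlib
import hmac
import struct
import time

ALGORITHMS = {"hmac-sha256.": hashlib.sha256, "hmac-sha1.": hashlib.sha1}
TYPE_AXFR, TYPE_TSIG, CLASS_IN, CLASS_ANY = 252, 250, 1, 255


def wire_name(name: str) -> bytes:
    """Canonical wire form: lower-case labels, no compression, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def _read_name(buf: bytes, off: int):
    """Parse an uncompressed name; returns (name with trailing dot, next offset)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def axfr_query(zone: str, msg_id: int) -> bytes:
    """Unsigned AXFR query: header with QDCOUNT=1 plus the question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b"") -> bytes:
    """TSIG fields that the MAC covers in addition to the message itself."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + wire_name(algorithm) + struct.pack("!Q", time_signed)[2:]
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message: bytes, key_name: str, secret: bytes,
         algorithm: str = "hmac-sha256.", fudge: int = 300, now=None) -> bytes:
    """Requester side: append a TSIG RR to an unsigned message, bump ARCOUNT."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(secret, message + tsig_variables(key_name, algorithm, now, fudge),
                   ALGORITHMS[algorithm]).digest()
    msg_id = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(algorithm) + struct.pack("!Q", now)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))          # original ID, error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def verify(signed: bytes, keys: dict, now=None):
    """Server side: find the trailing TSIG RR, look the key up by name, recompute
    the MAC over the message as it was before signing, then check clock skew.
    'keys' maps lower-case key names with a trailing dot to secrets."""
    now = int(time.time()) if now is None else now
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False, "FORMERR: message carries no TSIG RR"
    off = 12
    for _ in range(qd):                          # skip the question section
        off = _read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):            # skip every RR before the TSIG
        off = _read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = _read_name(signed, off)
    rtype, rclass = struct.unpack("!HH", signed[off:off + 4])
    off += 10                                    # type, class, TTL, RDLENGTH
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        return False, "FORMERR: last record is not a TSIG RR"
    algorithm, off = _read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_len]
    off += 10 + mac_len
    _orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    secret = keys.get(key_name.lower())
    if secret is None or algorithm not in ALGORITHMS:
        return False, "BADKEY: unknown key name or algorithm"
    # Message as it was before signing: TSIG RR removed, ARCOUNT decremented.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(
        secret, unsigned + tsig_variables(key_name, algorithm, time_signed, fudge, error, other),
        ALGORITHMS[algorithm]).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG: MAC mismatch (wrong secret or altered message)"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME: clocks differ by more than the fudge window"
    return True, "NOERROR"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"         # constructed; never reuse a sample secret
    query = sign(axfr_query("rpz.myblacklist.org.", 0x1234), "rpz-key.", secret)
    print(verify(query, {"rpz-key.": secret}))   # (True, 'NOERROR')
```

The MAC is checked before the time, so a server with a drifted clock reports BADTIME only after the key has already proven valid; if you see BADTIME on the BIG-IP side after configuring the key, fix NTP on both systems rather than touching the key.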

Adding a nameserver object for the server that hosts the RPZ

Obtain the IP address of the authoritative DNS server that hosts the DNS response policy zone (RPZ).
When you want to transfer an RPZ from an authoritative DNS server into the DNS Express™ engine, add a nameserver object that represents the server that hosts the zone.
  1. On the Main tab, click DNS > Delivery > Nameservers.
    The Nameservers List screen opens.
  2. Click Create.
    The New Nameserver screen opens.
  3. In the Name field, type a name for the authoritative DNS server.
  4. In the Address field, type the IP address on which the DNS server listens for DNS messages.
    If the RPZ is hosted on BIND on the BIG-IP system, use the name localhost and the default Address 127.0.0.1 and Service Port 53.
  5. From the TSIG Key list, select the TSIG key that matches the TSIG key on this DNS server.
    The BIG-IP system uses this TSIG key to sign zone transfer requests to the DNS server hosting the zone.
  6. Click Finished.
Create a DNS Express zone and add the nameserver object to the zone.

Creating an RPZ DNS Express zone

Before you create the DNS Express zone:
  • Ensure that the authoritative DNS server that currently hosts the DNS response policy zone (RPZ) is configured to allow zone transfers to the BIG-IP system.
  • Ensure a nameserver object that represents that authoritative DNS server exists in the BIG-IP system configuration.
  • Determine the name you want to use for the DNS Express zone. The zone name must match the zone name on the authoritative DNS server exactly.
    Note: Zone names are case insensitive.
Create a DNS Express zone on the BIG-IP® system when you want to transfer an RPZ into DNS Express.
  1. On the Main tab, click DNS > Zones.
    The Zone List screen opens.
  2. Click Create.
    The New Zone screen opens.
  3. In the Name field, type the name of the DNS zone.
    The name must begin and end with a letter and contain only letters, numbers, and the period and hyphen (-) characters.
  4. In the DNS Express area, from the Server list, select the authoritative primary DNS server that currently hosts the zone.
    Note: The DNS Express engine requests zone transfers from this server.
  5. Select the Response Policy check box.
  6. Click Finished.

Creating a DNS cache

Ensure that the global DNS settings are configured based on your network architecture.
Create a DNS cache on the BIG-IP® system when you want to utilize an RPZ to protect your network from known malicious domains.
  1. On the Main tab, click DNS > Caches > Cache List.
    The DNS Cache List screen opens.
  2. Click Create.
    The New DNS Cache screen opens.
  3. In the Name field, type a name for the cache.
  4. From the Resolver Type list, select one of three types:
     Option                Description
     Resolver              Resolves a DNS request and stores the response in the DNS cache.
     Validating Resolver   Resolves a DNS request, verifies the response using a DNSSEC key, and stores the response in the DNS cache.
     Transparent (None)    Sends a DNS request to a DNS server for resolution, and stores the response in the DNS cache.
  5. Click Finished.

Adding a local zone to represent a walled garden

Ensure that a DNS cache with which you are implementing the RPZ is configured on the BIG-IP® system.

Obtain the resource records for the walled garden zone on your network.

When you want the BIG-IP system to redirect DNS queries for known malicious domains to a specific domain, add a local zone that represents a walled garden on your network to the DNS cache you will use to implement an RPZ.
  1. On the Main tab, click DNS > Caches > Cache List.
    The DNS Cache List screen opens.
  2. Click the name of the cache you want to modify.
    The properties screen opens.
  3. On the menu bar, click Local Zones.
    The Local Zones screen opens.
  4. Click the Add button.
  5. In the Name field, type the domain name of the walled garden on your network.
    Note: The domain you enter must be the exact name you want to use for the walled garden. Ensure that you use a zone name that does not match any other resources on your network, for example, walledgarden.siterequest.com.
  6. From the Type list, select Static.
  7. In the Records area, specify a resource record to identify the local zone, including domain name, type, class, TTL, and record data, separated by spaces, and then click Add.
    For example, if the local zone name is walledgarden.siterequest.com, then this is an example of an A record entry: walledgarden.siterequest.com. IN A 10.10.10.124, and this is an example of a AAAA record entry: walledgarden.siterequest.com. IN AAAA 2002:0:1:12:123:c:cd:cdf.
  8. Click Finished.

Adding an RPZ to a DNS cache

If you want the BIG-IP® system to redirect DNS queries for known malicious domains to a walled garden, ensure that you have first added the local zone that represents the walled garden to the DNS cache.

Add an RPZ to a DNS cache on the BIG-IP® system when you want to protect your network from known malicious domains.
  1. On the Main tab, click DNS > Caches > Cache List.
    The DNS Cache List screen opens.
  2. Click the name of the cache you just created.
    The properties screen opens.
  3. On the menu bar, click Response Policy Zones.
    The Response Policy Zones screen opens.
  4. Click the Add button.
  5. From the Zone list, select an RPZ.
  6. From the Action list, select an action:
     Option          Description
     NXDOMAIN        Answers a DNS query for a malicious domain found in the RPZ with an NXDOMAIN response, which states that the domain does not exist.
     walled-garden   Answers a DNS query for a malicious domain found in the RPZ with the A or AAAA record of the walled garden, which redirects the client to a known host.
  7. If you selected walled-garden, from the Walled Garden IP list, select the local zone that represents the walled garden on your network.
  8. Click Finished.

Staging the RPZ on your network

Ensure that a DNS cache configured with an RPZ exists on the system.
When you want to test how using an RPZ affects your network environment, modify the RPZ by enabling the Logs and Stats Only setting.
  1. On the Main tab, click DNS > Caches > Cache List.
    The DNS Cache List screen opens.
  2. Click the name of the cache you want to modify.
    The properties screen opens.
  3. On the menu bar, click Response Policy Zones.
    The Response Policy Zones screen opens.
  4. Click the name of the RPZ you want to modify.
  5. Select the Logs and Stats Only check box.
    When checked, queries that match a malicious domain in the RPZ list are logged and statistics are created; however, RPZ policies are not enforced. That is, when a DNS query matches a malicious domain in the RPZ list, the system does not return an NXDOMAIN response or redirect the query to a walled garden.
    Warning: System performance is affected even when Logs and Stats Only is selected, because the system still performs the RPZ lookups.

  6. Click Finished.
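The following Python script is an added example (not F5 code and not part of the original chapter) that models how the DNS cache applies the pieces configured in the preceding tasks: the RPZ policy records, the walled-garden local zone, the per-RPZ action (NXDOMAIN or walled-garden), and the Logs and Stats Only staging mode. Feeding it a few constructed queries shows which answer a client receives in each mode and confirms that staging still records a hit without enforcing the policy. The policy records and the walled-garden A/AAAA records are the ones from the steps above; the upstream answers (RFC 5737 documentation addresses), the query names, and the matching order (exact owner first, then the wildcard of the closest ancestor) are constructed or simplified for the example, and the walled-garden answer is simplified to the garden's own records.

```python
"""Model the DNS cache's handling of queries against an RPZ
(added example, not F5 code; matching order is a simplification)."""
from __future__ import annotations
from dataclasses import dataclass, field

RPZ_ZONE = "rpz.myblacklist.org"
# Policy records as ZoneRunner creates them: owner name -> CNAME target.
POLICIES = {
    "maliciouszone.com.rpz.myblacklist.org.": ".",
    "*.maliciouszone.com.rpz.myblacklist.org.": ".",
}
# Static local zone that represents the walled garden (records from the steps above).
LOCAL_ZONES = {
    "walledgarden.siterequest.com.": {
        "A": ["10.10.10.124"],
        "AAAA": ["2002:0:1:12:123:c:cd:cdf"],
    },
}
# Stand-in for what the resolver would fetch from the Internet (constructed).
UPSTREAM = {
    "www.example.com.": {"A": ["203.0.113.10"]},
    "maliciouszone.com.": {"A": ["198.51.100.7"]},
}


def fqdn(name: str) -> str:
    """Lower-case absolute form, the key format used by the tables above."""
    return name.strip().lower().rstrip(".") + "."


@dataclass
class RpzConfig:
    """What 'Adding an RPZ to a DNS cache' and 'Staging the RPZ' configure."""
    zone: str
    action: str                    # "NXDOMAIN" or "walled-garden"
    walled_garden: str = ""        # local zone name, used only for walled-garden
    logs_and_stats_only: bool = False
    hits: int = 0                  # the statistics the staging mode still collects
    log: list = field(default_factory=list)


def rpz_trigger(qname: str, zone: str, policies: dict) -> str | None:
    """Owner of the policy record that fires for qname, or None.
    Exact owner first, then the wildcard of the closest ancestor."""
    q = fqdn(qname).rstrip(".")
    z = fqdn(zone)
    exact = f"{q}.{z}"
    if exact in policies:
        return exact
    labels = q.split(".")
    for i in range(1, len(labels)):
        wild = f"*.{'.'.join(labels[i:])}.{z}"
        if wild in policies:
            return wild
    return None


def resolve(qname: str, qtype: str, rpz: RpzConfig, policies=POLICIES,
            local=LOCAL_ZONES, upstream=UPSTREAM):
    """Return (rcode, [(owner, type, rdata), ...]) as the cache would answer."""
    q = fqdn(qname)
    hit = rpz_trigger(q, rpz.zone, policies)
    if hit:
        rpz.hits += 1
        mode = "log-only" if rpz.logs_and_stats_only else rpz.action
        rpz.log.append(f"rpz-match qname={q} qtype={qtype} trigger={hit} action={mode}")
        if not rpz.logs_and_stats_only:
            if rpz.action == "NXDOMAIN":
                return "NXDOMAIN", []
            if rpz.action == "walled-garden":
                wg = fqdn(rpz.walled_garden)
                rrs = local.get(wg, {}).get(qtype, [])
                return "NOERROR", [(wg, qtype, rd) for rd in rrs]
            raise ValueError(f"unknown RPZ action {rpz.action!r}")
    # No policy fired (or staging mode): local zones first, then upstream.
    for source in (local, upstream):
        if q in source:
            return "NOERROR", [(q, qtype, rd) for rd in source[q].get(qtype, [])]
    return "NXDOMAIN", []


if __name__ == "__main__":
    for cfg in (RpzConfig(RPZ_ZONE, "NXDOMAIN"),
                RpzConfig(RPZ_ZONE, "walled-garden", "walledgarden.siterequest.com"),
                RpzConfig(RPZ_ZONE, "NXDOMAIN", logs_and_stats_only=True)):
        for name in ("www.example.com", "maliciouszone.com", "cdn.evil.maliciouszone.com"):
            print(cfg.action, cfg.logs_and_stats_only, name, resolve(name, "A", cfg))
        print(cfg.log)
```

Running the staged configuration against the same queries is the check to do before turning enforcement on: every hit that shows up in its log is a name your clients would stop resolving once Logs and Stats Only is cleared.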

Creating a custom DNS profile for DNS caching

Ensure that at least one DNS cache exists on the BIG-IP® system.
You can create a custom DNS profile to configure the BIG-IP system to cache responses to DNS queries.
  1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
    The DNS profile list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. In the General Properties area, from the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box.
  6. In the DNS Features area, from the DNS Cache list, select Enabled.
    When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list.
  7. In the DNS Features area, from the DNS Cache Name list, select the DNS cache that you want to associate with this profile.
    You can associate a DNS cache with a profile even when the DNS Cache option is Disabled.
  8. Click Finished.

Creating listeners to identify DNS queries

Create listeners to identify the DNS queries that DNS Express handles. When DNS Express® is only answering DNS queries, only two listeners are required: one with an IPv4 address that handles UDP traffic and one with an IPv6 address that handles UDP traffic.

However, the best practice is to create four listeners, which allows DNS Express to handle zone transfers, should you decide to use this feature. DNS zone transfers use TCP port 53. With this configuration, you create one listener with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic. You also create one listener with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic.

Tip: If you have multiple BIG-IP® GTM™ systems in a device group, perform these steps on only one system.
Note: These steps apply only to GTM-provisioned systems.
  1. On the Main tab, click DNS > Delivery > Listeners.
    The Listeners List screen opens.
  2. Click Create.
    The Listeners properties screen opens.
  3. In the Name field, type a unique name for the listener.
  4. For the Destination setting, in the Address field, type an IPv4 address on which the BIG-IP system listens for DNS queries.
  5. From the Listener list, select Advanced.
  6. Optional: If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
  7. Optional: If you are using NATs on your network, for the Address Translation setting, select the Enabled check box.
  8. Optional: If you are using port translation on your network, for the Port Translation setting, select the Enabled check box.
  9. In the Service area, from the Protocol list, select UDP.
  10. In the Service area, from the DNS Profile list, select either dns or a custom DNS profile configured for DNS Express.
  11. Click Finished.
Create another listener with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more listeners, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.

Creating virtual servers to process DNS queries

Create virtual servers to process the DNS queries that DNS Express handles. When DNS Express is only answering DNS queries, only two virtual servers are required: one with an IPv4 address that handles UDP traffic and one with an IPv6 address that handles UDP traffic.

However, the best practice is to create four virtual servers, which allows DNS Express to handle zone transfers, should you decide to use this feature. DNS zone transfers use TCP port 53. With this configuration, you create one virtual server with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic. You also create one virtual server with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic.

Note: These steps apply only to LTM®-provisioned systems.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: The IP address for this field needs to be on the same subnet as the external self-IP.
  5. In the Service Port field, type 53.
  6. From the Protocol list, select UDP.
  7. Optional: If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
  8. Optional: From the SNAT pool list, select the name of an existing SNAT pool.
  9. From the Configuration list, select Advanced.
  10. From the DNS Profile list, select either dns or the custom DNS profile you created for DNS Express.
  11. Click Finished.
Create another virtual server with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more virtual servers, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.

Viewing DNS zone statistics

You can view information about DNS zones.

  1. On the Main tab, click Statistics > Module Statistics > DNS > Zones.
    The Zones statistics screen opens.
  2. From the Statistics Type list, select Zones.
    Information displays about the traffic handled by the zones in the list.
  3. In the Details column for a zone, click View.
    Read the online help for an explanation of the statistics.

Viewing DNS cache statistics

Ensure that you have created a DNS cache and a DNS profile and have assigned the profile to either an LTM® virtual server or a GTM™ listener.
You can view DNS cache statistics to determine how well a specific cache on the BIG-IP® system is performing.
  1. On the Main tab, click Statistics > Module Statistics > DNS > Caches.
    The DNS Caches Status Summary screen opens.
  2. From the Statistics Type list, select Caches.
  3. In the Details column for a cache, click View to display detailed information about the cache.
  4. To return to the DNS Cache Statistics screen, click the Back button.

About configuring the BIG-IP system as an RPZ distribution point

You can configure an RPZ on the BIG-IP® system and allow other nameservers to perform zone transfers of the RPZ.
Warning: DNS Express® supports only full zone transfers (AXFRs); therefore, transferring an RPZ from the BIG-IP system to another nameserver creates additional traffic on your internal network.

Task summary

Configuring the BIG-IP system as a distribution point for an RPZ

Ensure that you have created a DNS Express zone for the RPZ.
Enable the DNS Express zone for the RPZ to be a distribution point on your network to allow other nameservers to perform zone transfers of the RPZ.
  1. On the Main tab, click DNS > Zones.
    The Zone List screen opens.
  2. Click the name of the zone you want to modify.
  3. In the Zone Transfer Clients area, move the nameservers that can initiate zone transfers from the Available list to the Active list.
  4. Optional: From the TSIG Key list, select the TSIG key you want the BIG-IP system to use to validate zone transfer traffic.
  5. Click Update.

Enabling the BIG-IP system to respond to zone transfer requests

To enable the BIG-IP® system to respond to zone transfer requests for an RPZ zone, create a custom DNS profile.
  1. On the Main tab, click DNS > Delivery > Profiles > DNS.
    The DNS profile list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. In the General Properties area, name the profile dns_zxfr.
  4. Select the Custom check box.
  5. In the DNS Traffic area, from the Zone Transfer list, select Enabled.
  6. Click Finished.

Creating listeners to handle zone transfer requests for an RPZ

Determine which DNS nameservers will make zone transfer requests for an RPZ.

Create listeners to alert the BIG-IP® system to zone transfer requests for an RPZ.

Note: DNS zone transfers use TCP port 53.
Note: This task applies only to GTM™-provisioned systems.
  1. On the Main tab, click DNS > Delivery > Listeners.
    The Listeners List screen opens.
  2. Click Create.
    The Listeners properties screen opens.
  3. In the Name field, type a unique name for the listener.
  4. For the Destination setting, in the Address field, type the IPv4 address on which the BIG-IP system listens for DNS zone transfer requests for a zone hosted on a pool of DNS servers.
  5. From the Listener list, select Advanced.
  6. From the VLAN Traffic list, select All VLANs.
  7. Optional: If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
  8. Optional: If you are using NATs on your network, for the Address Translation setting, select the Enabled check box.
  9. Optional: If you are using port translation on your network, for the Port Translation setting, select the Enabled check box.
  10. In the Service area, from the Protocol list, select TCP.
  11. In the Service area, from the DNS Profile list, select dns_zxfr (the custom profile you created to enable the BIG-IP system to process zone transfer requests).
  12. Click Repeat.
  13. Create another listener with the same settings, except using a different name and an IPv6 address.
  14. Click Finished.

Creating virtual servers to handle zone transfer requests for an RPZ

Determine which DNS nameservers will make zone transfer requests for an RPZ.

Create virtual servers to alert the BIG-IP system to zone transfer requests for an RPZ.

Note: DNS zone transfers use TCP port 53.
Note: This task applies only to LTM®-provisioned systems.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: The IP address for this field needs to be on the same subnet as the external self-IP.
  5. In the Service Port field, type 53.
  6. From the Protocol list, select TCP.
    Zone transfers run over TCP, so both virtual servers that you create in this task use the TCP protocol.
  7. Optional: If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
  8. Optional: From the SNAT pool list, select the name of an existing SNAT pool.
  9. From the Configuration list, select Advanced.
  10. From the DNS Profile list, select the custom DNS profile you created.
  11. Click Finished.
Create another virtual server with the same settings, but use a different name and an IPv6 address.