PowerDNS on Ubuntu

Overview

This document describes the integration process of the ThreatSTOP DNS Firewall with a PowerDNS DNS server running on Ubuntu.

A birds-eye view of the setup procedure is:

• Open a ThreatSTOP account if you have not already done so.
• Using the Portal, configure a new device - Manufacturer: DNS Server and Model: PowerDNS 4.5+ (Ubuntu).
• Installing Powerdns Recursor on Ubuntu if you don’t have a running instance already.
• Configure PowerDNS act as a slave server for the zone that contains your policy using LUA.
• Optionnally, install the provided service to collect and upload logs.
• Configure the client machines to be protected to use the ThreatSTOP DNS Firewall for address resolution.

Compatibility

Supported Operating Systems

• Any OS that can run PowerDNS Recursor (see packages here) can load ThreatSTOP’s RPZ.
• Log collection and upload to ThreatSTOP servers requires a ThreatSTOP-provided module currently available for Ubuntu 18.04 and Ubuntu 20.04. Please contact support@threatstop.com if you would like to upload logs on a different OS.

Supported PowerDNS Servers

• PowerDNS Recursor 4.5.0 or later

Limitations

• PowerDNS Recursor 4.5 or later is required for parsing of RPZ triggers (the domain or DNS that caused a DNS lookup to be blocked) and RPZ actions (the DNS action performed in response to the policy hit) in logs and ThreatSTOP reports.
• Currently, PowerDNS doesn’t log RPZ details if the policy action is to drop the request (i.e. to not answer the client).
• PowerDNS doesn’t support notifcations for updates of RPZ zones (see https://github.com/PowerDNS/pdns/issues/5284).

Device Settings

You will need the following settings to complete the installation. You can retrieve the RPZ Zone name, TSIG Key name, TSIG Key secret and Device ID via the settings of the device in the Admin Portal.

Prerequisites

System

The ThreatSTOP PowerDNS-based DNS Firewall on Ubuntu requires a system that meets at least these specifications.

• 2 GB of RAM.
• 10 GB of disk space.
• Time synchronized (e.g. using NTP) - policy zones will not download if the server time is not correct.
• Python 3 for logging.

You will need root access on the Ubuntu system.

Connectivity

To retrieve its configuration and policy, and to upload log data, the machine needs the following connectivity:

• DNS over TCP
  • IP Range: 192.124.129.0/24
  • Outbound TCP port 53 or 5353
• HTTPS
  • Hostname: logs.threatstop.com
  • IP range: 204.68.99.208/28
  • Outbound TCP port 443

PowerDNS Installation

The PowerDNS installation documentation is available here. This describes the installation of version 4.5, the first version which includes full RPZ logging capabilities. Using newer version than 4.5 should not cause issues. Repositories for other PowerDNS versions and other operating systems are documented here.

Ubuntu 18.04

• Create /etc/apt/sources.list.d/powerdns.list with this content

  deb [arch=amd64] http://repo.powerdns.com/ubuntu bionic-rec-45 main
  

• Run the following commands

  curl https://repo.powerdns.com/FD380FBB-pub.asc | sudo apt-key add -
  apt update
  apt install pdns-recursor
  

Ubuntu 20.04

• Create /etc/apt/sources.list.d/powerdns.list with this content

  deb [arch=amd64] http://repo.powerdns.com/ubuntu focal-rec-45 main
  

• Run the following commands

  curl https://repo.powerdns.com/FD380FBB-pub.asc | sudo apt-key add -
  apt update
  apt install pdns-recursor
  

Setup instructions

The following steps will walk you through the configuration of PowerDNS to enable the ThreatSTOP DNS Firewall.

ThreatSTOP Portal setup

• If you want to use a custom DNS Firewall policy, please read DNS Firewall Policies
• Create a new Device Entry: Click on Devices and then on Add Device.
  • Select DNS Defense
  • The Manufacturer is: DNS Server
  • The Model is: PowerDNS (Ubuntu)
• Select the DNS Firewall policy - either a pre-defined policy or a custom policy
• Note: It can take up to 30 minutes for a new device to become available after it is created in the Portal. Once the device is available, its IP address will be recognized in the output of the following command:

$ curl https://logs.threatstop.com/cgi-bin/validip.pl
Your IP address: <ip address>
Address is in the list of authorized hosts

Configuring PowerDNS

You will need the following settings to configure PowerDNS:

The RPZ feature is enabled using PowerDNS’s LUA feature as documented here. The default PowerDNS configuration file (/etc/powerdns/recursor.conf), the following entry should exist. Add it if you are using a custom configuration.

lua-config-file=/etc/powerdns/recursor.lua

Edit /etc/powerdns/recursor.lua (or your existing LUA configuration file) to add:

-- ThreatSTOP RPZ Configuration

rpzPrimary("192.124.129.51", "[Zone name retrieved from device settings]", { tsigname="Retrieved from device settings", tsigalgo="hmac-md5", tsigsecret="Retrieved from device settings"})

Next, restart PowerDNS and check that the Response Policy Zone is filtering:

$ sudo systemctl restart pdns-recursor
$ dig @127.0.0.1 bad.threatstop.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11203
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;bad.threatstop.com.		IN	A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 26 19:44:17 UTC 2020
;; MSG SIZE  rcvd: 47

The command should return no records. If an IP address is returned, review the PowerDNS configuration. You can also run the server with trace on (using --trace) to check for issues.

Logging and Log upload

Logging is optional. PowerDNS logs RPZ hits by sending Protobuf messages. A tool to receive and process the log messages is provided by ThreatSTOP. It will relay logs to a syslog server.

• Add the following line to the PowerDNS LUA configuration file

  -- Logging
  protobufServer("127.0.0.1:8000", {logQueries=true, logResponses=true, exportTypes={'A', 'AAAA', 'CNAME', 'MX', 'PTR', 'NS', 'SPF', 'SRV', 'TXT'}} )
  

• Add the ThreatSTOP repository: create /etc/apt/sources.list.d/threatstop.list with this content

  # Ubuntu 18.04
  deb https://debian.threatstop.com/ThreatSTOP/ bionic main
  

  # Ubuntu 20.04
  deb https://debian.threatstop.com/ThreatSTOP/ focal main
  

• Download and install the PowerDNS Log service (ThreatSTOP package)

  curl https://debian.threatstop.com/GPG-KEY.asc | sudo apt-key add -
  sudo apt update
  sudo apt install pdns-rpz-log
  

This package will install:

• a script named pdns-rpz-logger in /usr/local/bin.
• a systemd config file to control it (systemctl <command> pdns-rpz-log).
• a syslog configuration file named threatstop-pdns.conf in /etc/rsyslog.d/ to route syslog message.
• a cron file named threatstop-pdns in /etc/cron.d/ to trigger the RPZ RPZ log rotation.
• a logrotate configuration file named threatstop in /etc/logrotated.d to rotate and upload the RPZ logs.
• a config file named /etc/ts-pdns-tdid which must edited to contain your device’s id (tdid).
  • Your tdid: retrieve it from the device settings page.

Syslog output will be written to /var/log/rpz.log, e.g.

Apr 20 18:03:28 ubuntu-focal 2021-04-20 18:03:27 client 127.0.0.1#39283 (bad.threatstop.com): rpz QNAME NXDOMAIN rewrite bad.threatstop.com via bad.threatstop.com.Policy.Account.rpz.threatstop.local

Log upload can be disabled by commenting out the curl command in /etc/logrotate.d/threatstop.

• Restart PowerDNS

• Test that your logging configuration is working as expected:

  dig @127.0.0.1 bad.threatstop.com  should return NXDOMAIN
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5611
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
  

• Check that a log entry was added to /var/log/rpz.log

• Check the logrotate configuration. The following command should show a successful file upload (HTTP/1.1 200 OK)

  sudo /usr/sbin/logrotate -f /etc/logrotate.d/threatstop-pdns
  

Proxy support

If your network requires the use of an HTTP proxy, add the proxy option to the curl command in the logrotate config file: –proxy server:port. The proxy must be an HTTP proxy with support for HTTPS (CONNECT protocol).