This document describes how to integrate the ThreatSTOP DNS firewall with a DNS server that supports Response Policy Zones (RPZ).

Overview

ThreatSTOP is currently integrated with the DNS servers listed here. If your DNS server is not listed but supports the RPZ mechanism, you can configure your server to load the response policy zone using the settings provided in the portal. You can also request support for your brand of devices by contacting ThreatSTOP support.

Connectivity

To retrieve its configuration and policy, and to upload log data, the DNS server needs the following connectivity:

  • DNS over TCP
    • IP Range: 192.124.129.51/32
    • Outbound TCP port 53 or 5353
  • DNS over UDP (optional, but recommended for DNS notifications)
    • IP Range: 192.124.129.51/32
    • Inbound UDP port 53
  • NTP
    • Outbound UDP port 123

Configuration Steps

  • Step 1: Create a ThreatSTOP account if you don’t already have one.
  • Step 2: Browse to the device page and create a new device entry with the following type:
    • Type: DNS Firewall
    • Vendor: Generic
    • Type: Generic DNS
  • Step 3: Enter the device settings
    • Nickname: This is a mnemonic name used to identify the device. It can be set to any string (A-Z, 0-9, - and _). If you create multiple device entries, each entry must have a unique nickname. The Nickname will be used to identify the device on the TSCM and in the Reporting user interface.

    • Policy: Select a pre-defined policy or a customized policy. It must be a DNS Policy type.

    • IP Type: Access to the ThreatSTOP services is controlled in part by an ACL that allows the device IP to connect. If your device has a static public IP address (the most common case), select static. If your device has a dynamic public IP address, the ThreatSTOP services can look up the IP address using a fully-qualified domain name (FQDN).

    • Public IP address: In static mode, this is the public IP address of the TSCM. It is possible to configure multiple device entries with the same public IP address.

    • Note: An optional field to store a note of your choice about the device - location, identifiers, model…

  • Step 4: Save the device configuration. Upon reload, the RPZ zone settings will be available (see the Device Settings section below).
  • Step 5: Configure the zone name, master server and TSIG key details in your DNS server.
  • Step 6: Configure your DNS server to apply the Response Policy Zone to incoming DNS requests.
  • Step 7: Validate that the policy is applied by looking up bad.threatstop.com. The request should be blocked and not return an A record.
  • Step 8: If supported by your DNS server, enable RPZ logging.

If your DNS server supports DNS notifications, you can also enable them from 192.124.129.51/32 to retrieve policy zones when they are updated in ThreatSTOP’s servers, instead of relying on the zone refresh.
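As an added example (not ThreatSTOP's own configuration), the following BIND 9 named.conf fragment shows Steps 5, 6 and 8 on one server: the TSIG key, the secondary RPZ zone pulled from the ThreatSTOP master, the response-policy statement and RPZ logging. The zone name, key name, key secret and master IP are placeholders for the values shown under Device Settings; the TSIG algorithm, file paths and log location are assumptions.

```conf
// TSIG key shared with the ThreatSTOP zone master.
// Replace name, algorithm and secret with the values from Device Settings
// (the algorithm below is an assumption; use the one the portal shows).
key "REPLACE_WITH_TSIG_KEY_NAME" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_TSIG_KEY_SECRET";
};

// Zone master(s) from the "DNS Server IP Address" setting (placeholder IP).
// Transfers are signed with the key above; TCP 53 is the default, use
// "port 5353" after the address if your egress policy requires it.
masters threatstop-masters {
    203.0.113.10 key "REPLACE_WITH_TSIG_KEY_NAME";
};

// Step 5: load the policy zone as a secondary (BIND 9.16+ also accepts "type secondary").
zone "REPLACE_WITH_RPZ_ZONE_NAME" {
    type slave;
    file "slaves/threatstop-rpz.db";
    masters { threatstop-masters; };
    // Optional: accept NOTIFY from ThreatSTOP so updates are fetched
    // immediately instead of waiting for the zone refresh interval.
    allow-notify { 192.124.129.51/32; };
    // The policy zone is consumed locally only; never serve or re-transfer it.
    allow-query { localhost; };
    allow-transfer { none; };
};

// Step 6: add this to your existing options {} block.
options {
    response-policy { zone "REPLACE_WITH_RPZ_ZONE_NAME"; };
};

// Step 8: log every RPZ hit to its own file for reporting and incident review.
logging {
    channel rpz_log {
        file "/var/log/named/rpz.log" versions 5 size 20m;
        print-time yes;
        print-category yes;
    };
    category rpz { rpz_log; };
};
```

After `rndc reload`, check the zone transfer succeeded in the named log, then perform Step 7: `dig @127.0.0.1 bad.threatstop.com A` should return no A record and the hit should appear in rpz.log.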

Device Settings

You will need the following settings to complete the installation. You can retrieve the RPZ Zone name, TSIG Key name, TSIG Key secret and Device ID via the settings of the device in the Admin Portal.

Setting                  Value
-----------------------  ---------------------------------------------
DNS Server IP Address    Zone masters, retrieved from device settings
Device ID                Retrieved from device settings
RPZ Zone Name            Retrieved from device settings
TSIG Key Name            Retrieved from device settings
TSIG Key Secret          Retrieved from device settings