This document describes the integration process of the ThreatSTOP DNS Defense with a Microsoft DNS server running on Windows Server 2016.

Requirements

A server or Virtual Machine running Windows 2016 Server (the “Server”).

  • 8GB of RAM or more required.
  • Make a note of the public IP address of your Server
  • Create an account on the ThreatSTOP Portal

Installation

  • Log into your Windows 2016 Server as an Administrator.
  • Download the Windows Server 2016 Installation Script text file.
  • Change the extension of the file name from .txt to .Ps1 (TS-DNSfirewall-Win-2016.Ps1)
  • Open PowerShell ISE using Run as administrator:
    • Click on the Start Menu.
    • Right-click on Windows PowerShell ISE.
    • From the More menu, select Run as administrator.
    • Click the New page icon to create a new PowerShell file.
  • Paste the contents of the text file into the PowerShell window.
  • Execute the script by clicking the green arrow. You will be prompted to enter the public IP address of your Server.

If necessary, the DNS Server role will be enabled on your server. This step may take a few minutes to complete. A reboot is not required.

  • Wait a few moments for the installation to complete. The full ThreatSTOP package will be downloaded and extracted to C:\ThreatSTOP, and setup tasks will be performed.
  • When setup is complete, a message similar to the following will be displayed:
    ThreatSTOP DNS Policy Setup completed at 07/04/2016 23:22:51
    

About your Installation

The installer creates a new directory located at C:\ThreatSTOP. This directory contains useful files and scripts:

  • ThreatSTOP.ini – this is the configuration file for your ThreatSTOP service. Modify this file when changing the name of your ThreatSTOP policy.
  • Setup.ps1 – re-run this file (as Administrator) after making changes to your ThreatSTOP.ini configuration file.
  • UninstallTS.ps1 – run this script (as Administrator) to remove the ThreatSTOP service. Note that the uninstaller removes all DNS policies and Scheduled Tasks for ThreatSTOP but does not remove the C:\ThreatSTOP directory from your server. You may wish to delete this folder manually after uninstalling. The DNS Server role is not changed or removed when running this script.

Register Your Device at threatstop.com

Adding a device to ThreatSTOP is a straightforward process. To add a device to ThreatSTOP:

  • Log in at https://admin.threatstop.com.
  • Click on Devices.
  • If you have an available seat the + Add Device icon will display. Click on this icon to continue.
  • The Edit Device window pop-up will display.
  • Enter a Nickname for the device (we recommend a description of the device, or the network name of the device).
  • Select the Manufacturer of the device. For Windows Server 2016, this should be set to Microsoft.
  • Select the Model or type of device being installed. In this case, select Windows Server 2016.
  • Select the IP Type (Static or Dynamic) used by the device. Set this to Static.
  • Enter the IP Address of the device. The address to use can be determined by visiting http://www.threatstop.com/cgi-bin/validip.pl from the Windows 2016 Server.
  • In the Location dropdown select the country you reside in. This is an optional field.
  • If your country uses Postal or ZIP Codes enter yours in the Postal Code field. This is an optional field.
  • Select the DNS firewall policy you wish to run the device under. This defaults to a ThreatSTOP-provided policy, but a custom policy can be used.
  • Click Next.
  • A message offering help with adding your DNS firewall policy to your device will appear. Clicking here or Rules will take you to this help page. Clicking Done will return you to the ThreatSTOP portal.
  • Click Done.

Testing your ThreatSTOP installation

Open a command window and run a lookup of bad.threatstop.com against localhost. A DNS response of Query refused indicates that your ThreatSTOP DNS policies are working correctly.

C:\Users\user>nslookup bad.threatstop.com localhost
*** Unknown can't find bad.threatstop.com: Query refused
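The same check from PowerShell, as an added example that is not part of the ThreatSTOP package: it queries the test domain and a control domain against the local DNS server so a refusal can be told apart from the DNS service simply being down. It assumes the Microsoft DNS server listens on 127.0.0.1 and that www.threatstop.com is not on your block list.

```powershell
# Added example (not ThreatSTOP's own code). Assumes the DNS server is local
# and that the control name resolves normally under your policy.
function Test-ThreatStopPolicy {
    param(
        [string]$DnsServer   = '127.0.0.1',
        [string]$BlockedName = 'bad.threatstop.com',   # ThreatSTOP's test domain
        [string]$ControlName = 'www.threatstop.com'    # assumed to be allowed
    )

    function Resolve-One([string]$Name) {
        try {
            $r = Resolve-DnsName -Name $Name -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop
            $ips = ($r | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress) -join ','
            [pscustomobject]@{ Name = $Name; Resolved = $true;  Detail = $ips }
        } catch {
            # A refused query ends up here; keep the server's message for the report.
            [pscustomobject]@{ Name = $Name; Resolved = $false; Detail = $_.Exception.Message }
        }
    }

    $blocked = Resolve-One $BlockedName
    $control = Resolve-One $ControlName

    # The policy is healthy only if the test domain is refused AND normal lookups
    # still work. Both failing usually means the DNS service itself is unreachable.
    [pscustomobject]@{
        BlockedTestRefused = -not $blocked.Resolved
        ControlResolves    = $control.Resolved
        PolicyWorking      = (-not $blocked.Resolved) -and $control.Resolved
        BlockedDetail      = $blocked.Detail
        ControlDetail      = $control.Detail
    }
}

Test-ThreatStopPolicy | Format-List
```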

Customizing Your ThreatSTOP DNS Firewall Policy

Policies combine target lists to define the Fully Qualified Domain Names (FQDNs) to which communications are filtered. Unlike a traditional IP firewall, a DNS Firewall regulates outbound traffic without regulating inbound traffic. The response to an attempt to contact a regulated domain can be adjusted to one of several predefined behaviors; by default ThreatSTOP provides four settings (respond with no such domain, drop all communications, don’t provide data, or pass data through). Creating a custom DNS firewall policy is covered in ThreatSTOP DNS Firewall. For this guide we will only be setting up a very basic custom DNS firewall policy. Custom block and allow lists are covered in User-Defined Domains and should be set up before proceeding through this setup.

To set a DNS Firewall Policy:

  • Click on Policies & Lists towards the top of the window.
  • Click on the DNS FW Policy tab.
  • Click on + Add Policy.
  • The Create Policy pop-up will appear.
  • Enter a name for your new policy in the Policy name field.
  • Type a brief description of your policy in the Description field. This will help you focus on what you are looking to accomplish with your policy.
  • Determine the type of policy that you would prefer (Standard or Expert) and toggle the usage mode accordingly.
  • Locate and tick the boxes next to the target lists, and user defined domains you want to Block from communicating with your network.
  • Once you have your DNS firewall policy defined to your liking click Submit.
  • This will add your policy name to the Policy field in the device setup section.
  • Open the C:\ThreatSTOP\ThreatSTOP.ini file and update the TSZoneName value to your new policy name:
TSZoneName=[Zone name retrieved from device settings]
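An added example (not part of the ThreatSTOP package) that makes the ThreatSTOP.ini change from an elevated PowerShell session: it rewrites only the TSZoneName line, keeps a backup, and then re-runs Setup.ps1 as the guide requires. It assumes the file holds one key=value pair per line, as the TSZoneName line shown above does.

```powershell
# Added example (not ThreatSTOP's own code). Assumes ThreatSTOP.ini is a plain
# key=value file and that Setup.ps1 lives beside it in C:\ThreatSTOP.
function Set-ThreatStopZoneName {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$IniPath = 'C:\ThreatSTOP\ThreatSTOP.ini'
    )
    # Setup.ps1 must run as Administrator, so refuse early if we are not elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admin = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not ([Security.Principal.WindowsPrincipal]$id).IsInRole($admin)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell session.'
    }
    # Policy names are DNS zone names; reject anything that could break the .ini.
    if ($ZoneName -notmatch '^[A-Za-z0-9._-]+$') {
        throw "Refusing zone name with unexpected characters: $ZoneName"
    }

    $lines = Get-Content -Path $IniPath
    $found = @($lines | Where-Object { $_ -match '^\s*TSZoneName\s*=' })
    if ($found.Count -ne 1) {
        throw "Expected exactly one TSZoneName line in $IniPath, found $($found.Count)"
    }

    # Timestamped backup so the previous policy name can be restored.
    $backup = '{0}.{1}.bak' -f $IniPath, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -Path $IniPath -Destination $backup

    $updated = $lines | ForEach-Object {
        if ($_ -match '^\s*TSZoneName\s*=') { "TSZoneName=$ZoneName" } else { $_ }
    }
    Set-Content -Path $IniPath -Value $updated
    Write-Host "TSZoneName set to $ZoneName (backup: $backup)"

    # Apply the change the way the guide describes: re-run Setup.ps1.
    & (Join-Path (Split-Path -Parent $IniPath) 'Setup.ps1')
}

# Example call with a constructed policy name; use the name from your device settings.
Set-ThreatStopZoneName -ZoneName 'MyCustomPolicy'
```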

Using ThreatSTOP and Configuring your Clients

Clients and network devices that you wish to protect will need to be configured to use the private IP address of the Windows Server 2016 TP5 Firewall as their DNS server. Alternatively, you can configure your DHCP server to provide this information to clients automatically.

Caution: This is not necessarily the IP address established during the device configuration. It is more than likely that you will need to use the Private IP address of your Windows 2016 Server, or configure your Active Directory controller to use the Windows 2016 DNS server for DNS.

Scheduled Tasks

Open Windows Task Scheduler to see the three tasks created by ThreatSTOP:

  • ThreatSTOP_policyrefresh – updates your ThreatSTOP DNS policies with current threats.
  • ThreatSTOP_exportDNSlog – exports a log of blocked requests to your export folder (as specified in your ThreatSTOP.ini configuration)
  • ThreatSTOP_uploadDNSlog – uploads your ThreatSTOP logs to the ThreatSTOP portal for analysis and reporting.

Event Viewer

ThreatSTOP logs events in the standard Windows Application Log. Use Event Viewer and look in the Source column for ThreatSTOP to view logged events. For example, every time your DNS policies are updated you will see an entry similar to the following:

Policies updated. Last TS pol: ThreatSTOPblock14

ThreatSTOP DNS policies are created in blocks of 1000. So a message of “Last TS pol: ThreatSTOPblock14” indicates that there are approximately 14,000 block rules in effect.

Troubleshooting Installation

  • Check the Event Log for error messages.
  • You may also view C:\Windows\System32\dns to see the ThreatSTOP zone files. The modified date on your current ThreatSTOP policy will update each time your DNS server refreshes its policy.
  • Use the Utilities.ps1 script to check the contents of your ThreatSTOP policy blocks.
  • If you encounter PowerShell permissions restrictions, you may need to change the execution policy using Set-ExecutionPolicy:
Set-ExecutionPolicy RemoteSigned
  • Contact ThreatSTOP for assistance. We’re happy to help!
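A one-shot health report for the Scheduled Tasks, Event Viewer and Troubleshooting sections above, as an added example that is not part of the ThreatSTOP package: it reports the state and last result of the three ThreatSTOP_* tasks, finds the most recent "Policies updated" event and turns its block number into the approximate rule count (1000 rules per block, as the guide states), and shows the newest ThreatSTOP zone file under C:\Windows\System32\dns. The event source name "ThreatSTOP" and the message format are taken from this guide; the zone file name prefix is an assumption.

```powershell
# Added example (not ThreatSTOP's own code). Assumes the event source is
# "ThreatSTOP" and that ThreatSTOP zone files start with "ThreatSTOP".
function Get-ThreatStopHealth {
    param([string]$ZoneDir = "$env:SystemRoot\System32\dns")

    # 1. Scheduled tasks: state, last run and last exit code (0 = success).
    $tasks = Get-ScheduledTask -TaskName 'ThreatSTOP_*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task = $_.TaskName; State = $_.State
                LastRun = $info.LastRunTime; LastResult = $info.LastTaskResult
                NextRun = $info.NextRunTime
            }
        }

    # 2. Newest policy-update event from the Application log.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ThreatSTOP' } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Last TS pol:\s*ThreatSTOPblock\d+' } |
        Select-Object -First 1
    $blocks = $null
    if ($evt -and $evt.Message -match 'ThreatSTOPblock(\d+)') { $blocks = [int]$Matches[1] }

    # 3. Zone files: the newest one should be recent if refreshes are running.
    $zones = Get-ChildItem -Path $ZoneDir -Filter 'ThreatSTOP*' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending

    [pscustomobject]@{
        Tasks             = $tasks
        TasksMissing      = 3 - @($tasks).Count          # the guide lists three tasks
        TasksFailed       = @($tasks | Where-Object { $_.LastResult -ne 0 }).Task
        LastPolicyEvent   = if ($evt)    { $evt.TimeCreated }       else { $null }
        PolicyBlocks      = $blocks
        ApproxRules       = if ($blocks) { $blocks * 1000 }         else { $null }
        NewestZoneFile    = if ($zones)  { $zones[0].Name }          else { $null }
        NewestZoneWritten = if ($zones)  { $zones[0].LastWriteTime } else { $null }
    }
}

Get-ThreatStopHealth | Format-List
```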