This document describes the integration process of the ThreatSTOP DNS Defense with a BIND 9 DNS server running on TSCM via web automation.

Overview

This document describes how to integrate the ThreatSTOP DNS Firewall with an ISC BIND 9 server running on a TSCM.

Setup procedure summary:

  • Open a ThreatSTOP account if you have not already done so.
  • Using the Portal, configure a new device - Manufacturer: ISC and Model: BIND 9 (TSCM)
  • Run the tsadmin add command to create the device. The device will configure itself automatically (the original Bind configuration files are backed up to /opt/threatstop/etc/bind_stock_configs.tgz).
  • Configure the client machines to be protected to use the ThreatSTOP DNS Firewall for address resolution.

Compatibility

Supported Systems

Operating System    OS Provided Bind Version
Ubuntu 16.04        BIND 9.10.3 (Security Changelogs)

Device Settings

You will need the following two sets of settings to complete the installation. You can retrieve the RPZ Zone name, Policy TSIG Key name, Policy TSIG Key secret and Device ID via the settings of the device in the Admin Portal.

ThreatSTOP Portal Device Settings

Setting            Value
Nickname           Name of the device
Policy             DNS RPZ Policy
IP Type            Static or Dynamic Public IP address
IP Address         Public IP address
Bind Mode          Bind mode of operation (1 = Recursion only, 2 = Forwarder only)
Bind Forwarders    (only if Bind Mode is set to Forwarder only) Space-separated list of DNS server IP addresses used to forward upstream queries, e.g. 192.168.1.1 10.0.0.1
Trusted ACL        Addresses allowed to query this DNS server: a space-separated list of special keywords, IPs or CIDR ranges, e.g. 192.168.2.0/24 10.0.0.1. The special keywords (all, localhost, localnets) are handled by Bind.
Bind Port          The TCP port the TSCM should use to listen for DNS requests

Prerequisites

System

The ThreatSTOP TSCM Bind DNS Firewall requires a system that meets at least these specifications.

  • 2 GB of RAM
  • 10 GB of disk space
  • Time synchronized (NTP)

Connectivity

To retrieve its configuration and policy, and to upload log data, the machine needs the following connectivity:

  • DNS over UDP (Internal Clients -> DNS Firewall Device)
    • Inbound UDP port 53 [or whatever port you specify]
  • DNS over UDP (optional, but recommended for DNS notifications)
    • IP Range: 192.124.129.0/24
    • Inbound UDP port 53
  • DNS over TCP
    • IP Range: 192.124.129.0/24
    • Outbound TCP port 53
  • DNS over TLS - Configuration service
    • Hostname: ts-ctp.threatstop.com
    • IP Range: 192.124.129.0/24
    • Outbound TCP port 5353
  • HTTPS
    • Hostname: logs.threatstop.com
    • IP range: 204.68.99.208/28
    • Outbound TCP port 443
  • NTP
    • Outbound UDP port 123

Setup instructions

The following steps will walk you through adding the ThreatSTOP TSCM Bind DNS Firewall device.

ThreatSTOP Portal setup

  • If you want to use a custom DNS Firewall policy, please read DNS Firewall Policies
  • Create a new Device Entry: Click on Devices and then on Add Device.
    • The Manufacturer is: ISC
    • The Model is: BIND 9 (TSCM)
    • TSCM Bind with Web Automation
  • Select the DNS Firewall policy - either a pre-defined policy or a custom policy
  • Note: It can take up to 30 minutes for a new device to become available after it is created in the Portal. Once the device is available, its IP address will be recognized in the output of the following command:

Adding ISC Bind Device - Web Automation

Adding the Bind device via web automation is the easiest method, as all the settings are handled in the Portal and sent down to the TSCM. After filling out the Portal form, run the following command on the TSCM CLI to add the device.

$ tsadmin add --type auto --device_id=[Device ID] --auto_key=[Device Key]

You will be prompted for all device settings listed above. The TSCM device will create Bind configuration files with the supplied settings after the setup wizard completes.

Testing / Troubleshooting your configuration

You can test that the RPZ policy is working correctly by verifying that a known blocked name such as bad.threatstop.com returns NXDOMAIN. Below is an example using the DNS utility dig.

dig @[Bind Server IP or Hostname] bad.threatstop.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5611
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

Below is an example using nslookup, found natively on Windows machines.

C:\Users> nslookup bad.threatstop.com [Bind Server IP or Hostname]
Server:     [Bind Server Hostname]
Address:    [Bind Server IP]#53

** server can't find bad.threatstop.com: NXDOMAIN

Looking up a non-restricted website such as google.com should return its current IP address. You can repeat this check from any client that uses this device as its DNS server.

  • Check that a log entry was added to /var/log/threatstop/devices/[device name]/syslog
  • You can test connectivity to ThreatSTOP by running:

    $ curl https://www.threatstop.com/cgi-bin/validip.pl
    Your IP address: <ip address>
    Address is in the list of authorized hosts

You can verify that the Bind configuration has no major syntax errors by running:

sudo named-checkconf
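The dig checks above, wrapped in a small POSIX shell helper that parses dig's header lines so the two tests (blocked name returns NXDOMAIN, ordinary name still resolves) can be repeated from a client or a monitoring job. This is an added example, not part of the ThreatSTOP documentation or the TSCM tooling; it assumes dig is installed and that the server address and optional Bind Port are passed as arguments.

```shell
#!/bin/sh
# Added verification helper (not ThreatSTOP/TSCM code). It checks that a
# TSCM BIND device applies the RPZ policy (bad.threatstop.com -> NXDOMAIN)
# and still resolves ordinary names, the same test the page runs by hand.
# Assumes dig is installed; server and port are given as arguments.

# Extract the "status:" field from dig's ";; ->>HEADER<<-" line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Extract the ANSWER count from dig's ";; flags:" line (0 when absent).
dig_answers() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Succeed when the output shows an RPZ block: NXDOMAIN and no answer records.
rpz_blocked() {
    [ "$(dig_status "$1")" = "NXDOMAIN" ] && [ "$(dig_answers "$1")" -eq 0 ]
}

# Succeed when the output shows a normal answer: NOERROR with at least one record.
resolves_ok() {
    [ "$(dig_status "$1")" = "NOERROR" ] && [ "$(dig_answers "$1")" -gt 0 ]
}

# Live check against a server (network required). $1 = server, $2 = port (default 53).
check_server() {
    server="$1"; port="${2:-53}"
    if ! rpz_blocked "$(dig @"$server" -p "$port" bad.threatstop.com 2>&1)"; then
        echo "FAIL: bad.threatstop.com not blocked; RPZ policy not applied or not loaded"
        return 1
    fi
    if ! resolves_ok "$(dig @"$server" -p "$port" google.com A 2>&1)"; then
        echo "FAIL: google.com did not resolve; check Bind mode, forwarders or Trusted ACL"
        return 1
    fi
    echo "OK: RPZ block and normal resolution both work via $server:$port"
}

# Run the live check only when a server address is given on the command line.
if [ $# -ge 1 ]; then
    check_server "$@"
fi
```

Run it as `sh check_rpz.sh [Bind Server IP or Hostname] [Bind Port]`; a non-zero exit with the FAIL line tells you which half of the setup (policy or upstream resolution) to look at.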

Additional Information