© 2017 Infoblox Inc. All rights reserved. Implementing Infoblox DNS Firewall January, 2017 Page 4 of 21
Access to the Infoblox Cloud Service Platform RPZ management portal (https://csp.infoblox.com) or other
reputation feeds like Spamhaus.
Infoblox NIOS 8.0 or later is recommended.
Types of RPZs
Local RPZ–A local RPZ is a zone that allows administrators to define multiple response policies locally.
Query responses sent are based on the defined rules.
RPZ Feed–An RPZ feed receives response policies from external sources. DNS clients receive
responses based on the imported rules from a reputable source.
FireEye integrated RPZ–By integrating the NIOS appliance with the FireEye appliance, you can detect
malware and APTs and take necessary actions to mitigate those threats by importing updates from
FireEye appliance into a FireEye RPZ.
Best Practices
When you enable Infoblox DNS Firewall, DNS performance for all queries, recursive or authoritative, will
be affected.
If you have multiple DNS servers in a Grid, ensure that you configure RPZs on the recursive server that is
closest to your DNS clients. If you configure RPZs on second level DNS caching servers, you will not be
able to identify the DNS clients because only the IP addresses of the forwarding name servers can be
identified.
Infoblox recommends that you preview your RPZ rules to ensure ruleset integrity and to avoid unexpected
results. You can preview your rules by selecting Log Only (Disabled) when you configure Policy Override
for an RPZ, RPZ feed, or FireEye integrated RPZ.
The appliance logs all matching and disabled rules for all queries in the syslog. You can view the syslog
to ensure that the rules are set up correctly before they take effect. Ensure that you enable RPZ in the
Logging Category of Grid DNS Properties editor to log these events.
You can use the standard TSIG mechanism to ensure that feed zones come from the correct servers.
Grid members can function either as a primary or secondary servers for the RPZ. As with hosting any
zone as a secondary, please ensure that the appliance is sized properly to hold the zone contents in
memory.
You can only export or import the RPZ local zones using the CSV export or import feature, but you cannot
import or export FireEye zones using this feature.
Note that the NIOS blacklist and NXDOMAIN features take precedence over RPZs.
In order to leverage DNS, notify messages to trigger zone transfer of the feed zone, port 53 incoming on
the lead secondary must be open to receive such messages (TCP and UDP). If not, the zone will refresh
based on the refresh setting in the SOA.
The name of the zone, which is assigned to an RPZ member, must not exceed 256 characters. The name
can be a combination of alphanumeric characters. When the name exceeds this limit, respective zone
fails to load.
Best Practices for FireEye Integrated RPZs
Before you configure a FireEye integrated RPZ, consider the following:
FireEye integrated RPZs inherit default values from local RPZs. You can create, edit and delete rules
using the Infoblox GUI, API, and RESTful API.
To avoid false positives, Infoblox recommends that you create a whitelist of allowed zones using a local
RPZ that is sorted above the FireEye RPZ and add your own domain to the whitelist RPZ. For example,
you can add your company domain name, such as corp100.com. This list must contain popular domains,
such as Alexa 250, and other desired domains.
Note that there will be an impact on the storage capacity when you create a new FireEye alert and map it
with an RPZ rule. The processing of alerts will consume a few CPU cycles, which will have some impact
on the system.
