Policies - BlueCat Edge - Service Point v3.x.x

BlueCat Edge User Guide
Locale
English
Product name
BlueCat Edge
Version
Service Point v3.x.x
Policies let you set site-specific access rules for domain lists, query types, source IPs, and response IPs. There are three types of policies:
  • Trust: Lets you trust certain domains that might be blocked and allow them to be resolved. For example, you can create a trust policy that allows domains that might have been incorrectly blocked by policies using threat detection. BlueCat recommends configuring a global trust policy that includes internal domains that can be characterized as tunneling or DGA. For more information on configuring a global trust policy, refer to Configuring a global trust policy.

    Trust policies can be associated to one or more sites, and can include or exclude source IP addresses.

    Attention:
    • Trust policies override block, redirect, and monitor policies.
    • Trust policies only apply to sites running service point v3.8.0 and greater.
    • Query logs with trust policy actions are not forwarded to the SIEM streaming API.
  • Block: Blocks access to the domain lists, query types, source IPs, or response IPs that you add to the policy. For example, you might apply a policy that blocks access to a domain list of social media URLs. To block access to domains and redirect users to an alternate DN, add a redirect DN.
  • Monitor: Lets you monitor access to domains without impacting the DNS response.

    Monitor policy monitors domains based on the query and nameservers listed under the Authority section of the DNS response.

Policy evaluation of CNAME records

Domain-based block, block with redirect, and monitor policies evaluate CNAME records returned as part of the response chain. If at least one of the returned CNAME records matches the domains associated with the policy, and all of the policy's other criteria are met, then the trust, block, redirect, or monitor action is enforced.

Policy evaluation of Authoritative Nameservers

Block and monitor policies evaluate NS records returned in the Authority section of the query as part of the response chain. If at least one of the returned NS records matches the domains associated with the policy, and all of the policy's other criteria are met, then the trust, block, redirect, or monitor action is enforced.

Order in which policies are applied

When a site has multiple policies associated with it, Trust is applied first, then Block with Redirect, then Block, then Monitor policies.

For block and monitor policies, you can set time and date ranges for the policy to be applied. For example, you can set a range of 9:00 am to 17:00, Monday to Friday, if you want the policy to apply during regular business hours. If you don't select any times or days, the policy is always active. You must select at least one criterion in addition to a time a range to activate the policy.

You can also block, monitor, or trust specific query types or source IP ranges.

Attention:
  • If you are configuring a policy where multiple criteria are selected, the policy action is taken only when all of the conditions are met. For example, if you configure a block policy and you specify a Block List and Query Type, the policy action is only enacted on queries that are found in the block list and match the specified query type.
  • If a DNS query matches all conditions for multiple policies with different redirect destinations, the query is answered with one of the redirected destinations in a random order, resulting in unexpected behavior. Configuring policies with overlapping conditions that can result in a query matching more than one policy is unsupported.
Note: You can also create policies using the API. For more information, refer to Policy management APIs.

Creating a new policy

  1. In the top navigation bar, click and select Policies.
  2. To add a new policy, click New, or select an existing policy and click Edit.
  3. Complete the following information:
    • Enter a name and description for the policy.
    • For Type, select whether to Block, Monitor, or Trust the domains in the domain list.
      Note: If you have an existing Allow policy, you can edit the type to Block, Monitor, or Trust the domains in the domain list.
    • Use the Active toggle to select whether the policy is Active or Inactive.
      Note: You must enter at least one site in the Sites field to activate the policy.
  4. For Sites, enter one or more sites or site group names to add to the policy.
    • As you enter sites and site groups, they appear below the Sites field.
    • To remove a site or site group from a policy, click the X beside the name.
    Tip: Type all sites and press Enter if you want the policy to apply to all of the sites.
    Attention: Some Policy features might not be applied as expected on service points within Sites that are running an older service point version. BlueCat recommends running the latest service point version to ensure that all Policy features function as expected.
  5. (Optional) For a block policy, for Redirect Target, enter the fully qualified domain name (for example, www.bluecat.com) to which blocked domains should be redirected.
  6. (Optional) For a block or monitor policy, select Set Active Time if you want to apply the policy during limited date and time ranges. You can set starting and ending times, combined with applicable days of the week. You can set more than one date and time range.
    Note: If you do not specify an active time, the policy is active at all times.
  7. (Optional) Under Threat, select the checkbox next to DGA or Tunneling to block or monitor queries that meet the threat type criteria.
    Note: If you select both DGA and Tunneling, the policy action will be applied to a query if a threat of either type is identified.
  8. (Optional) Under Domain List, enter the name of the domain list(s) you want to block or monitor.
    For block policy, select one or both of the following:
    • Block domains based on query/answer: Blocks query resolution if the domains listed in the Domain List match the queried hostname or CNAME answers of the DNS response.
    • Block domains based on authoritative nameservers: Blocks query resolution if the domains listed in the Domain List match the Authoritative nameservers found in the authority section of the DNS response.
    Note: You must select at least one criteria to block domain lists.
    For monitor policy, select one or both of the following:
    • Monitor domains based on query/answer: Monitors query resolution if the domains listed in the Domain List match the queried hostname or CNAME answers of the DNS response.
    • Monitor domains based on authoritative nameservers: Monitors query resolution if the domains listed in the Domain List match the Authoritative nameservers found in the authority section of the DNS response.
    Note: You must select at least one criteria to monitor domain lists.
    For trust policy, select one or both of the following:
    • Trust domains based on query/answer: Trusts query resolution if the domains listed in the Domain List match the queried hostname or CNAME answers of the DNS response.
    • Trust domains based on authoritative nameservers: Trusts query resolution if the domains listed in the Domain List match the Authoritative nameservers found in the authority section of the DNS response.
    Note: You must select at least one criteria to trust domain lists.
  9. (Optional) For a block or monitor policy, under Exception List, add any domain lists that are exceptions to the policy rule, if applicable.
    Note: If you define a Exception List, you must also define a parent Block List.*
  10. (Optional) This option allows you to block or monitor DNS queries based on the IP address in the A or AAAA record of the response. Under Response IP Lists:
    • In the Block List field, enter the IP lists that you want to block.
    • In the Exception List field, enter the IP lists that are exceptions to the policy rule, if applicable.
    Note: If you define a Exception List, you must also define a parent Block List.*
  11. (Optional) Under Query Type, begin typing and select from the list of query types to block or monitor.
  12. (Optional) Under Source IP:
    • For block, monitor, and trust policies, select whether to include or exclude source IP addresses.
    • Enter individual IP addresses or a CIDR range in the standard 123.123.100.0/xx format or shorthand CIDR 123.x/xx format, to block or monitor.
    • Press Enter.
    The address or range appears below the Source IPs field. Enter additional addresses or ranges, if needed. To remove a domain from the list, click the X beside its name.
  13. Click Save or Save and Apply.

    Active policies are applied immediately. Inactive policies are saved but not applied until activated.

  14. To delete a policy, ensure that it's inactive, then select it and click Delete.
    Note: Sites, site groups, or domain lists can be deleted even if they're included in a policy. If this happens, when you open a policy for editing, you can't save the policy until you remove the deleted items.

Policy Tips

* If you are defining an Exception List, you must also define a parent Block List under Domain List. For example, if you block all queries flagged as Tunneling but allow certain domains that are known to be legitimate domains as exceptions, you would configure the following settings:
  • Under Threat, set the Type to Tunneling.
  • Under Domain Lists, set the Block List to '*' to block all Tunneling traffic.
  • Under Domain Lists, set the Exception List to the legitimate domains that shouldn't be blocked.

Configuring a global trust policy

At times, internal Active Directory domains or highly dynamic internal zones can be characterized as tunneling or DGA threats. When configuring policies, BlueCat recommends configuring a global trust policy to override any threat detection or other policy enforcement.

To create a global trust policy, you must:
  1. Create a domain list that contains the list of internal or external trusted domains. For more information on creating the domain list, refer to Domain lists.
  2. Create a trust policy that contains the domain list with the trusted domains and apply the policy to all sites.