About This Club

DNS, DHCP, IPAM (IP Address Management)
  1. What's new in this club
  2. Version 1.0.2
     This python3 script is made to work with the extract shell script, which extracts all the records from Infoblox into a CSV file by zone. This merge script merges all those separate CSV files into one master CSV file.

     Credit goes to freelancer: Mahmoud E. Developer Cost: $125

     If this file is helpful to you, a donation toward the site would be appreciated to help with costs.
  3. Version 1.0.0
     This script is used to extract all records for an Infoblox view for any domain in the zonelist.txt. It creates a CSV for every domain with all the DNS records in that zone.
  4. Version 1.0.8
     Initial Zip that includes:
     - dnsquery.py
     - input.txt (example, one domain name per line)
     - output.csv (example)

     Configured dnsquery.py to add DNS Servers.

     ORIGINAL WAY (1.0.0-1.0.7 & 2.0.0-2.0.2):

     ```python
     DNS_SERVERS = [['cax233', '10.40.112.233'], ['cax234', '10.40.112.234'], ['sat233', '10.44.112.233'], ['sat234', '10.44.112.234']]
     ```

     STARTING WITH 1.0.8 and 1.0.9:

     ```python
     DNS_SERVERS = [
         ['cax233', '10.40.112.233'],
         ['cax234', '10.40.112.234'],
         ['sat233', '10.44.112.233'],
         ['sat234', '10.40.112.234']
     ]
     ```

     A pre-req is that you need to install python36-dns:

     ```
     sudo yum install python36-dns
     ```

     We are hoping to get a response like the one shown here (without the color, which was just added to separate the file types).
  5. For reference, I have received an error:

     ```
     [855/1304] File Processed: /home/dhosang/ddiextract/zahyield.com.csv
     Traceback (most recent call last):
       File "merge_csv.py", line 51, in <module>
         processFile(directory + os.sep + file)
       File "merge_csv.py", line 45, in processFile
         data[header.index(my_tuple[0])].append([file.split(os.sep)[-1]] + line)
     IndexError: list index out of range
     ```

     missing a record

     NOTE: If it doesn't seem to be running you gotta check a couple of things:
     - Are you running it with sudo? (You need permission to create result.txt, and you'll get an error stating you don't have permissions.)
     - Make sure Infoblox allows your IP address to access the API.
  6. Ok my primary goal is to find any RFC1918 address space in my Public facing DNS View. So how do I do that?

     First, in Infoblox I go to Data Management -> DNS -> Public DNS View. Click on Show Filter, then click on the first entry and change that to Type, click the middle entry to equals, and change the far right entry to Authoritative (don't care about delegated or forward zones). It basically should look like the image below...

     Click on Export (red arrow is pointing to Export) to download a csv with all the zones from your Public DNS View. Open up that csv file and copy all the zones (domains).

     SSH into a linux box. I create a directory called rfc1918_20220505. Now in that directory, create a text file called zonelist.txt and paste all the authoritative zones you copied from that CSV export you did above (not worried about reverse zones).

     NOTE: It's important you save all the domains in the file named zonelist.txt since this filename is referenced in the script below, so the name is important.

     Now create another file which I call rfc1918extract.sh and paste the below (edit the beginning part to match your environment):

     ```bash
     #!/bin/bash -
     # This script reads a file, zonelist.txt, that contains a
     # list of zone files to download. A separate csv file will be
     # created for each zone. The csv file will be named the
     # same as the zone name. Minimal error checking is
     # performed. Use at your own risk.
     # All files are located in the same directory as this script.

     # Username and password with permission to download csv files
     USERNAME="admin"
     PASSWORD="Pa55w0rd"

     # Grid Master
     SERVER="gm.eventguyz.corp"

     # Define file containing list of zones to export
     ZONELIST="zonelist.txt"

     # Define file that will contain results of curl command
     OUTFILE="result.txt"

     # Location of curl on this system. Use -s so curl is silent
     CURL="/usr/bin/curl -s"

     # WAPI version
     VERSION="v2.11.3"

     # What view are these zones in? default maybe
     VIEW="External"
     #VIEW="default"

     ############################################
     # No more variables to set below this line #
     ############################################

     # Process the zonelist file one line at a time
     while read ZONE
     do
         echo
         echo
         echo
         echo
         echo
         echo "Processing zone: $ZONE"

         # Create CSV file for this zone (credentials come from the variables above)
         $CURL --tlsv1 --insecure --user "$USERNAME:$PASSWORD" -H "Content-Type: application/json" -X POST https://$SERVER/wapi/$VERSION/fileop?_function=csv_export -d "{\"_object\":\"allrecords\",\"view\":\"$VIEW\",\"zone\":\"$ZONE\"}" > $OUTFILE

         ## Alternative form of the same request, bypassing any proxy:
         ## $CURL \
         ##     --tlsv1 \
         ##     --insecure \
         ##     --noproxy '*' \
         ##     --user "$USERNAME:$PASSWORD" \
         ##     -H "Content-Type: application/json" \
         ##     -X POST https://$SERVER/wapi/$VERSION/fileop?_function=csv_export \
         ##     -d "{\"_object\":\"allrecords\",\"view\":\"$VIEW\",\"zone\":\"$ZONE\"}" \
         ##     > $OUTFILE

         ERROR_COUNT=`grep -c Error $OUTFILE`
         echo "Error Count= $ERROR_COUNT"
         if [ $ERROR_COUNT -ne 0 ]; then
             # Display the error and skip rest of loop
             grep Error $OUTFILE
             continue
         fi

         # Get the "token" and "download URL" for later use
         TOKEN=`grep "token" $OUTFILE | cut -d"\"" -f4`
         URL=`grep "url" $OUTFILE | cut -d"\"" -f4`
         echo "Token: $TOKEN"
         echo "URL: $URL"

         # Download the CSV file
         echo "Download CSV file section"
         $CURL \
             --tlsv1 \
             --insecure \
             --noproxy '*' \
             -u "$USERNAME:$PASSWORD" \
             -H "Content-Type: application/force-download" \
             -O $URL

         # Rename CSV file so the file name matches the zone name
         echo "rename CSV file section for $ZONE"
         FILENAME=$ZONE".csv"
         echo "Filename with $ZONE: $FILENAME"

         # Reverse zones will contain the / character which will be interpreted
         # as a directory delimiter if included in file name. Replace with +
         FILENAME=`echo $FILENAME | tr \/ +`
         echo "Filename remove slashes: $FILENAME"
         mv Zonechilds.csv $FILENAME
         echo "Filename after Zonechilds.csv mv: $FILENAME"

         # Let NIOS know download is complete
         echo "Let NIOS know download is complete SECTION"
         $CURL \
             --tlsv1 \
             --insecure \
             --noproxy '*' \
             -u "$USERNAME:$PASSWORD" \
             -H "Content-Type: application/json" \
             -X POST https://$SERVER/wapi/$VERSION/fileop?_function=downloadcomplete \
             -d "{ \"token\": \"$TOKEN\"}"
     done < "$ZONELIST"

     exit
     ```

     Make the file executable by running:

     ```
     chmod 755 rfc1918extract.sh
     ```

     If you do a ls on the directory you should have two files like the one below. Make sure you are in the directory with your files:

     ```
     cd rfc1918_20220505
     ```

     Now it's time to just run the file:

     ```
     bash rfc1918extract.sh
     ```

     Verify it's working by seeing domain after domain go by on the screen. Now this is going to take awhile. Once completed you will have a domain.com.csv file for each zone that was in your zonelist.txt.

     Now you have choices on what you want to do with all these CSV files.

     OPTION #1

     Now in the same directory with all those csv files, if you wanted to find all the RFC1918 addresses you could run:

     ```
     grep -E ',10\.|,172\.|192\.168\.' * | sort > /tmp/all-rfc1918-records.txt
     ```

     This grep searches for multiple patterns. Since this is a comma separated file we can search for ,10. and ,172. and ,192.168.

     OPTION #2

     It's possible you want to combine all the CSV files into one master CSV, which can be done using merge_csv.py

     merge_csv (1).py

     Download the file above (merge_csv (1).py), rename it to merge_csv.py and upload it to your linux box in the directory where all your csv files are. Now run the python script:

     ```
     python3 merge_csv.py
     ```

     The script creates a combined csv for each record type:

     ```
     File Saved: /rfc1918_20220505/data_20220506/srvrecord_20220506.csv
     File Saved: /rfc1918_20220505/data_20220506/txtrecord_20220506.csv
     File Saved: /rfc1918_20220505/data_20220506/arecord_20220506.csv
     File Saved: /rfc1918_20220505/data_20220506/cnamerecord_20220506.csv
     File Saved: /rfc1918_20220505/data_20220506/hostaddress_20220506.csv
     File Saved: /rfc1918_20220505/data_20220506/hostrecord_20220506.csv
     File Saved: /rfc1918_20220505/data_20220506/mxrecord_20220506.csv
     File Saved: /rfc1918_20220505/data_20220506/ptrrecord_20220506.csv
     File Saved: /rfc1918_20220505/data_20220506/nsrecord_20220506.csv
     ```

     Now you have the CSV files, you can either just combine all files into one CSV:

     ```
     cat *csv > int.eventguyz.com_external.csv
     ```

     OR I go into the data_date directory and run the following command to pull the rfc1918 addresses into one .csv:

     ```
     grep -E ',10\.|,172\.|192\.168\.' * | sort > all-rfc1918-records_$(date +%Y%m%d).csv
     ```

     EXAMPLE INPUT (if needed): csv_examples.zip
     EXAMPLE OUTPUT (if needed): csv_output_examples.zip
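As an added example (not part of the post above or its scripts), here is a Python 3 finder that walks the per-zone CSV exports the extract script writes and reports only true RFC 1918 addresses, checking the exact 172.16.0.0/12 boundary instead of a `,172.` prefix, and also catching addresses embedded in TXT/SPF strings. The CSV layout it assumes (an object-type first column with `header-<type>` rows) and every sample row are constructed.

```python
"""Report RFC 1918 addresses found in Infoblox per-zone CSV exports.

Added example: scans one CSV (or a directory of them) and returns every
private IPv4 address together with the record type and name it sits in.
The CSV layout assumed here (first column = object type, preceded by a
"header-<type>" row per type) and the sample rows below are constructed.
"""
import csv
import io
import ipaddress
import re
from pathlib import Path
from typing import List, Tuple

# The three RFC 1918 blocks, checked as networks so 172.200.x.x is not a hit.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Dotted-quad candidates anywhere inside a field (TXT/SPF strings included).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

Hit = Tuple[str, str, str, str]  # (zone, record type, record name, address)


def is_rfc1918(addr: str) -> bool:
    """True only for a syntactically valid IPv4 address inside a private block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def find_private_records(zone: str, csv_text: str) -> List[Hit]:
    """Scan every field of every data row; skip the per-type header rows."""
    hits: List[Hit] = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith("header-"):
            continue
        rtype = row[0]
        name = row[1] if len(row) > 1 else ""
        for field in row[1:]:
            for candidate in IPV4_RE.findall(field):
                if is_rfc1918(candidate):
                    hits.append((zone, rtype, name, candidate))
    return hits


def scan_directory(directory: str) -> List[Hit]:
    """Run the scan over every <zone>.csv file the extract script produced."""
    hits: List[Hit] = []
    for path in sorted(Path(directory).glob("*.csv")):
        zone = path.stem.replace("+", "/")  # the extract script swaps '/' for '+' in names
        hits.extend(find_private_records(zone, path.read_text(encoding="utf-8", errors="replace")))
    return hits


# Constructed sample: what one zone's allrecords export might look like.
SAMPLE_ZONE = "example.com"
SAMPLE_CSV = """header-arecord,fqdn*,_new_fqdn,address*,comment
arecord,www.example.com,,203.0.113.10,public web
arecord,intranet.example.com,,10.40.112.233,leaked into the public view
arecord,printer.example.com,,172.20.5.9,
arecord,cdn.example.com,,172.200.1.1,not private (a prefix grep on 172. would flag it)
header-cnamerecord,fqdn*,canonical_name*
cnamerecord,alias.example.com,www.example.com
header-txtrecord,fqdn*,text*
txtrecord,example.com,"v=spf1 ip4:192.168.1.0/24 -all"
"""

if __name__ == "__main__":
    for zone, rtype, name, addr in find_private_records(SAMPLE_ZONE, SAMPLE_CSV):
        print(f"{zone},{rtype},{name},{addr}")
```

Point `scan_directory()` at the directory holding the per-zone CSVs to get the same tuples for a whole view.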
  7. The easiest way to connect ServiceNow and Infoblox is to use Activity Packs. The new Infoblox and ServiceNow integration allows mutual customers to automate the process of managing DNS Security policies (RPZ, ADP, Threat Insight) and other IPAM, DNS, DHCP elements through the ServiceNow workflows and activities. Currently Infoblox provides the following activities and workflows:

     Activities (Create/Delete/Get):
     - RPZ Rules
     - ADP Rules
     - TI Whitelist Records
     - A Records
     - AAAA Records
     - CNAME Records
     - PTR Records
     - SSH into a device
     - Dig Command

     Workflows:
     - Create RPZ Rule
     - Delete RPZ rule

     Everything can be found on the ServiceNow store under "Infoblox Activity Packs." Below you will find a deployment guide for you to use: ServiceNow Activity Installation Guide.pdf

     Check out this video. Check out the attached PDF presentation explaining a bit further: Integrations with ServiceNow 5_23_18.pdf
  8. Example below.. delete IPv4 address 10.6.120.96

     IDENTIFY OBJECT REFERENCE for IP address

     POSTMAN FORMAT to get Object reference:

     ```
     GET https://{{grid_master}}/wapi/v2.12/ipv4address?ip_address={{ipv4_address}}&_return_as_object=1
     ```

     Expected Response:

     USE Object Reference to DELETE (Reclaim) IP address

     Copy the _ref value from the Response:

     ```
     "_ref": "ipv4address/Li5pcHY0X2FkZHJlc3MkMTAuNi4xMjAuOTYvMA:10.6.120.96"
     ```

     - ipv4address/Li5pcHY0X2FkZHJlc3MkMTAuNi4xMjAuOTYvMA:10.6.120.96

     POSTMAN FORMAT to delete/reclaim IP address:

     ```
     DELETE https://{{grid_master}}/wapi/v2.12/ipv4address/Li5pcHY0X2FkZHJlc3MkMTAuNi4xMjAuOTYvMA:10.6.120.96
     ```

     Expected Response:
  9. Another option is to use the suggestion found on this apple support forum https://support.apple.com/lt-lt/guide/mac-help/mh27452/mac
  10. I gave that a shot and running into issues:

     ```
     USFNTMNBSJEMD6R:~ cowboy$ nsupdate -g
     > server 10.40.88.162
     > update add usfntmnbsjemd6r.nao.global.gearcrushers.com 86400 A 10.34.224.125
     > send
     tkey query failed: GSSAPI error: Major = Miscellaneous failure (see text), Minor = Server (DNS/det1oapdn103.gearcrushers.corp@NAO.GLOBAL.GEARCRUSHERS.COM) unknown while looking up 'DNS/det1oapdn103.gearcrushers.corp@NAO.GLOBAL.GEARCRUSHERS.COM' (cached result, timeout in 1200 sec).
     >
     ```

     Any idea?
  11. If you have admin access you can set debug on to get more info on what's going on.

     Enabling logging for the Mac Directory Service

     In addition to enabling logging for the agent, you may find it necessary to enable logging for the Open Directory Service. To create a log file for the Open Directory Service:

     1. Log in as or switch to the root or admin user.
     2. Run the following command:

        ```
        sudo odutil set log debug
        ```

     3. After running this command, you can find the resulting log files at: /var/log/opendirectoryd.log*

     ```
     sudo log stream --predicate '(messageType == debug) and (subsystem == "com.apple.opendirectoryd")'
     ```

     or

     ```
     sudo log stream --debug --predicate 'subsystem == "com.apple.opendirectoryd"'
     ```

     Just ideas to try
  12. For those who run into this issue - Apple's standard command line tool dsconfigad and its option -restrictDDNS allow you to control the interfaces used for DDNS.

     From the research I've done, it sounds like OSX has the native capability to do Dynamic DNS (DDNS) updates according to RFC 2136, however I'm confused as to how to actually get it to do so. On a Mac, I verified that if I set my Windows DNS server to allow non-secure updates, I could use nsupdate to manually register a new DNS record:

     ```
     # nsupdate
     > update add newhost.hosangit.com 86400 A 10.11.12.13
     > send
     ```

     So, it seems like if that works, then OSX itself ought to be able to do the same thing. Let me break it down a little bit more.

     Get an nsupdate shell going:

     ```
     nsupdate -g
     ```

     Set the DNS Server you are talking to:

     ```
     server 10.0.0.4
     ```

     Add the Record:

     ```
     update add newhost.hosangit.com 86400 A 10.11.12.13
     ```

     Send it:

     ```
     send
     ```

     NOTE: The default behavior for macOS and Windows is to send updates for all connected interfaces. This behavior is not always the best method, especially in cases in which the client is connected to different networks, say a local network, VPN network, etc. A better behavior could be a method to check the DHCP search domain against the AD DNS domain and only update the interfaces which match (wired and wireless for instance). Another good option would be to get the interface service order and only submit the highest connected interface to mimic the dsconfigad -restrictDDNS command. This feature would be most helpful in environments where the computername is set and controlled programmatically, then locked from changing through the sharing prefpane with a config profile.

     Hope that helps...
  13. We are observing a strange case when our VPN client activates on macOS. It configures a utun interface through the DynamicStore API with a fixed non-routable local IP 10.34.130.125.

     ```
     $ ifconfig utun3
     utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1376
         inet 10.34.130.125 --> 10.34.130.125 netmask 0xffffffff
     ```

     The problem is that this IP is getting registered with the DNS server for this host name together with another, real local IP. So a DNS query returns two addresses - one is good and another one is bad. This obviously creates a lot of problems. We did traffic capturing with tcpdump and it shows that the nsupdate tool is indeed registering both IPs. This seems to be part of the OpenDirectory/Active Directory integration. Is there a way to prevent this from happening? VPNs with local-only non-routable IPs are very common and I don't understand the logic why such an IP would be picked for a Dynamic DNS update.
  14. Just a little bit extra that might help...

     Before continuing, make sure your system time is sync'd/accurate because all this is very sensitive and if time is off you will get errors.

     The following command will only allow the address assigned to en0 to be registered via DDNS:

     ```
     dsconfigad -restrictDDNS en0
     ```

     Best practice is to have all NICs disabled except en0 when you bind the Mac. Then restrict DDNS updates to only en0, and only after this enable the subsequent NICs.

     To View current Active Directory Settings:

     ```
     dsconfigad -show
     ```

     To Unbind a Computer from an Active Directory Domain:

     ```
     dsconfigad -f -r -u
     ```

     Note: <username> needs to be replaced with a domain administrator who has binding/unbinding rights.

     To Bind a Mac Laptop Computer to an Active Directory Domain:
     - <computer-name> --> replace this with the computer name you want to bind to Active Directory
     - <username> --> needs to be replaced with a domain administrator who has binding/unbinding rights.
     - <domain> --> replace with the domain you want to join.

     ```
     dsconfigad -a <computer-name> -u <username> -ou "CN=Computers,DC=network,DC=pcpc,DC=org" -domain <domain> -mobile enable -mobileconfirm enable -localhome enable -useuncpath enable -groups "Domain Admins,Enterprise Admins" -alldomains enable
     ```

     To Bind a Mac Desktop Computer to an Active Directory Domain (<computer-name>, <username> and <domain> are replaced the same way as above):

     ```
     dsconfigad -a <computer-name> -u <username> -ou "CN=Computers,DC=network,DC=pcpc,DC=org" -domain <domain> -localhome enable -useuncpath enable -groups "Domain Admins,Enterprise Admins" -alldomains enable
     ```

     reference: OS X Mavericks Using advanced Active Directory options in a configuration profile
  15. In System Preferences -> Network press "Renew DHCP Lease", or the more "fun" way is via the terminal (cli):

     ```
     sudo ipconfig set en0 DHCP
     ```

     (case is important---'DHCP' not 'dhcp'). The above command will do a DHCP lease renew, with all the attendant DNS renewing.

     OR you can use dscl (Directory Services Command Line interface): man dscl

     The 'dscl' Command overview

     The dscl command is run from a shell prompt using the Terminal app or an equivalent app. It has two modes - interactive and non-interactive. The dscl command returns the same data shown in the Directory Editor app. Note: Most names are case-sensitive when using the dscl command.

     Interactive Mode

     Typing 'dscl' at a shell prompt and pressing 'enter' provides access to the interactive mode. Interactive mode displays a '>' prompt. At that point, dscl is waiting for further commands. To quit interactive mode, type the letter 'q' and press 'enter.' Note that the 'ls' and 'cd' commands work within interactive mode. This allows for viewing entries at the current location and traversing the node and path. The prompt will include the current location in the directory path.

     Non-Interactive Mode

     In non-interactive mode, the entire command is entered on one line, the resulting output is displayed on-screen, followed by the normal shell prompt. The general syntax of this command is to specify a node, a command to perform, a path and, optionally, a list of attributes or columns:

     node, command, path, attributes
     or
     data source and database, command, table and record, attributes

     Note: attributes are optional. Not specifying attributes returns all attributes in the specified table. Viewing all attributes of a table may be helpful for determining attribute names and which attributes are most helpful for a given requirement.

     Sample non-interactive commands:

     ```
     dscl /Local/Default read Computers/localhost IPAddress
     dscl /Active\ Directory/MyDomSrv/mydom.com -read /Computers/mymacpro$ distinguishedName
     ```

     Note that the node, command and path must be specified in this order. It does not seem possible to specify the command, node/path or other variations.

     Sample interactive sequence to read localhost data:

     ```
     $ dscl
     Entering interactive mode... (type "help" for commands)
      > ls
     LDAPv3
     Local
     Contact
     Search
      > cd /Local/Default
     /Local/Default > read Computers/localhost
     dsAttrTypeNative:KerberosFlags: 110
     AppleMetaNodeLocation: /Local/Default
     IPAddress: 127.0.0.1
     IPv6Address: ::1 fe80::1%lo0
     KerberosServices: host afpserver cifs vnc
     RecordName: localhost
     RecordType: dsRecTypeStandard:Computers
     /Local/Default >
     ```

     Sample non-interactive command to read localhost data:

     ```
     $ dscl /Local/Default read Computers/localhost
     dsAttrTypeNative:KerberosFlags: 110
     AppleMetaNodeLocation: /Local/Default
     IPAddress: 127.0.0.1
     IPv6Address: ::1 fe80::1%lo0
     KerberosServices: host afpserver cifs vnc
     RecordName: localhost
     RecordType: dsRecTypeStandard:Computers
     ```

     Sample non-interactive command to read a single attribute from the localhost record:

     ```
     $ dscl /Local/Default read Computers/localhost IPAddress
     IPAddress: 127.0.0.1
     ```

     The following examples show the interactive and non-interactive commands for gathering the DNSName, RealName, and RecordName from Active Directory for a specific computer.

     Sample interactive command to read specific Active Directory computer data:

     ```
     $ dscl
     Entering interactive mode... (type "help" for commands)
      > cd Active\ Directory/MYDOM0/All\ Domains/Computers
     /Active Directory/MYDOM0/All Domains/Computers > ls
     MYDOM$
     mymacmini$
     mymacpro$
     MYNB$
     WIN7VM$
     /Active Directory/MYDOM0/All Domains/Computers > read MYNB$ DNSName RealName RecordName
     DNSName: MYNB.mydom.com
     RealName: MYNB
     RecordName: MYNB$
     ```

     Note in the interactive sample, above, the database name (Computers) was included in the node portion of the command. The non-interactive mode does not allow for putting the database in the node. The following two non-interactive commands show the incorrect and correct node and path syntax, respectively. (There may be variations to this rule.)

     Sample non-interactive command to read Active Directory computer data (the node is enclosed in double quotes since it contains spaces):

     ```
     $ dscl "/Active Directory/MYDOM0/All Domains/Computers" -read MYNB$ DNSName RealName RecordName
     Data source (/Active Directory/MYDOM0/All Domains/Computers) is not valid.
     $ dscl "/Active Directory/MYDOM0/All Domains" -read Computers/MYNB$ DNSName RealName RecordName
     DNSName: MYNB.mydom.com
     RealName: MYNB
     RecordName: MYNB$
     ```

     Hope that helps
  16. Is there a similar command to windows "ipconfig /registerdns" for OS X?
  17. It's a bit annoying when you get that your Infoblox environment isn't secure when you navigate to the grid in your browser. So what I do is:

     1. Click on Grid - Grid Manager - Members and place a checkmark to the left of the Grid Master.
     2. On the right, click on the down arrow to the right of Certificates, then select HTTPS Cert and then click on Create Self Signing Certificate.
     3. Replace the FQDN with the Reference code provided by your certificate team.
     4. Enter Company Name.
     5. Enter two character Country Code.
     6. Enter Email address, then click Save and your browser will download a cert.pem file.
     7. Open that up and copy the contents, then send them to your cert team. They will then provide you with a cert that you will then...
     8. Click on Grid - Grid Manager - Members and place a checkmark to the left of the Grid Master.
     9. On the right, click on the down arrow to the right of Certificates, then select HTTPS Cert and then click Upload Certificate.

     You will more than likely need to log off (clear browser cache, cookies) and then go back to the grid URL via your browser and you should no longer see Not Secure.
  18. Many exports limit to 10,000 entries, but what if you have more than that, then what? Using an API call is the way to go. Here are instructions on how to export DHCP Leases from Infoblox using an API call.

     Pre-Req:
     - Must have a user account with API access
     - Must have the FQDN or IP of the GridMaster

     Instructions: (I'm using a Mac of course, so if you are using Windows it will look different, but on Linux it will look the same)

     From the machine's command prompt run:

     ```
     curl -k -u 'admin:infoblox' -H 'content-type: application/json' -X POST "https://gm.eventguyz.corp/wapi/v2.9/fileop?_function=csv_export" -d '{"_object": "lease" }'
     ```

     ```
     {
       "token": "eJytjk0LgjAYx7+K7Jxu0/mCN8OCQBQi6DjEPdnAt7YVRfTd2w517dL19399IrgvUj24kSOg3KNJ\nzChJszAJQpKFGaErD13VYCV0NmbROcaUBCwKKGPWEmNHuZAKOsNPcgAuZ6zgwqXwy+ZYV01R+iQh\nlKZhxBKbyBjBFbQadNDpG7L9ojUth6mbhZx6t7Te1V8+zsIdQ2VxKPh+s/0IjmFtZtX2gM24/OOI\nFK71Vwi93qrJWuw=\n",
       "url": "https://gm.eventguyz.corp/http_direct_file_io/req_id-DOWNLOAD-0601172346205840/Leases.csv"
     }
     ```

     Now download the file using the link in the output above:

     ```
     curl -k -u 'admin:infoblox' -H 'content-type: application/force-download' "https://gm.eventguyz.corp/http_direct_file_io/req_id-DOWNLOAD-0601172346205840/Leases.csv" -o "Leases.csv"
       % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                      Dload  Upload   Total   Spent    Left  Speed
     100 8221k  100 8221k    0     0   359k      0  0:00:22  0:00:22 --:--:--  286k
     ```

     As cleanup, remove the token provided in step 1:

     ```
     curl -k -u 'admin:infoblox' -H 'content-type: application/json' -X POST "https://gm.eventguyz.corp/wapi/v2.9/fileop?_function=downloadcomplete" -d '{"token" : "eJytjk0LgjAYx7+K7Jxu0/mCN8OCQBQi6DjEPdnAt7YVRfTd2w517dL19399IrgvUj24kSOg3KNJ\nzChJszAJQpKFGaErD13VYCV0NmbROcaUBCwKKGPWEmNHuZAKOsNPcgAuZ6zgwqXwy+ZYV01R+iQh\nlKZhxBKbyBjBFbQadNDpG7L9ojUth6mbhZx6t7Te1V8+zsIdQ2VxKPh+s/0IjmFtZtX2gM24/OOI\nFK71Vwi93qrJWuw=\n"}'
     ```

     That's all there is to it and now you have ALL the DHCP Leases in Leases.csv on your machine that you downloaded from Infoblox.
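The same three-step fileop exchange (csv_export, download, downloadcomplete) that this post and the rfc1918extract.sh post both walk through with curl, written as a small Python 3 client. This is an added example, not code from either post or from Infoblox; the Grid Master name is a placeholder, the HTTP layer is a pluggable callable so the sequence can be exercised offline with constructed responses, and TLS verification is on by default (pass `verify_tls=False` only where you would have typed `curl -k`).

```python
"""Export DHCP leases (or any csv_export object) through the Infoblox WAPI fileop workflow.

Added example. Three requests, in the order the curl walkthrough uses them:
  1. POST fileop?_function=csv_export        -> {"token": ..., "url": ...}
  2. GET  the returned url                    -> the CSV bytes
  3. POST fileop?_function=downloadcomplete   with the token (always, even on failure)
The HTTP layer is a plain callable so the workflow can be tested without a grid.
"""
import base64
import json
import ssl
import urllib.request
from typing import Callable, Dict, Optional

# Hypothetical placeholders: replace with your Grid Master FQDN and WAPI version.
GRID_MASTER = "gm.example.corp"
WAPI_VERSION = "v2.9"

# (method, url, headers, body) -> response body bytes
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], bytes]


def urllib_transport(verify_tls: bool = True, timeout: int = 120) -> Transport:
    """Real HTTPS transport built on the standard library only."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # the curl -k behaviour; only for a self-signed lab grid
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> bytes:
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.read()

    return send


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic value equivalent to curl -u user:password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def export_csv(user: str, password: str, transport: Transport, wapi_object: str = "lease",
               grid_master: str = GRID_MASTER, version: str = WAPI_VERSION) -> bytes:
    """Run csv_export / download / downloadcomplete and return the CSV bytes."""
    fileop = f"https://{grid_master}/wapi/{version}/fileop"
    auth = basic_auth_header(user, password)
    json_headers = {"Authorization": auth, "Content-Type": "application/json"}

    # Step 1: ask NIOS to build the export. It answers with a one-time token and a URL.
    reply = json.loads(transport("POST", fileop + "?_function=csv_export", json_headers,
                                 json.dumps({"_object": wapi_object}).encode("utf-8")))
    token, url = reply["token"], reply["url"]

    try:
        # Step 2: fetch the generated file from the URL NIOS handed back.
        return transport("GET", url, {"Authorization": auth,
                                      "Content-Type": "application/force-download"}, None)
    finally:
        # Step 3: release the token so the grid removes the temporary file,
        # even if the download itself raised.
        transport("POST", fileop + "?_function=downloadcomplete", json_headers,
                  json.dumps({"token": token}).encode("utf-8"))


if __name__ == "__main__":
    import getpass
    data = export_csv("admin", getpass.getpass("WAPI password: "), urllib_transport())
    with open("Leases.csv", "wb") as fh:
        fh.write(data)
    print(f"wrote {len(data)} bytes to Leases.csv")
```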
  19. Cowboy Denny

     DNS Queries

     Check how each DNS Server is doing.

     NOTE: DNS can use UDP or TCP port 53. Zone transfers use TCP; queries use UDP. ALSO DNS is considered Layer 7 (Application Layer).

     ARCHITECTURE EXAMPLE
     - External/Internet Facing: Utilize F5 BIG-IP DNS (GTM) as the name server since they are practically impossible to kill.
     - Internal/Intranet: Utilize Infoblox with a minimum of two DNS Views (Internal DNS View for intranet only DNS and External DNS View for internet only).

     REFERENCE LOGICAL DIAGRAM BELOW <insert photo>

     Of course we could configure DNS many different ways, but let's just concentrate on the External DNS for now, since Internal DNS could get complicated with Microsoft Active Directory, using F5 BIG-IP DNS (GTM) for WideIPs and leveraging Anycast, then dealing with DDNS.. as you can see, internal DNS is much more complicated than External DNS.

     To add an External facing DNS Domain (adding a subdomain is the same process):

     First, create the new external domain in Infoblox. I personally like using the csv import process that Infoblox supports. You just populate a CSV like this one here and then go into Infoblox and import the CSV to create the domain (or subdomain). Using the same process (just a different csv) I would add any records that belong in that new domain.

     Second, create the new external domain on your F5 BIG-IP DNS by running a command, but you need to know a couple of things before you can run the command: which name servers are defined on your F5 device that point to the IP address of your Infoblox GridMaster. You can identify this by running this command:

     ```
     iSupport@(mifnt1slbgtm03)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm dns nameserver
     ltm dns nameserver dnsx_server_0 {
         address 10.11.12.205
         route-domain 0
         tsig-key Sup3Rs3CreT
     }
     ltm dns nameserver dnsx_server_1 {
         address 10.11.12.205
         route-domain 0
     }
     ```

     ```
     tmsh create ltm dns zone eventguyz.com dns-express-server dnsx_server_0 dns-express-notify-tsig-verify no
     ```

     Explanation

     dns-express-server TSIG Notes: Use transaction signature (TSIG) keys to authenticate communications about zone transfers between the BIG-IP system and authoritative DNS servers, and between the BIG-IP system and DNS nameservers (clients).
  20. So we all know how to export one subnet in Infoblox using the GUI. Super easy using the export button. If you want to export all addresses in a container, well that's a different story and not so easy.

     My first approach, which was a failure due to the limit of 500 records, was to do a search for anything starting with 10.45., which worked up to 500 records, so that's not going to work since there's a possibility of 65k records in a class B.

     Next step is to download this file, which was created by FHecker on Infoblox, to a system that has python installed (I use my mac or a linux server): export-addresses.txt

     Change the file from ending in .txt to .py. Make it executable by running:

     ```
     sudo chmod 755 export-addresses.py
     ```

     Now the fun is just running it for any container you want. So for this example, I need all records for 10.45.0.0/16 so I run:

     ```
     sudo python export-addresses.py -n 10.45.0.0/16 -o ipam10-46export20210113.csv
     ```

     You'll then get prompted:

     ```
     FQDN for GM (or CP member): [enter your gridmaster fqdn]
     Userid for API calls: [enter your admin for Infoblox]
     Password: [enter your infoblox admin password]
     ```

     It exports everything in the CSV file you provided with the following columns: export-addresses.py.zip
  21. Here are some "notes" on adding Network Insight to an existing GRID.

     PRE-REQ's
     - 2 Infoblox provided files (.ovf and a .vmdk file)
     - VMWare access to deploy an OVF
     - License
     - IP Address, Subnet Mask, Gateway IP Address
     - FQDN to assign to Member
     - SNMP Community Strings
     - ACL's to include the IP Address that you assign to the Discovery member

     INSTRUCTIONS for INFOBLOX Part 1
     - Log into your Infoblox Grid Master to add the new vND-800 member
     - Click on Grid – Grid Manager – Members
     - Click the + button to add a new member
     - Member Type: Virtual NIOS for the vND-820
     - Host Name: <enter the FQDN for the server>
     - Click Next
     - Enter Address, Subnet Mask and Gateway for the appliance and click Save & Close

     INSTRUCTIONS for vSphere (VMWare ESX)
     - Open your vSphere Client
     - Click File, Deploy OVF Template and browse to the Infoblox provided file that ends with -160G-ND-v800.ovf and click Next
     - You will get the OVF Template Details screen (nothing to do here), just click Next to continue
     - End User License Agreement: at the bottom of the window you'll find the button Accept, click on that and then the Next button highlights.. click Next to continue
     - Name and Location: you enter the name (typically the FQDN you assigned as part of the Infoblox step above) and click Next to continue
     - Disk Format: Click the radio button next to Thin Provision and click Next to continue
     - Network Mapping: normally you can leave this with the default and just click Next to continue
     - Here you see a summary... leave "power on after deployment" not checked and click Finish to create the VM instance.

     Once the vm session is created, now open the console and power on the device to finish setting up the box. When you get prompted to login: admin and password is: infoblox

     SET 60day TEMP LICENSES

     Now we need to get the 3 60 day temp licenses installed:

     ```
     set temp_license
     2. Add vNIOS license
     Are you sure you want to do this? (y or n): y

     set temp_license
     1. Add Grid license
     Are you sure you want to do this? (y or n): y
     Restart UI now, this will log out all UI users? (y or n): y

     set temp_license
     3. Add Discovery license
     Are you sure you want to do this? (y or n): y
     Restart UI now, this will log out all UI users? (y or n): y
     Are you sure you want to do this? (y or n): y
     ```

     SET NETWORK

     ```
     set network
     Enter IP address:
     Enter netmask:
     Enter gateway address:
     Configure IPv6 network settings? (y or n): n
     Become grid member? (y or n): y
     Enter Grid Master VIP:
     Enter Grid Name:
     Enter Grid Shared Secret:
     WARNING: Joining a grid will replace all the data on this node!
     Is this correct? (y or n): y
     Are you sure? (y or n): y
     ```

     NOTE: The new virtual application will restart and will synchronize data from the Grid Master

     INSTRUCTIONS for INFOBLOX Part 2
     - Log into your Infoblox Grid Master to add the new vND-800 member
     - Click on Grid – Grid Manager and click on Discovery
     - Under the Services Tab click the edit pencil
     - Infoblox (Grid Discovery Properties) under Basic Tab, Basic Polling Settings: SNMP Collection, Port Scanning Profile, Device Smart IPv4 Subnet Ping Sweep, Complete Ping Sweep, NetBIOS Scanning, Automatic ARP Refresh before Switch Port Polling, Switch Port Data Collection, Periodic Polling 1 Hours, Scheduled Polling
     - Credentials (you can add as many as you have but may want to rearrange the order so the majority of the devices with the same snmp is at top): SNMPv1/v2 Read Community, Order, Comment; SNMPv3 insert settings here
     - Place a check next to the Discovery Member and click Edit
     - Click Seed and then click the + button to add a seed router (maybe it's the default router for the site)
     - Place a check next to the Discovery Member and click the Play button to start the discovery. "You are about to start the Discovery service for the selected members. Are you sure you want to proceed?" click Yes
     - Click the Refresh button at the bottom until the Service Status is green
     - Now go to Data Management – IPAM and place a checkmark next to a subnet or container and click edit
     - On the left, find Discovery and click on it
     - Click Enable Discovery and select the Discovery Member and select your Polling Options if you want to override the Grid set Polling Options and click Save & Close.

     How do you know it's working? Click Data Management – Devices and you'll start seeing this populate with discovered data. For each device that is discovered with SNMP credentials, you'll see Interfaces, Networks, IP Addresses, Assets (all this data will automatically be associated with IPAM records).. so typically Data Management – Devices will show mainly discovered switches.
  22. I get the request all the time from other teams or application owners or security or someone that needs a large export from Infoblox. If it's as simple as a domain, you browse to the domain and click export to CSV, but if it's multiple domains, sub-domains, networks, etc.. that's more difficult. In this example I had to export all our dns domains and records.

     - Data Management - IPAM
     - On the right in the toolbar click on CSV Job Manager
     - Click the CSV Export on the left
     - Click the boxes of the items you want in your CSV Export and uncheck the crap you don't want
     - Click Export Data at the bottom and let it go. You can click Close in the bottom left (Cancel turns into Close when the Export is running).
     - You can come back to the CSV Export and you'll see completed or failed exports, and you can download the results by clicking what is shown below
23. Ran into an issue: a security audit being performed found that our NetMRI appliance has TFTP open, and that's just no good, so here is how you disable (block) TFTP, since there is no way to turn off TFTP in NetMRI.

The attached diagnostics allow you to update the NetMRI appliance IP Tables (firewall) configuration to Reject and Accept TFTP traffic. The diagnostics can be applied using the "diag <filename.gpg>" command from the NetMRI admin shell.

EXAMPLE:

    EGserver001> diag IPTables-REJECT-TFTP.gpg
    +++ Processing Diagnostic File IPTables-REJECT-TFTP.gpg
    +++ Checking Digital Signature
    +++ Unpacking Diagnostic Directory
    -------------------------------------------------------------------------
    DESCRIPTION: IPTables-REJECT-TFTP
    This diagnostic will change the TFTP PORT (port 69) from ACCEPT to REJECT
    IPTABLES will then be reloaded
    -------------------------------------------------------------------------
    Do you want to execute this script? (n|y): y
    +++ Executing Diagnostic Script
    Legacy library ctime.pl will be removed from the Perl core distribution in the next major release. Please install it from the CPAN distribution Perl4::CoreLibs. It is being used at COMMON.pm, line 3.
    Legacy library ctime.pl will be removed from the Perl core distribution in the next major release. Please install it from the CPAN distribution Perl4::CoreLibs. It is being used at COMMON.pm, line 3.
    +++ Loading Server Configuration
    Version : 7.4.5.99860
    SerialNo: 4850201603100009
    Network : EventGuyZ
    *** Creating a backup of exiting IPTABLES Contents ***
    *** Modifying IPTABLES Contents ***
    patching file iptables
    Hunk #1 succeeded at 38 (offset -14 lines).
    *** Reloading IPTABLES Chains ***
    Redirecting to /bin/systemctl restart iptables.service
    *** Successfully modified IPTABLES and Reloaded IPTABLES Chains ***
    EGserver001>

Attached: IPTables-ACCEPT-TFTP.gpg, IPTables-REJECT-TFTP.gpg
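Added check, not part of the post or of the NetMRI diagnostic: once the REJECT diagnostic has run, confirm the result from another host the way the auditor would. The probe below sends a real TFTP read request (RFC 1350 RRQ) to UDP/69 and classifies what comes back. Any DATA, ERROR or OACK packet means a TFTP daemon still answers (an ERROR "file not found" is still an open port); an ICMP unreachable, which is what an iptables REJECT generates, comes back as "rejected"; silence means DROP or a filter in the path. Two sockets are needed because a TFTP server replies from a fresh source port (its transfer ID), which a connected UDP socket would discard, while Linux only reports ICMP errors on connected UDP sockets. The target host and the file name "probe.txt" are placeholders.

```python
"""Probe whether UDP/69 (TFTP) on a host is open, rejected or dropped."""
import errno
import socket
import struct
import sys

TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}
RRQ, DATA, ERROR = 1, 3, 5


def build_rrq(filename, mode="octet"):
    """RFC 1350 read request: 2-byte opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_reply(data):
    """Return (opcode name, detail): block number for DATA, (code, message) for ERROR."""
    if len(data) < 4:
        return "MALFORMED", None
    opcode = struct.unpack("!H", data[:2])[0]
    name = TFTP_OPCODES.get(opcode, "UNKNOWN")
    if opcode == ERROR:
        code = struct.unpack("!H", data[2:4])[0]
        msg = data[4:].split(b"\0", 1)[0].decode(errors="replace")
        return name, (code, msg)
    if opcode == DATA:
        return name, struct.unpack("!H", data[2:4])[0]
    return name, None


def classify(reply=None, exc=None):
    """Map a reply packet, or the error the kernel raised, to a verdict string."""
    if exc is not None:
        if isinstance(exc, (socket.timeout, TimeoutError)):
            return "filtered"            # no reply and no ICMP: DROP, or a firewall in the path
        # ECONNREFUSED = icmp-port-unreachable (iptables REJECT default);
        # EHOSTUNREACH = icmp-host-prohibited (the CentOS-style REJECT rule).
        if isinstance(exc, ConnectionRefusedError) or \
                getattr(exc, "errno", None) in (errno.ECONNREFUSED, errno.EHOSTUNREACH):
            return "rejected"
        return f"error: {exc}"
    name, _ = parse_reply(reply)
    return "open" if name in ("DATA", "ERROR", "OACK") else "unknown"


def probe_tftp(host, port=69, filename="probe.txt", timeout=2.0):
    rrq = build_rrq(filename)
    # Step 1: unconnected socket, so the reply from the server's new transfer-ID port is accepted.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(rrq, (host, port))
        reply, _peer = s.recvfrom(516)          # a full DATA block is 4 + 512 bytes
        return classify(reply=reply)
    except socket.timeout:
        pass                                     # nobody answered: now tell REJECT from DROP
    except OSError as exc:
        return classify(exc=exc)
    finally:
        s.close()
    # Step 2: connected socket, the only kind on which Linux delivers ICMP unreachable errors.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(rrq)
        return classify(reply=s.recv(516))
    except OSError as exc:                       # timeout is an OSError too
        return classify(exc=exc)
    finally:
        s.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder target
    print(f"{target}: tftp {probe_tftp(target)}")
```

Run it as `python3 tftp_probe.py <netmri-ip>` before and after applying the diagnostic; the expected transition is "open" to "rejected". If it reports "filtered", something other than the appliance's own REJECT rule is absorbing the packets.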
24. Here are some examples.

Create a network

To create networks, use a POST request:

    curl -k1 -u admin:testpw -X POST https://192.168.1.2/wapi/v2.11.2/network \
      -d network=10.1.0.0/16

The server returns a reference of the created network:

    "network/ZG5zLm5ldHdvcmskMTAuMS4wLjAvMTYvMA:10.1.0.0%2F16"

To create another network, send another POST request:

    curl -k1 -u admin:testpw -X POST https://192.168.1.2/wapi/v2.11.2/network \
      -d network=10.2.0.0/16

Read a network

To verify that both networks have been created, send a GET request:

    curl -k1 -u admin:testpw -X GET https://192.168.1.2/wapi/v2.11.2/network

The server returns a list with both networks:

    [
      {
        "_ref": "network/ZG5zLm5ldHdvcmskMTAuMS4wLjAvMTYvMA:10.1.0.0%2F16",
        "network": "10.1.0.0/16",
        "network_view": "default"
      },
      {
        "_ref": "network/ZG5zLm5ldHdvcmskMTAuMi4wLjAvMTYvMA:10.2.0.0%2F16",
        "network": "10.2.0.0/16",
        "network_view": "default"
      }
    ]

Note that the returned references could be different in your installation. The sample code uses references returned in the above example. Depending on your installation, make sure that you use the references your server returns.

Modify a network

To modify a network, send a PUT request. Send the following to modify its comment:

    curl -k1 -u admin:testpw -X PUT \
      https://192.168.1.2/wapi/v2.11.2/network/ZG5zLm5ldHdvcmskMTAuMS4wLjAvMTYvMA:10.1.0.0%2F16 \
      -d comment='Sample comment'

The server still returns the network reference. Note that this could be different from before:

    "network/ZG5zLm5ldHdvcmskMTAuMS4wLjAvMTYvMA:10.1.0.0%2F16"

Check that the network was modified. Since comment is not a field that is returned by default, add _return_fields to the GET request:

    curl -k1 -u admin:testpw -X GET https://192.168.1.2/wapi/v2.11.2/network \
      -d _return_fields=network,network_view,comment

Note that the 10.1.0.0/16 network has been modified:

    [
      {
        "_ref": "network/ZG5zLm5ldHdvcmskMTAuMS4wLjAvMTYvMA:10.1.0.0%2F16",
        "comment": "Sample comment",
        "network": "10.1.0.0/16",
        "network_view": "default"
      },
      {
        "_ref": "network/ZG5zLm5ldHdvcmskMTAuMi4wLjAvMTYvMA:10.2.0.0%2F16",
        "network": "10.2.0.0/16",
        "network_view": "default"
      }
    ]

Search for a network

To find networks with comments that contain the word sample in a case-insensitive way:

    curl -k1 -u admin:testpw -X GET https://192.168.1.2/wapi/v2.11.2/network \
      -d comment~:=sample

The server returns the network we just modified:

    [
      {
        "_ref": "network/ZG5zLm5ldHdvcmskMTAuMS4wLjAvMTYvMA:10.1.0.0%2F16",
        "comment": "Sample comment",
        "network": "10.1.0.0/16",
        "network_view": "default"
      }
    ]

If there is no match, the server returns an empty list:

    curl -k1 -u admin:testpw -X GET https://192.168.1.2/wapi/v2.11.2/network \
      -d comment~:=nomatch

The server returns the following:

    []

Delete a network

To delete a network, send a DELETE request using a reference you have retrieved by searching.
For example, to delete the networks we created above, send the following:

    curl -k1 -u admin:testpw -X DELETE \
      https://192.168.1.2/wapi/v2.11.2/network/ZG5zLm5ldHdvcmskMTAuMS4wLjAvMTYvMA:10.1.0.0%2F16

The server returns the reference of the object it just deleted, if the deletion was successful:

    "network/ZG5zLm5ldHdvcmskMTAuMS4wLjAvMTYvMA:10.1.0.0%2F16"

To delete the other network, send the following:

    curl -k1 -u admin:testpw -X DELETE \
      https://192.168.1.2/wapi/v2.11.2/network/ZG5zLm5ldHdvcmskMTAuMi4wLjAvMTYvMA:10.2.0.0%2F16

Note that both networks have been removed:

    curl -k1 -u admin:testpw -X GET https://192.168.1.2/wapi/v2.11.2/network

The server returns the following:

    []

Here are more examples:

Using WAPI with the Python "requests" module to search

We are going to start off looking for all "networks" in Infoblox via WAPI. To do this, we will use the path "/wapi/v2.10/network". You can find more information about the Infoblox WAPI at https://docs.infoblox.com. The Infoblox API gives you many ways to search for data. In this article I will cover the following:
- network
- host

We are going to start with looking for a network. Say I want to know if we have the network "10.10.0.0/24". Let's create a file named "get_network.py" and paste the code below into it:

WAPI Searching for a Network

    import requests
    import json

    requests.packages.urllib3.disable_warnings()

    url = "https://gm/wapi/v2.7/network?network=10.10.0.0/24"
    gm_user = 'admin'
    gm_pwd = 'infoblox'

    # verify=False skips certificate checking; point verify at your CA bundle in production
    response = requests.get(url, verify=False, auth=(gm_user, gm_pwd))
    networks = json.loads(response.text)
    print(networks)

NOTES:
https://gm - should be your Grid Master DNS name
gm_user = 'admin' - should be your username
gm_pwd = 'infoblox' - should be your user password

The above code is going to use the URI "/network" with "=" to "10.10.0.0/24", which is the network we are looking for in Infoblox. (Just in case you are looking for an IPv6 network, you will need to use /ipv6network instead of /network.)

We are going to take a look at the output:

    [{
      '_ref': 'network/ZG5zLm5ldHdvcmskMTAuMTAuMC4wLzI0LzA:10.10.0.0/24/default',
      'network': '10.10.0.0/24',
      'network_view': 'default'
    }]

If you look at the above, you are only getting the default objects. "_ref" is one of the most important keys returned, as you need it if you want to "Update" the object with Comments, EAs, a DHCP Scope, etc. Since, for now, we want to just display the "network" address that we searched for, let's update "get_network.py" with the following code:

    import requests
    import json

    requests.packages.urllib3.disable_warnings()

    url = "https://gm/wapi/v2.7/network?network=10.10.0.0/24"
    gm_user = 'admin'
    gm_pwd = 'infoblox'

    response = requests.get(url, verify=False, auth=(gm_user, gm_pwd))
    networks = json.loads(response.text)
    print(networks[0]['network'])

The reason for the last line above ("networks[0]['network']") is that the Infoblox WAPI returns an "array". So, in order to print the network value, we have to use "networks[0]['network']" for the first object in the "networks" array that JSON returns.

    python get_network.py
    10.10.0.0/24

WAPI Searching for a Host

Let's say you know the hostname for an object, but not the IP address. Now we are going to use 'record:host' for this search, which will be very similar to the API call above. Let's get started.

Host

A host record defines attributes for a node, such as the name-to-address and address-to-name mapping. This alleviates having to specify an A record and a PTR record separately for the same node. A host can also define aliases and DHCP fixed address nodes. The zone must be created first before adding a host record for the zone.

We are going to search for my 'Grid Master', which has the 'host' name of 'gm.lab.local'.
Let's follow the code below:

    import requests
    import json

    requests.packages.urllib3.disable_warnings()

    url = "https://gm/wapi/v2.7/record:host?name=gm.lab.local"
    gm_user = 'admin'
    gm_pwd = 'infoblox'

    response = requests.get(url, verify=False, auth=(gm_user, gm_pwd))
    hosts = json.loads(response.text)
    print(response.text)

Now let's take a look at the output:

    [
      {
        "_ref": "record:host/ZG5zLmhvc3QkLl9kZWZhdWx0LmxvY2FsLmxhYi5nbQ:gm.lab.local/default",
        "ipv4addrs": [
          {
            "_ref": "record:host_ipv4addr/ZG5zLmhvc3RfYWRkcmVzcyQuX2RlZmF1bHQubG9jYWwubGFiLmdtLjE5Mi4xNjguMC4yMDAu:192.168.0.200/gm.lab.local/default",
            "configure_for_dhcp": false,
            "host": "gm.lab.local",
            "ipv4addr": "192.168.0.200"
          }
        ],
        "name": "gm.lab.local",
        "view": "default"
      }
    ]

That's a lot of stuff to process, so let's break it down. You get back a list with an array of 'ipv4addrs', so we can see the ipv4addr associated with the host name. If we just want to print the hostname and IP address, we have to create a foreach loop. Let's modify 'get_host.py' to do just that:

    import requests
    import json

    requests.packages.urllib3.disable_warnings()

    url = "https://gm/wapi/v2.7/record:host?name=gm.lab.local"
    gm_user = 'admin'
    gm_pwd = 'infoblox'

    response = requests.get(url, verify=False, auth=(gm_user, gm_pwd))
    hosts = json.loads(response.text)
    for host in hosts:
        for ip in host['ipv4addrs']:
            print(f"{ip['host']} IP address is {ip['ipv4addr']}")

Here is what the output looks like:

    python get_host.py
    gm.lab.local IP address is 192.168.0.200

Infoblox Client searching for a "network"

Now we are going to look for the same network as above (10.10.0.0/24) using the Python module "infoblox-client".
We are going to create a new script called "get_network_client.py" with the following:

    from infoblox_client import objects
    from infoblox_client import connector
    import urllib3

    urllib3.disable_warnings()

    opts = {'host': '192.168.0.200', 'username': 'admin', 'password': 'infoblox'}
    conn = connector.Connector(opts)
    networks = conn.get_object('network', {'network': '10.10.0.0/24', 'network_view': 'default'})
    print(networks)

Let's run the above and take a look at the results:

    python3 get_network_client.py
    [{'_ref': 'network/ZG5zLm5ldHdvcmskMTAuMTAuMC4wLzI0LzA:10.10.0.0/24/default', 'comment': 'Testing Lab', 'network': '10.10.0.0/24', 'network_view': 'default'}]

Of course, that's not formatted in a way that's easy to read, so just like our last blog post, we are going to loop over the information and print out just the network "10.10.0.0/24". Let's modify "get_network_client.py" as below, removing the raw "print" statement for the array and adding a "for" loop to print out just the network(s):

    from infoblox_client import objects
    from infoblox_client import connector
    import urllib3

    urllib3.disable_warnings()

    opts = {'host': '192.168.0.200', 'username': 'admin', 'password': 'infoblox'}
    conn = connector.Connector(opts)
    networks = conn.get_object('network', {'network': '10.10.0.0/24', 'network_view': 'default'})
    for network in networks:
        print(network['network'])

Let's take a look at the results:

    python3 get_network_client.py
    10.10.0.0/24

As you can see above, we just print out the network, but let's say we also wanted to print the "Network View" as well. To do so, you can simply add "network['network_view']" next to "network['network']" in the print statement within the "for" loop.

Infoblox_client Searching for a Host

For this example, we are going to search for "gm.lab.local" using the infoblox_client module. Just like the WAPI example, let's create a new file called "get_host_client.py":

    from infoblox_client import objects
    from infoblox_client import connector
    import urllib3

    urllib3.disable_warnings()

    opts = {'host': '192.168.0.200', 'username': 'admin', 'password': 'infoblox'}
    conn = connector.Connector(opts)
    hosts = conn.get_object('record:host', {'name': 'gm.lab.local'})
    print(hosts)

Let's run the script and look at the output:

    python3 get_host_client.py
    [{'_ref': 'record:host/ZG5zLmhvc3QkLl9kZWZhdWx0LmxvY2FsLmxhYi5nbQ:gm.lab.local/default', 'ipv4addrs': [{'_ref': 'record:host_ipv4addr/ZG5zLmhvc3RfYWRkcmVzcyQuX2RlZmF1bHQubG9jYWwubGFiLmdtLjE5Mi4xNjguMC4yMDAu:192.168.0.200/gm.lab.local/default', 'configure_for_dhcp': False, 'host': 'gm.lab.local', 'ipv4addr': '192.168.0.200'}], 'name': 'gm.lab.local', 'view': 'default'}]

Ok, so let's clean up the output and print just the name and the IP address. We are going to use very similar code to our WAPI example:

    from infoblox_client import objects
    from infoblox_client import connector
    import urllib3

    urllib3.disable_warnings()

    opts = {'host': '192.168.0.200', 'username': 'admin', 'password': 'infoblox'}
    conn = connector.Connector(opts)
    hosts = conn.get_object('record:host', {'name': 'gm.lab.local'})
    for host in hosts:
        for ip in host['ipv4addrs']:
            print(f"{ip['host']} IP address is {ip['ipv4addr']}")

WOW! If you think that most of that code looks exactly like the WAPI code, with the "for" loop, that's because the "infoblox-client" and WAPI calls return the exact same JSON data.

    python3 get_host_client.py
    gm.lab.local IP address is 192.168.0.200

Exactly the same output as the WAPI version.
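Added example, not from the Infoblox docs, the blog excerpt above or the infoblox-client project: the same create / read / modify / search / delete sequence as the curl session, written as one small client, plus two things the snippets above skip. First, the Grid Master's certificate is verified against a CA bundle instead of being bypassed with curl -k or verify=False. Second, search() uses WAPI paging (_paging=1 with _return_as_object=1 and _max_results, then _page_id for the following pages), so a large pull like the one in post 22 comes back complete instead of stopping at the default result limit. Only the standard library is used. The WapiClient name, the transport hook (there so the request logic can be exercised without a Grid Master) and the 192.168.1.2 / admin / testpw / CA-bundle values are placeholders.

```python
"""Small Infoblox WAPI client: verified TLS, _ref-driven updates, paged searches."""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request


class WapiClient:
    def __init__(self, base_url, user, password, cafile=None, version="v2.11.2",
                 transport=None):
        self.base = f"{base_url.rstrip('/')}/wapi/{version}/"
        creds = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.auth = f"Basic {creds}"
        # Verify the Grid Master's certificate against cafile (your internal CA bundle)
        # instead of curl -k / verify=False; cafile=None falls back to the system store.
        self.ctx = ssl.create_default_context(cafile=cafile)
        # transport(method, url, body_or_None) -> (status, parsed_json). Injectable
        # so the request building and paging logic can be tested offline.
        self.transport = transport or self._http

    def _http(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", self.auth)
        req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"null")

    def _call(self, method, path, params=None, body=None):
        url = self.base + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        status, payload = self.transport(method, url, body)
        if status >= 400:
            # WAPI error bodies carry Error / code / text; surface them rather than
            # carrying on with a half-applied change.
            raise RuntimeError(f"WAPI {method} {path} -> {status}: {payload}")
        return payload

    def create(self, obj_type, **fields):
        """POST returns the new object's _ref; keep it for later PUT / DELETE."""
        return self._call("POST", obj_type, body=fields)

    def update(self, ref, **fields):
        """PUT against the _ref the server gave us, never a hand-built one."""
        return self._call("PUT", ref, body=fields)

    def delete(self, ref):
        return self._call("DELETE", ref)

    def search(self, obj_type, filters=None, return_fields=None, page_size=1000):
        """Return every match. With _paging=1 and _return_as_object=1 the server answers
        {'result': [...], 'next_page_id': ...}; follow-up requests carry only _page_id.
        Filters use the WAPI operators verbatim, e.g. {'comment~:': 'sample'}."""
        params = dict(filters or {})
        params.update({"_paging": 1, "_return_as_object": 1, "_max_results": page_size})
        if return_fields:
            params["_return_fields"] = ",".join(return_fields)
        results = []
        while True:
            page = self._call("GET", obj_type, params=params)
            results.extend(page["result"])
            if "next_page_id" not in page:
                return results
            params = {"_page_id": page["next_page_id"]}


if __name__ == "__main__":
    # Placeholders: your Grid Master, an API user, and the CA that signed its certificate.
    gm = WapiClient("https://192.168.1.2", "admin", "testpw", cafile="/etc/pki/infoblox-ca.pem")
    ref = gm.create("network", network="10.1.0.0/16", comment="Sample comment")
    print("created", ref)
    gm.update(ref, comment="Sample comment (edited)")
    for net in gm.search("network", filters={"comment~:": "sample"},
                         return_fields=["network", "network_view", "comment"]):
        print(net["network"], net.get("comment"))
    print("deleted", gm.delete(ref))
```

The filter and return-field names are exactly the ones the curl examples use; only the transport around them changes. A failed call raises with the server's error text instead of returning an empty list that looks like "no match".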
25. dnspython provides a detailed interface into DNS. In its simplest form, it's possible to perform queries in only a couple of lines of code. Here's a commented example:

    import dns.resolver                                  # import the module
    myResolver = dns.resolver.Resolver()                 # create a new instance named 'myResolver'
    # query() works on dnspython 1.x and 2.x; 2.x also offers resolve() and marks query() deprecated
    myAnswers = myResolver.query("google.com", "A")      # look up the 'A' record(s) for google.com
    for rdata in myAnswers:                              # for each response
        print(rdata)                                     # print the data

The results in my case are:

    173.194.125.3
    173.194.125.7
    173.194.125.4
    173.194.125.8
    173.194.125.9
    173.194.125.5
    173.194.125.2
    173.194.125.0
    173.194.125.6
    173.194.125.1
    173.194.125.14

In the same way, we can perform MX and NS queries with:

    myAnswers = myResolver.query("google.com", "MX")

and

    myAnswers = myResolver.query("google.com", "NS")

We can easily look up TXT records, which will contain SPF records for a domain if present:

    myAnswers = myResolver.query("iodigitalsec.com", "TXT")

Which results in:

    "v=spf1 mx a ptr ip4:148.251.196.144/28 ip4:85.10.227.160/28 ip4:85.10.227.160/28 ~all"

These are some of the more common types; however, DNS is an expansive protocol and further information on query types can be found here.

When it comes to reverse DNS (IP to hostname), it's not as simple as performing an A record lookup on the IP address. We need to perform a PTR lookup instead, but not just on the IP address. The IP needs to be reversed and have ".in-addr.arpa" appended to it. To resolve the IP 173.194.125.3 to a hostname, we use the code:

    myAnswers = myResolver.query("3.125.194.173.in-addr.arpa", "PTR")

We can handle the crafting of the request programmatically as follows:

    ip = "173.194.125.3"
    req = '.'.join(reversed(ip.split("."))) + ".in-addr.arpa"   # octets reversed, then the reverse zone
    myAnswers = myResolver.query(req, "PTR")

The DNS resolver also gives us the option of specifying our own nameservers.
This can be achieved by using:

    myResolver = dns.resolver.Resolver()
    myResolver.nameservers = ['8.8.8.8', '8.8.4.4']

Including an error catch, we can put the whole thing together with:

    import dns.exception
    import dns.resolver

    myResolver = dns.resolver.Resolver()
    myResolver.nameservers = ['8.8.8.8', '8.8.4.4']
    try:
        myAnswers = myResolver.query("google.com", "A")
        for rdata in myAnswers:
            print(rdata)
    except dns.exception.DNSException as exc:   # NXDOMAIN, NoAnswer, Timeout, NoNameservers all derive from this
        print("Query failed:", exc)

Now try and put together an application that performs command line DNS queries, i.e.:

    ./pydnslookup.py A google.com
    ./pydnslookup.py MX msn.com
    ./pydnslookup.py PTR 8.8.8.8
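Here is one answer to that exercise, added here and not from the post: a pydnslookup.py that takes the record type and name from the command line, builds the PTR name itself for both IPv4 and IPv6 addresses with the standard library (so "PTR 8.8.8.8" and "PTR 2001:4860:4860::8888" both work, which goes a step beyond the in-addr.arpa-only code above), lets you pick nameservers with --ns, and reports NXDOMAIN, no-answer, timeout and no-nameservers separately instead of one catch-all "Query failed". It assumes dnspython is installed; resolve() is used when present (dnspython 2.x) and query() otherwise (1.x, e.g. the python36-dns package).

```python
"""pydnslookup.py: TYPE NAME [--ns SERVER ...]"""
import argparse
import ipaddress
import sys


def reverse_name(address):
    """PTR query name for an IPv4 or IPv6 address.
    173.194.125.3 -> 3.125.194.173.in-addr.arpa; IPv6 -> nibble-reversed ...ip6.arpa."""
    return ipaddress.ip_address(address).reverse_pointer


def query_name(rtype, target):
    """For PTR the command line carries a literal IP; every other type carries a name."""
    return reverse_name(target) if rtype.upper() == "PTR" else target


def lookup(rtype, target, nameservers=None, timeout=3.0):
    """Return (status, [record strings]). status is 'ok', 'nxdomain', 'noanswer',
    'nonameservers', 'timeout' or 'error: ...'; failures are returned, never raised."""
    import dns.exception          # imported here so the pure helpers above run without dnspython
    import dns.resolver
    resolver = dns.resolver.Resolver()
    if nameservers:
        resolver.nameservers = list(nameservers)
    resolver.lifetime = timeout   # total time allowed for the whole query, including retries
    # dnspython >= 2.0 has resolve(); 1.x only has query()
    run = getattr(resolver, "resolve", None) or resolver.query
    try:
        answers = run(query_name(rtype, target), rtype.upper())
        return "ok", [rdata.to_text() for rdata in answers]
    except dns.resolver.NXDOMAIN:
        return "nxdomain", []          # the name does not exist at all
    except dns.resolver.NoAnswer:
        return "noanswer", []          # the name exists but has no record of this type
    except dns.resolver.NoNameservers:
        return "nonameservers", []     # every server failed or refused (e.g. REFUSED, SERVFAIL)
    except dns.exception.Timeout:
        return "timeout", []
    except dns.exception.DNSException as exc:
        return f"error: {exc}", []


def main(argv=None):
    parser = argparse.ArgumentParser(description="command line DNS lookup built on dnspython")
    parser.add_argument("rtype", help="record type: A, AAAA, MX, NS, TXT, PTR, ...")
    parser.add_argument("target", help="name to look up, or an IP address for PTR")
    parser.add_argument("--ns", nargs="*", metavar="SERVER",
                        help="nameserver IPs to use instead of the system resolver's")
    args = parser.parse_args(argv)
    status, records = lookup(args.rtype, args.target, nameservers=args.ns)
    for rec in records:
        print(rec)
    if status != "ok":
        print(f"{args.rtype.upper()} {args.target}: {status}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Usage follows the exercise exactly: `./pydnslookup.py A google.com`, `./pydnslookup.py MX msn.com`, `./pydnslookup.py PTR 8.8.8.8`, optionally with `--ns 8.8.8.8 8.8.4.4`. The non-zero exit status on anything but "ok" makes it usable from shell scripts.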
26. Many, many people/apps still rely on short names (hostname1) instead of the FQDN (hostname1.thezah.com). Obviously DNS doesn't know what to do with hostname1, so on Linux it will look in one of two places for a search suffix (what to append to the end of that short name):

/etc/resolv.conf

    # internal dns servers
    nameserver 1.2.3.4
    nameserver 4.3.2.1
    search thezah.com sub.thezah.com eventguyz.com sub.eventguyz.com

OR it can be done at the interface level in /etc/network/interfaces, since /etc/resolv.conf gets overridden:

    auto eth0
    iface eth0 inet static
        address 10.11.12.50
        netmask 255.255.255.0
        gateway 10.11.12.1
        dns-nameservers 1.2.3.4 4.3.2.1
        dns-search thezah.com sub.thezah.com eventguyz.com sub.eventguyz.com

So now when you query hostname1 it will try hostname1.thezah.com, then hostname1.sub.thezah.com, and so on. (Always start with the more current domain on the left and work towards older, less common domains it could be in on the right.)