The software-based DNS acceleration feature supports IB-FLEX and non-IB-FLEX (IB-2215, IB-2225, IB-V2215, IB-V2225, IB-4015, IB-4025, IB-V4015, and IB-V4025) platforms. When you enable the virtual DNS cache acceleration feature on IB-FLEX and non-IB-FLEX appliances, it acts as a high-speed DNS caching-only name server. This feature provides DNS cache acceleration support for recursive UDP DNS queries.

...

| Features | IB-FLEX | IB-2215, IB-2225, IB-v2215, IB-v2225, IB-4015, IB-4025, IB-v4015, IB-v4025 |
| --- | --- | --- |
| Tiered licensing | Licensing is based on the Flex Grid Activation license on the Grid. Note that the queries per second are limited by the number of CPUs for IB-FLEX. | IB-40x5 appliances support four tiers of DNS QPS and the QPS levels are enforced by rate limiting. |
| RPZ | Yes, the maximum cache lifetime for DNS cache acceleration is set to 300 seconds if RPZ zones are configured for the member. | Yes, the maximum cache lifetime for DNS cache acceleration is set to 300 seconds if the RPZ license is installed. |
| Caching (A, AAAA, MX, CNAME, PTR) | Yes | Yes |
| Do not cache (EDNS, TCP, Any, TSIG) | Yes | Yes |
| Caching over additional interfaces (v4, v6) | Yes | Yes |
| Dump Acceleration Cache (CLI, GUI, PAPI) | Yes | Yes |
| Clear Acceleration Cache (CLI, GUI, PAPI) | Yes | Yes |
| Cache pre-fetch and cache refresh | Yes | Yes |
| ACLs (Allow-queries/Responses, Match-Clients/Destination, Blackhole) | Yes | Yes |
| AAAA Filtering (Bypassed but support configuring) | Yes | Yes |
| Fixed RRSET ordering | Yes | Yes |
| DNS64 | Yes | Yes |
| DNS monitoring feature (netmon) | Yes | Yes |
| DNS Query logging (BIND only) | Yes | Yes |
| DNS Views | Yes, it supports up to six DNS views. | Yes, it supports up to six DNS views. |
| Forward/Stub zones | Yes | Yes |
| Unbound as DNS resolver | Yes, unbound is supported through the Flex Grid Activation license. | Yes, unbound is supported if the Dual Engine DNS license is installed. |
| DNS cache acceleration related restrictions for configuration | Yes, for NIOS version 8.2.0, restrictions are enforced based on whether the DNS cache acceleration feature is enabled or disabled. | No |
| Reporting | Yes. For more information about reports for IB-FLEX, see About IB-FLEX. | Yes |
| VLAN | Yes | Yes |
| DSCP | No, Infoblox does not support DSCP for virtual appliances. | Infoblox does not support DSCP for physical or virtual appliances only if DCA is enabled. |
| Sort list | Yes | Yes |
| Anycast (OSPF and BGP) | Yes | Yes |
| BFD (Bidirectional Forwarding Detection) | Yes | Supported on all appliances |
| HA Support | Yes, only for non-SRIOV. | Yes |
| NIC Bonding | Yes | Yes |
| Multiple-Interfaces on the same subnet | No | No |
| IP Rate-limit and Response logging | No | No |
| EDNS Client Subnet support | No | No |
| NXDomain-redirection | Yes | Yes |
| DNSSEC (Bypassed but support configuring) | Yes | Yes |
| Debug enhancements | Yes | Yes |
| SNMP Support for DCA service-related traps | Yes | Yes |
| SNMP stats support for DNS QPS and CHR | Yes | Yes |
| NX Mitigation | No | No |
| NetFilter (Tracking tables) | No | Not supported on any appliance |
| Traffic-capture (All modes) | Yes, there is partial support. Note that tcpdump captures both queries and responses. | Yes, there is partial support. Note that tcpdump captures both queries and responses. |
| No flush-mode support for DNS cache acceleration cache | Yes | Yes |
| Per-interface UDP DNS cache acceleration response counters | Yes | Yes |
| CLI commands | You can use the commands set dns-accel and show dns-accel to view and set DNS cache acceleration information. For more information, see CLI Commands. | You can use the commands set dns-accel and show dns-accel to view and set DNS cache acceleration information. For more information, see CLI Commands. |
| DNS Query rewrite (Bypassed but supports configuring) | No | No |
| Threat Protection | Supported on IB-FLEX platforms. Allows enabling Software ADP and DNS cache acceleration simultaneously on IB-FLEX platforms. | Supported on IB-FLEX platforms. Allows enabling Software ADP and DNS cache acceleration simultaneously. |
| Subscriber Secure Policy | Yes | Yes |

...

Note

By default, all malformed packets are dropped early when the accelerated threat protection service is enabled.

Viewing Accelerated Cache Details

When you view cached contents of the DNS accelerator through the Grid Manager, there might be a slight impact on the DNS query performance of the selected member.

To view accelerated cache from the Grid Manager:

...

When you enable the DNS cache acceleration feature on IB-FLEX, ensure that it has enough CPU and memory to start the service, and that it does not contain any authoritative zones. Note that you cannot start the service if the total CPU is less than 8 cores or if memory is less than 12G. For the mandatory resources required to start the service, see the Total Resource Usage for Different Use Cases table.

If the DNS cache acceleration feature is enabled on a pre-provisioned member and fails to start due to insufficient resources on the member, the DCA status is displayed as failed. If you disable DCA on a member with insufficient resources, the member is not displayed in the DCA -> Members tab.

Note

  • Under certain circumstances, the DNS cache acceleration feature may not function normally when you perform a product restart. This happens due to increased resource allocation on the virtual machine, and the appliance does not log any entries in the syslog. Infoblox recommends that you restart or reboot the system and free up server resources if you encounter this issue.

  • Before enabling DNS Cache Acceleration or ADP on virtual platforms, ensure that the ssse3, sse4_1, and sse4_2 CPU flags are set on the host server. For more information, see https://help.ubuntu.com/lts/serverguide/DPDK.html.en

  • If you see the "/usr/bin/fast-path.sh: error starting /usr/bin/fp-rte. Check logs for details" error message in the infoblox.log file, ensure that the ssse3, sse4_1, and sse4_2 flags are set for the VM.
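
The CPU-flag check from the two notes above, as an added example that is not part of the Infoblox documentation. It assumes a Linux hypervisor host or guest that exposes /proc/cpuinfo and a local copy of infoblox.log; the function names and the sample data are hypothetical.

```shell
#!/bin/sh
# Added example (not Infoblox code): check a Linux host or guest for the CPU
# flags this page requires, and look for the fp-rte start-up error it quotes.
REQUIRED_FLAGS="ssse3 sse4_1 sse4_2"
FP_ERROR="/usr/bin/fast-path.sh: error starting /usr/bin/fp-rte"

# missing_cpu_flags [FILE]: print the required flags that at least one
# processor entry in a /proc/cpuinfo-format FILE lacks. Empty output means
# every processor has all of them; "no-flags-line" means the file has no x86
# "flags" line at all.
missing_cpu_flags() {
    awk -v req="$REQUIRED_FLAGS" '
        /^flags[ \t]*:/ {
            seen = 1
            # Pad with spaces so each flag is matched as a whole word.
            line = " " substr($0, index($0, ":") + 1) " "
            gsub(/\t/, " ", line)
            n = split(req, r, " ")
            for (i = 1; i <= n; i++)
                if (!index(line, " " r[i] " "))
                    miss[r[i]] = 1
        }
        END {
            if (!seen) { print "no-flags-line"; exit }
            n = split(req, r, " ")
            for (i = 1; i <= n; i++)
                if (r[i] in miss) out = out (out == "" ? "" : " ") r[i]
            print out
        }' "${1:-/proc/cpuinfo}"
}

# has_fastpath_error FILE: succeed if FILE (a copy of infoblox.log) contains
# the error text quoted on this page.
has_fastpath_error() {
    grep -qF "$FP_ERROR" "$1"
}

# Constructed sample: a two-vCPU guest whose second vCPU lacks sse4_2.
sample_cpuinfo() {
    printf 'processor\t: 0\nflags\t\t: fpu sse sse2 pni ssse3 sse4_1 sse4_2\n'
    printf 'processor\t: 1\nflags\t\t: fpu sse sse2 pni ssse3 sse4_1\n'
}

tmp=$(mktemp)
sample_cpuinfo > "$tmp"
echo "missing on sample: $(missing_cpu_flags "$tmp")"
rm -f "$tmp"
```

Run `missing_cpu_flags` with no argument to check the machine it runs on.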

...