...

IB-FLEX Flavor | Configuration | Total CPU | Total System Memory in GB (with virtual DNS Cache Acceleration only) | Total System Memory in GB (with virtual DNS Cache Acceleration and virtual Advanced DNS Protection Software) | Maximum Number of Concurrent Sessions Supported | Grid Master Capable
--- | --- | --- | --- | --- | --- | ---
Medium | recursive DNS (with acceleration) | 16 | 64 | 64 | vDCA only: 150,000; vADP only: 60,000; vDCA and vADP: 150,000 | No
Medium-Large | recursive DNS (with acceleration) | 16 | 86 | 86 | vDCA only: 150,000; vADP only: 60,000; vDCA and vADP: 150,000 | No
Large | recursive DNS (with acceleration) | 26 | 100 | 100 | vDCA only: 240,000; vADP only: 80,000; vDCA and vADP: 240,000 | No


Note

When a NIOS appliance does not have the required base memory configuration, if you try to enable and run DNS over TLS, DNS over HTTPS, and Parental Control features simultaneously, all of these features will be disabled.

Supported Cipher Suites

DNS over TLS and DNS over HTTPS features support cipher suites that are supported by TLS 1.2 and TLS 1.3. The cipher suite order preference is configured to improve the throughput in DNS over TLS and DNS over HTTPS communication.

...

  • If an appliance configured with DNS over TLS or DNS over HTTPS has both vDCA and vADP running, the configuration is set to the DCA-first mode.
  • TSIG queries for which responses are larger than the max EDNS/UDP buffer size are not supported.
  • DNS queries coming with EDNS padding over port 53 are dropped.
  • DNS over TLS and DNS over HTTPS features are not supported on unbound-based DNS servers.
  • When DNS over TLS or DNS over HTTPS is enabled, queries decrypted at DNS over TLS or DNS over HTTPS that do not receive a response from the vDCA cache are forwarded to the recursive DNS engine over UDP. Therefore, rules added for TCP requests over TLS or HTTPS may not be honored. Infoblox recommends that you add the corresponding UDP-specific rules instead of only the TCP request rules.
  • For NIOS 8.5.2 only: Infoblox recommends that you manually set the maximum packet size of both the UDP buffer and the EDNS buffer to 4096 bytes. If the packet size exceeds 4096, packets are dropped by the DNS over TLS or the DNS over HTTPS server. For more information about setting buffer sizes, see Configuring the EDNS0 Buffer Size and UDP Buffer Size.
  • DNS over TLS only:
    • The TLS versions that are currently supported by NIOS are TLS 1.2 and TLS 1.3.
    • DNS over TLS supports queries and responses from both DNS and DNS Cache Acceleration services.
    • DNS over TLS is not supported for recursive queries when performing upstream lookups.
    • DNS zone transfer requests over DNS over TLS are not supported.
    • For DNS over TLS clients that use the systemd-resolved service, the Subject Alternative Name (SAN) must point to the IP address of the DNS service. By default, the self-signed certificates issued to Infoblox members do not meet this requirement. Therefore, for Infoblox to support systemd-resolved, you must install certificates from a trusted certificate authority that include the SAN IP address.
  • DNS over HTTPS only:
    • DNS over HTTPS is supported on the HTTP/2 protocol.
    • DNS over HTTPS is supported only if the NIOS appliance has an MGMT interface set up. The DNS over HTTPS module listens on port 443 for interfaces other than MGMT and any incoming UI request to the MGMT interface is bypassed directly to the host.
    • When DNS over HTTPS is enabled on a member, HTTP redirection from the member to its Grid Master is disabled.

...

  • Either the virtual DNS Cache Acceleration (vDCA) or the virtual Advanced DNS Protection Software (vADP) service is enabled.
  • The memory required to support the DNS over TLS feature is available. For more information, see the Base Configuration Requirements section.

Configuring DNS over TLS

...

  1. Grid member: On the Data Management tab, click the DNS tab -> Members tab, select the member checkbox, and then click the Edit icon.
    Standalone system: On the Data Management tab, click the DNS tab, expand the Toolbar, and then click System DNS Properties.
  2. In the Member DNS Properties editor/System DNS Properties editor, click Toggle Advanced Mode if the editor is in basic mode.
  3. On the Queries tab -> Advanced tab, select the Enable DoT Service checkbox to enable the DNS over TLS feature.

    Note

    The options for the DNS over TLS feature are displayed only if the appliance has the memory footprint that is required to support the feature and has the DNS Cache Acceleration or Advanced DNS Protection Software license installed. For more information, see the Base Configuration Requirements section.

  4. In the Maximum Session Timeout field, specify the maximum time in seconds a session can remain idle before it times out and closes. The default value is 60 seconds.
    If your DNS forwarders are located at different geographical locations or if the network latency is high, you may observe session timeouts. If so, Infoblox recommends that you set the Maximum Session Timeout to more than 60 seconds. Increasing the session duration may impact concurrent open sessions.
  5. Save the configuration.
  6. As prompted, manually reboot the member to enable the DNS over TLS feature.

Note

The DNS over TLS feature will not take effect until you reboot the member or the standalone system and ensure that either the DNS Cache Acceleration or Advanced DNS Protection Software service is running after the reboot.

CLI Support for DNS over TLS

You can view the status of the DNS over TLS service, configuration, and details of active sessions using the following commands:

DNS over HTTPS

NIOS appliances that support DNS Cache Acceleration or Advanced DNS Protection Software include the DNS over HTTPS capability, which helps increase DNS security and privacy. When you enable the DNS over HTTPS feature, DNS traffic is encrypted through the HTTPS protocol to prevent eavesdropping on and tampering with DNS data. This feature is supported on both recursive and authoritative DNS servers, only through port 443. It is available only for Grid members and standalone systems. The feature supports the processing of multiple DNS queries and responses over a single TCP session.

...

  • An MGMT interface is set up.
  • The memory required to support the DNS over HTTPS feature is available. For more information, see the Base Configuration Requirements section.
  • Either the virtual DNS Cache Acceleration (vDCA) or the virtual Advanced DNS Protection Software (vADP) service is enabled.

...

  1. Grid member: On the Data Management tab, click the DNS tab -> Members tab, select the member checkbox, and then click the Edit icon.
    Standalone system: On the Data Management tab, click the DNS tab, expand the Toolbar, and then click System DNS Properties.
  2. In the Member DNS Properties editor/System DNS Properties editor, click Toggle Advanced Mode if the editor is in basic mode.
  3. On the Queries tab -> Advanced tab, select the Enable DoH Service checkbox to enable the DNS over HTTPS feature.

    Note

    The options for the DNS over HTTPS feature are displayed only if the appliance has the memory footprint that is required to support the feature and has the DNS Cache Acceleration or Advanced DNS Protection Software license installed. For more information, see the Base Configuration Requirements section.

  4. In the Maximum Session Timeout field, specify the maximum time in seconds a session can remain idle before it times out and closes. The default value is 10 seconds.
    If your DNS forwarders are located at different geographical locations or if the network latency is high, you may observe session timeouts. If so, Infoblox recommends that you set the Maximum Session Timeout to more than 10 seconds. Increasing the session duration may impact concurrent open sessions.
  5. Save the configuration.
  6. As prompted, manually reboot the member to enable the DNS over HTTPS feature.

Note

The DNS over HTTPS feature will not take effect unless you reboot the member or the standalone system and ensure that either the DNS Cache Acceleration or Advanced DNS Protection Software service is running after the reboot.

Configuring DNS over HTTPS in Firefox

...

Note

For a member with the DNS Cache Acceleration service running and the DNS over HTTPS feature enabled, if you use the developer version of the Firefox browser (configured for DNS over HTTPS support) to initiate DNS queries, you must set the network.trr.disable-ECS preference in the configuration editor (about:config) to false for DNS data to be cached. DNS caching does not work if network.trr.disable-ECS is set to true.

CLI Support for DNS over HTTPS

You can view the status of the DNS over HTTPS service, configuration, and details of active sessions using the following commands: