In protected bypass mode, BloxOne Endpoint uses the configured probe FQDN together with a probe token (the value carried in the probe domain's TXT record) to determine that the device is on-prem, and then follows the configured on-prem policies. To verify BloxOne Threat Defense probe responses, BloxOne Endpoint periodically sends DNS queries for a probe domain that is not publicly resolvable to the device's default resolvers, which avoids the possibility of "spoofed" responses. When a domain is not expected to resolve, none of its subdomains resolve either: for instance, if some-domain.com is configured as a probe domain, then mail.some-domain.com also does not resolve.
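The decision an endpoint has to make from a probe response, written out as an added example (this is illustrative code, not Infoblox's BloxOne Endpoint implementation). It assumes the probe is a DNS TXT query for the configured FQDN, that an on-prem resolver answers with the configured token, and that anywhere else the name does not resolve (NXDOMAIN). The FQDN and token values are constructed placeholders; the DNS messages are built inline so the check runs offline.

```python
"""Added example: on-prem detection from a DNS TXT probe response.

Not Infoblox code. Assumed model (from the page's description):
  * the endpoint queries TXT <probe FQDN> via the default resolvers;
  * an on-prem resolver returns the configured probe token;
  * off-prem the probe domain does not resolve (rcode 3, NXDOMAIN).
"""
import hmac
import struct
from typing import List, Optional, Tuple

PROBE_FQDN = "probe.example.internal"    # constructed; the page's default is probe.infoblox.com
PROBE_TOKEN = "constructed-probe-token"  # constructed stand-in for the TXT record value

TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_txt_response(fqdn: str, txt: Optional[str], txn_id: int = 0x1234) -> bytes:
    """Construct a minimal DNS response to a TXT query (test input only).

    txt=None produces an NXDOMAIN (rcode 3) with no answer section, which is
    what the page says an off-prem resolver returns for the probe domain.
    """
    rcode = 0 if txt is not None else 3
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, rcode in low nibble
    ancount = 1 if txt is not None else 0
    header = struct.pack("!HHHHHH", txn_id, flags, 1, ancount, 0, 0)
    question = encode_name(fqdn) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    answer = b""
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode()  # TXT rdata: one <len><chars> string
        # name pointer 0xC00C refers back to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + question + answer


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a DNS name (labels or a compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                    # compression pointer: two bytes
            return off + 2
        off += 1 + n


def parse_txt_response(msg: bytes) -> Tuple[int, List[str]]:
    """Return (rcode, TXT strings) from a DNS response message."""
    _txn_id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4           # skip qtype + qclass
    txts: List[str] = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:
            p = 0
            while p < len(rdata):
                n = rdata[p]
                txts.append(rdata[p + 1:p + 1 + n].decode())
                p += 1 + n
    return rcode, txts


def is_on_prem(response: bytes, expected_token: str) -> bool:
    """True only for a successful response carrying the expected probe token.

    NXDOMAIN (or any non-zero rcode) means the probe domain did not resolve,
    so the device is treated as off-prem and the normal policy applies.
    A resolving answer with a different TXT value is also rejected, so a
    resolver that merely answers something does not grant bypass.
    """
    rcode, txts = parse_txt_response(response)
    if rcode != 0:
        return False
    expected = expected_token.encode()
    return any(hmac.compare_digest(t.encode(), expected) for t in txts)


if __name__ == "__main__":
    print("on-prem :", is_on_prem(build_txt_response(PROBE_FQDN, PROBE_TOKEN), PROBE_TOKEN))
    print("off-prem:", is_on_prem(build_txt_response(PROBE_FQDN, None), PROBE_TOKEN))
```

The token comparison uses a constant-time compare and the NXDOMAIN branch falls back to the protected (off-prem) policy, which is the safe default: a probe that fails for any reason should never unlock bypass. This is also why the page recommends a custom domain and a random TXT value rather than the published defaults.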

...

Manual mode is intended for specific environments (NIOS) where DFP is not in use in the network, or where DFP already exists elsewhere in the network and the predefined probe domain and response are to be replaced by a custom configuration.

Enabling Probe Requests by Adding Protected Bypass Mode to a BloxOne Endpoint Group

When applying security policies to multiple BloxOne Endpoint devices, you can make the process more efficient by organizing the endpoint devices into BloxOne Endpoint groups and then adding the groups to the network scope when you create a security policy. Note that BloxOne comes with a default endpoint group called All BloxOne Endpoints (default) that is associated with the default global policy. You cannot modify or remove the default endpoint group.

...

  1. From the Cloud Services Portal, click Manage > Endpoints.
  2. On the Endpoints page, select the Endpoint Groups tab, and then click the Add button. Do note that at least one BloxOne Endpoint must be added to the configuration prior to configuring and enabling protected bypass mode.

  3. In the Bypass Mode section of the Create Endpoint Group page, complete the following:

    1. State: Enable protected bypass mode from its default disabled state by switching the toggle from Disabled to Enable.
    2. FQDN: The default probe domain is probe.infoblox.com. You can choose to accept the default or create your own FQDN based on your requirements. If you choose to use a custom probe domain, ensure that it can be resolved with a custom TXT record.
    3. TXT Record: You can choose to accept the default TXT record, generate a random TXT record by clicking Generate random TXT Record, or apply a custom TXT record. To avoid conflict between two TXT records, Infoblox recommends that you define a custom probe domain and a custom TXT record instead of using the provided defaults. Ensure that the custom probe domain can be resolved based on the information in the custom TXT record.

  4. Click Save & Close to create the endpoint group or click Cancel to return to the BloxOne Endpoint Group page without enabling protected bypass mode and probing.

Enabling BloxOne Endpoint Protected Bypass Mode on Windows Devices Enabled by Default

By default, Windows devices ship with Smart Multi-Homed Name Resolution (SMHN) enabled, which sends DNS requests across all network interfaces in parallel. When a VPN connection is established, this allows connected devices to resolve the probe TXT record over whichever interface answers, which defeats internal network detection. For effective internal network detection, SMHN must be disabled on Windows laptops, either automatically by the VPN software or manually through group policy settings. If the VPN client does not disable SMHN upon connection, administrators should disable it manually using group policy configuration. For information on configuring the group policy, see Creating Endpoint Groups.

Disabling Probing Requests

Probing requests can be discontinued by disabling Bypass mode. To disable probing requests, complete the following:

...