If your network infrastructure consists of an on-prem Infoblox Grid, you can select any Grid member to function as a DNS forwarder. Ensure that you configure your firewall to allow that Grid member to communicate with external DNS servers and enable DNS recursion on the member.
...
Note: If the initial query resolves to a CNAME, BIND resolves the CNAME again. If the CNAME then gets a hit on the security policy, the response is based on the security action assigned to that policy hit. This is the default behavior for DFP on NIOS and for a Host with DFP+DNS enabled on it.
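The following added example is a simplified model of the CNAME behavior described in the note above. It is not Infoblox or BIND code. The record data, the policy table, the `BLOCK` action name, and the hop limit are all constructed assumptions. It shows why a query name that is not itself in the policy can still receive a policy response when a name later in its CNAME chain matches.

```python
# Added illustration with constructed data; not Infoblox or BIND code.
# Constructed resolver data: name -> ("CNAME", target) or ("A", address)
RECORDS = {
    "www.shop.example": ("CNAME", "cdn.tracker.example"),
    "cdn.tracker.example": ("A", "192.0.2.10"),
    "docs.example": ("CNAME", "docs.host.example"),
    "docs.host.example": ("A", "192.0.2.20"),
    "loop-a.example": ("CNAME", "loop-b.example"),
    "loop-b.example": ("CNAME", "loop-a.example"),
}

# Hypothetical security policy: domain suffix -> action name (assumed)
POLICY = {"tracker.example": "BLOCK"}

MAX_HOPS = 8  # assumed cap on CNAME chain length


def policy_action(name):
    """Return the action for the longest matching policy suffix, or None."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        action = POLICY.get(".".join(labels[i:]))
        if action:
            return action
    return None


def resolve_with_policy(qname):
    """Follow CNAMEs from qname, checking policy on every name in the chain."""
    chain, name = [], qname.rstrip(".").lower()
    while len(chain) < MAX_HOPS:
        if name in chain:  # CNAME loop: stop instead of recursing forever
            return {"result": "SERVFAIL", "matched": None, "chain": chain + [name]}
        chain.append(name)
        action = policy_action(name)
        if action:  # policy hit on the query name or on a CNAME target
            return {"result": action, "matched": name, "chain": chain}
        rtype, value = RECORDS.get(name, ("NXDOMAIN", None))
        if rtype != "CNAME":
            return {"result": value or rtype, "matched": None, "chain": chain}
        name = value.rstrip(".").lower()
    return {"result": "SERVFAIL", "matched": None, "chain": chain}


if __name__ == "__main__":
    for q in ("www.shop.example", "docs.example", "loop-a.example"):
        print(q, "->", resolve_with_policy(q))
```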
...
To enable recursion on the Grid or member in NIOS 8.5, see Enabling Recursive Queries in NIOS 8.5.
DNS Fallback
Infoblox strongly recommends that you configure DNS fallback. For information, see Using DNS Fallback.
Deployment of Multiple DFPs
...
Note: In some scenarios the end client IP address may not be visible, for example when Fault Tolerant Caching is enabled in NIOS or for a Prefetch query.
DNSSEC
DFP does not work with DNSSEC when a request has been redirected by BloxOne Threat Defense.
If you are running DFP on NIOS, you must disable DNSSEC validation. DNSSEC validation is performed by BloxOne Threat Defense, regardless of whether the query comes from a DFP on NIOS, BloxOne DDI, a standalone source, or a BloxOne Threat Defense endpoint, or is forwarded from a third-party DNS server. Even if you disable DNSSEC validation, validation still takes place through BloxOne Threat Defense. For more information, see Using Forwarders.
To enable DFP to work with DNSSEC when a request has been redirected by BloxOne Threat Defense, see Enabling DNS Forwarding Proxy to Work with DNSSEC.