If your network infrastructure consists of an on-prem Infoblox Grid, you can select any Grid member to function as a DNS forwarder. Ensure that you configure your firewall to allow that Grid member to communicate with external DNS servers and enable DNS recursion on the member.

...

Warning

On the host, if you have configured delegations in your subzones, ensure that you select the Don't use forwarders to resolve queries in subzones check box when you configure the parent’s authoritative zone properties. Otherwise, delegations will not function properly: because forwarding takes precedence over delegation, the query is sent to the BloxOne Cloud instead of the delegated servers. For information about how to configure authoritative zone properties, see Configuring Authoritative Zone Properties. For information about delegations, see About Authority Delegation.


Note

If the initial query resolves to a CNAME, BIND resolves the CNAME again. At this point, if the CNAME gets a hit on the security policy, the response is based on the security action assigned to it. This is the default behavior for DFP on NIOS and for a Host with DFP+DNS enabled on it.

...

To enable recursion on the Grid or member in NIOS 8.5, see Enabling Recursive Queries in NIOS 8.5.

DNS Fallback

Infoblox strongly recommends that you configure DNS fallback. For information, see Using DNS Fallback.

Deployment of Multiple DFPs

...

To see the end client IP address in the DFP reports, make sure that Add client IP, MAC addresses, and DNS View name to outgoing recursive queries and Copy client IP, MAC addresses, and DNS View name to outgoing recursive queries are checked, depending on the DNS infrastructure. For information, see Using Forwarders in the NIOS 9.0 documentation.

Note

In some scenarios, the end client IP address may not be visible, for example, when Fault Tolerant Caching is enabled in NIOS or in a Prefetch query.


DNSSEC

DFP does not work with DNSSEC when a request has been redirected by BloxOne Threat Defense.

If you are running DFP on NIOS, you must disable DNSSEC validation. DNSSEC validation is performed by BloxOne Threat Defense, regardless of whether the query comes from a DFP on NIOS, BloxOne DDI, a standalone source, or a BloxOne Threat Defense endpoint, or is forwarded from a third-party DNS server. Even if you disable DNSSEC validation, validation still takes place through BloxOne Threat Defense. For more information, see Using Forwarders.

To enable DFP to work with DNSSEC when a request has been redirected by BloxOne Threat Defense, see Enabling DNS Forwarding Proxy to Work with DNSSEC.