Depending on your network requirements, you can forward your DNS traffic while configuring external networks. By designating a DNS server as a forwarder, that server is responsible for all external DNS resolution and can build up a cache of external addresses, thus reducing the need to query recursive resolvers and cutting down DNS traffic.

When you set up external networks for DNS protection, you can use Infoblox-provided anycast IP addresses to configure DNS forwarding for the following. 

  • NIOS forwarders

  • Third-party DNS servers

For additional information, see the following topics on this page.

Allowing Redirect IP Addresses

Note

When redirect rules are configured, redirect IP addresses must be allowed to ensure connectivity to redirect servers. See the end client/redirect IP information here.

The following table lists the protocol/port required and the specific IP addresses that must be allowed in the firewall to ensure the proper functioning of redirect rules.

Protocol/Port: TCP 443 or 80

Destination IPs (redirect IPs):

  For IPv4:

    3.215.231.251
    3.216.243.225
    35.168.95.233
    54.173.31.46
    3.220.140.235

  For IPv6:

    2600:1f18:1043:dc00:8083:68e:ef0f:46de
    2600:1f18:1043:dc02:ed26:448b:247:90c9
    2600:1f18:1043:dc00:a339:63ac:4c02:9531
    2600:1f18:1043:dc00:5ee5:908d:8892:f214
    2600:1f18:1043:dc02:be4:9bb:7833:d9d4

Description: A client/end user should be connecting to the redirect server.

Firewall Port Usage for DNS Forwarding Servers

The following table lists the firewall port that you should open on your DNS forwarding servers. DNS forwarding might not function properly if you do not follow the port usage guidelines.

Protocol/Port: UDP/TCP 53

Usage: Access to the configured forwarders

Description: You must open UDP/TCP port 53 to allow access from the forwarding server to the configured forwarders.

DNS Forwarding Using Anycast Addresses

When configuring external networks, Infoblox recommends that you add the following four anycast IPs (provided by BloxOne) to your DNS server for DNS forwarding.

  • 52.119.41.100

  • 52.119.40.100

  • 103.80.6.100

  • 103.80.5.100

The 52.119.41.100 and 103.80.6.100 addresses are provisioned under AWS Anycast, so a DNS client can connect to the nearest AWS entry location. Once a connection is established, the client is routed via AWS to the nearest PoP (Point of Presence). If the nearest PoP is not reachable, the client is forwarded to another PoP based on the rules described in the first bullet.

The 52.119.40.100 and 103.80.5.100 addresses are routed using Anycast only, and they use a different architecture so the traffic is routed via third-party networks to a PoP. 

For information, see Forwarding DNS Traffic to BloxOne Cloud.

For detailed information on how to configure forwarders on NIOS, see Using Forwarders.
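The two firewall tables above and the anycast forwarder list can be turned into one concrete egress allowlist. The script below is an added example (not Infoblox code): it validates every address with Python's ipaddress module so a mistyped octet or a private address is rejected before it reaches a firewall, keeps IPv4 and IPv6 in separate rules, and emits nftables syntax for TCP 443/80 to the redirect IPs and UDP/TCP 53 to the anycast forwarders. The nftables output format is an assumption made for illustration; it presumes an egress chain where these accept rules sit ahead of a default drop.

```python
"""Generate an egress allowlist from the redirect and anycast forwarder tables.

Added example, not Infoblox code. Output is nftables rule syntax (an assumption);
adapt the rendering to whatever firewall you run.
"""
import ipaddress

# Values below are copied from the tables on this page.
REDIRECT_IPS = [
    "3.215.231.251", "3.216.243.225", "35.168.95.233", "54.173.31.46", "3.220.140.235",
    "2600:1f18:1043:dc00:8083:68e:ef0f:46de",
    "2600:1f18:1043:dc02:ed26:448b:247:90c9",
    "2600:1f18:1043:dc00:a339:63ac:4c02:9531",
    "2600:1f18:1043:dc00:5ee5:908d:8892:f214",
    "2600:1f18:1043:dc02:be4:9bb:7833:d9d4",
]
ANYCAST_FORWARDERS = ["52.119.41.100", "52.119.40.100", "103.80.6.100", "103.80.5.100"]


def validate(addresses):
    """Parse each address; refuse anything that is not a single global-unicast host."""
    parsed = []
    for a in addresses:
        ip = ipaddress.ip_address(a)  # raises ValueError on typos such as a missing octet
        if not ip.is_global:
            raise ValueError(f"{a} is not a global address; refusing to allowlist it")
        parsed.append(ip)
    return parsed


def nft_rules(addresses, protocols, ports):
    """One nftables accept rule per address family and protocol."""
    rules = []
    for family, keyword in ((4, "ip"), (6, "ip6")):
        members = [str(ip) for ip in validate(addresses) if ip.version == family]
        if not members:
            continue
        for proto in protocols:
            rules.append(
                f"{keyword} daddr {{ {', '.join(members)} }} "
                f"{proto} dport {{ {', '.join(map(str, ports))} }} accept"
            )
    return rules


def build_allowlist():
    """Redirect servers on TCP 443/80, anycast forwarders on UDP/TCP 53 (per the tables above)."""
    rules = nft_rules(REDIRECT_IPS, ["tcp"], [443, 80])
    rules += nft_rules(ANYCAST_FORWARDERS, ["udp", "tcp"], [53])
    return rules


if __name__ == "__main__":
    for rule in build_allowlist():
        print(rule)
```

Run it once and review the printed rules before loading them; the point of `validate` is that a copy-and-paste error in an address list fails loudly here rather than silently opening or blocking the wrong destination.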

DNS Forwarding on Third-Party DNS Servers

In addition to using the Infoblox-provided anycast addresses, you can also use the following methods to forward DNS traffic. A limitation of this configuration method for third-party DNS servers is that there is no end-client visibility unless the third-party DNS server has the EDNS option enabled.

Unbound DNS Resolvers

If you use Unbound as the DNS resolver, you can make some modifications in your DNS configuration file to configure your DNS forwarders to use the BloxOne Cloud name server IP. Use the following example as a reference when modifying your DNS configuration file:

    # Forward all queries (zone ".") to the BloxOne anycast forwarders
    forward-zone:
            name: "."
            forward-addr: 52.119.40.100
            forward-addr: 52.119.41.100


BIND DNS Resolvers

If you use BIND as the DNS resolver, you can make some modifications in your DNS configuration file to configure your DNS forwarders to use the BloxOne Cloud name server IP.

Use the following example as a reference when modifying your DNS configuration file:

    options {
            // Send every query to the BloxOne anycast forwarders; never recurse directly
            forward only;
            forwarders { 52.119.40.100; 52.119.41.100; };
    };
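Both snippets above are only effective if the resolver forwards exclusively: Unbound's `forward-first: yes` and BIND's default `forward first` let the resolver fall back to its own recursion when the forwarders do not answer, which sends those queries around the BloxOne forwarders. The script below is an added example (not from this page, Unbound or BIND) that audits a forward stanza from either resolver against the anycast set listed earlier and reports any forwarder outside that set or any fallback-to-recursion setting. The sample stanzas are constructed; 192.0.2.53 is a placeholder from the documentation address range.

```python
"""Audit Unbound and BIND forwarding stanzas against the BloxOne anycast set.

Added example, not part of this page or of the Unbound/BIND projects.
"""
import ipaddress
import re

# Anycast forwarder addresses listed on this page.
BLOXONE_ANYCAST = {"52.119.41.100", "52.119.40.100", "103.80.6.100", "103.80.5.100"}


def parse_unbound(text):
    """Return (forward_addrs, forward_only) for an unbound.conf forward-zone stanza.

    Unbound forwards exclusively unless 'forward-first: yes' is set, which lets it
    fall back to its own recursion when the forwarders do not answer."""
    addrs = re.findall(r"^\s*forward-addr:\s*(\S+)", text, re.M)
    first = re.search(r"^\s*forward-first:\s*yes", text, re.M | re.I)
    return addrs, first is None


def parse_bind(text):
    """Return (forwarders, forward_only) for a named.conf options block.

    BIND's default is 'forward first': try the forwarders, then recurse directly."""
    m = re.search(r"forwarders\s*\{([^}]*)\}", text)
    addrs = [a.strip() for a in m.group(1).split(";") if a.strip()] if m else []
    only = re.search(r"^\s*forward\s+only\s*;", text, re.M) is not None
    return addrs, only


def audit(addrs, forward_only, allowed=BLOXONE_ANYCAST):
    """Return a list of findings; an empty list means the stanza matches the guidance above."""
    findings = []
    if not addrs:
        findings.append("no forwarders configured")
    for a in addrs:
        # Unbound accepts 'address@port'; BIND accepts 'address port N'. Keep the address only.
        host = a.split("@")[0].split()[0]
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"{a}: not a valid IP address")
            continue
        if host not in allowed:
            findings.append(f"{a}: not a BloxOne anycast forwarder")
    if not forward_only:
        findings.append("resolver may fall back to its own recursion and bypass the forwarders")
    return findings


# Constructed samples: the first two mirror the configurations shown on this page; the
# third is a misconfiguration (forward first, plus a non-BloxOne forwarder taken from
# the 192.0.2.0/24 documentation range).
UNBOUND_OK = """forward-zone:
        name: "."
        forward-addr: 52.119.40.100
        forward-addr: 52.119.41.100
"""
BIND_OK = """options {
        forward only;
        forwarders {52.119.40.100;52.119.41.100;};
};
"""
BIND_BAD = """options {
        forward first;
        forwarders { 52.119.40.100; 192.0.2.53; };
};
"""

if __name__ == "__main__":
    for label, parser, text in (("unbound", parse_unbound, UNBOUND_OK),
                                ("bind-ok", parse_bind, BIND_OK),
                                ("bind-bad", parse_bind, BIND_BAD)):
        print(label, audit(*parser(text)) or "OK")
```

Point the parsers at the real unbound.conf or named.conf text (the options block for BIND, the forward-zone for "." in Unbound) and treat any non-empty findings list as a configuration drift to fix; the regexes are deliberately narrow and do not handle BIND views or per-zone forwarding, so extend them if your configuration uses those.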

Microsoft DNS Resolvers

If you use Microsoft servers as the DNS resolvers, you can configure the Microsoft forwarder to use the BloxOne Cloud name server IP through the Windows interface.

To configure a Microsoft DNS forwarder:

  1. On your Microsoft Windows server, open DNS Manager.

  2. In the console tree, click the applicable DNS server from DNS/Applicable DNS server.

  3. On the Action menu, click Properties.

  4. On the Forwarders tab, click Edit.

    Image: A window from the "DNS Manager", which is a tool typically used to configure and manage DNS services on a network.

  5. Enter the IP address of one or more forwarders, and then click OK. For BloxOne Threat Defense global IPv4 DNS Anycast addresses, see Forwarding DNS Traffic to BloxOne Cloud.

For more information about configuring a Microsoft DNS server to use forwarders, refer to https://technet.microsoft.com/en-us/library/cc754941(v=ws.11).aspx.

Microsoft Azure VNet

For workloads running in Microsoft Azure, you can configure an Azure Virtual Network (VNet) to use BloxOne Cloud as a custom DNS server.

Note

To apply security policies and protect DNS traffic from your VNet, you must register one or more source IPs in BloxOne, as an external network. For details, see Configuring External Networks.

To ensure that the source address is consistent, the configuration example on this page relies on a VNet using a NAT Gateway. For information on configuring a VNet with a NAT Gateway, see Microsoft’s Virtual Network NAT documentation.

To configure custom DNS servers for a VNet:

  1. In the Azure Portal, navigate to the applicable VNet.

  2. On the VNet page, select DNS servers from the menu.

    Image: The Microsoft Azure portal interface showing the DNS servers configuration for a virtual network named "central-vnet".

  3. Select the radio button for Custom.

  4. Enter the IP address of one or more forwarders, and then click OK. For BloxOne Threat Defense global IPv4 DNS Anycast addresses, see Forwarding DNS Traffic to BloxOne Cloud.

  5. Save this configuration.

To find the public IP of a NAT Gateway that you would like to register as an external network:

  1. In the Azure Portal, navigate to the applicable NAT Gateway.

  2. On the NAT Gateway page, select Outbound IP from the menu.

    Image: The Microsoft Azure portal, specifically focusing on the "Outbound IP" configuration for an entity named "central-natgw", which is a NAT (Network Address Translation) gateway.

  3. Copy and save the IP addresses shown.

AWS Route 53

Creating a Route 53 Outbound Endpoint

In order to forward DNS traffic from an AWS VPC, you must create an Outbound Endpoint. An outbound endpoint is an AWS feature that allows DNS traffic from a VPC to be forwarded to an IP or Domain. To create an Outbound Endpoint, perform the following steps:

  1. Log in to AWS. Once logged in, input Route53 into the search bar located at the top of the AWS interface.

    Image: The AWS Management Console.

  2. Click Route 53 in the list of side menu options.

    Image: The Route 53 side menu option.

  3. In the Route 53 navigation pane, click Outbound endpoints located under Resolver.

    Image: The Route 53 menu.

  4. On the Outbound endpoints page, click Create outbound endpoint.

    Image: Clicking Create outbound endpoint.

  5. On the Create outbound endpoint page, input the following data:

    1. Give the Outbound Endpoint a Name.

      Image: Naming the outbound endpoint.

    2. Select the VPC you would like to associate with the Outbound Endpoint from among the drop-down options.

      Image: Selecting the VPC.

    3. Select the Security group you would like to associate with this Outbound Endpoint from among the drop-down options.

      Image: Selecting a security group.

    4. Select IPv4 as the Endpoint Type from among the drop-down options.

      Image: Selecting IPv4 as the endpoint type.

    5. Under the IP address #1 header, select the Availability Zone you would like to use for this Outbound Endpoint. Note that this is the IP address clients will send DNS requests to; any additional IP addresses entered act as redundant alternatives to the first one to improve availability.

      Image: Selecting an availability zone for IP address #1.

    6. Select the private subnet associated with the Availability Zone.

      Image: Selecting a private subnet.

    7. Choose an IP address for the Outbound Endpoint. You may allow AWS to choose one automatically, or input one manually.

      Image: Selecting an IP address for the outbound endpoint.

    8. Under the IP address #2 header, select the Availability Zone you would like to use for this Outbound Endpoint. Note that this is an IP address to which clients send DNS requests.

      Image: Selecting an availability zone for IP address #2.

    9. Select the private subnet associated with the Availability Zone.

      Image: Selecting a private subnet associated with the availability zone.

    10. Choose an IP address for the outbound endpoint. You can allow AWS to choose one automatically, or input one manually.

      Image: Selecting the automatically generated IP address for the outbound endpoint.

    11. Optionally, input additional IP addresses via the Add another IP address button.

      Image: Adding an additional IP address.

    12. Optionally, add Input Tags if desired, then click Submit to finish the creation of the Outbound Endpoint.

      Image: Clicking the Submit button to add an input tag.

    13. If the creation of the Outbound Endpoint was successful, you will now see the newly created outbound endpoint on the Outbound endpoints page.

      Image: Confirmation of the successful creation of a new outbound endpoint.

This completes the process of creating a Route 53 Outbound Endpoint.

Creating a Route 53 Resolver Rule

In order to forward traffic to BloxOne Threat Defense you must configure a resolver rule which allows Route 53 to forward traffic to IP addresses defined within. To create a Resolver rule, perform the following steps:

  1. In the Route 53 navigation panel, click Rules located under the Resolver header.

    Image: Locating Rules in the side navigation.

  2. On the Rules page, click Create rule.

    Image: Click Create rule on the Rules page to commence the rule creation process.

  3. Configure the new rule:

    1. Give the rule a Name.

      Image: Adding a name in the rule's Name field.

    2. Set the Rule type as Forward.

      Image: Adding "Forward" in the Rule type text field.

    3. In the Domain name text field, input the character "." (without the quotation marks).

      Image: Inputting "." without the quotes in the Domain name text field.

    4. Select any VPC(s) that you would like this rule to apply to via the drop-down menu located under the VPCs that use this rule header.

      Image: Applying a rule to a selected VPC or VPCs.

    5. Select the outbound endpoint that was created earlier via the drop-down menu.

      Image: Selecting the outbound endpoint from among the drop-down menu options.

    6. In the First Target IP address text field, input the address 52.119.40.100. Additionally, input 53 in the Port text field.

      Image: Adding the first target IP address.

    7. Click Add target to input another IP address.

      Image: Adding the target IP address.

    8. In the second Target IP address field, input the IP 103.80.5.100. Additionally, input 53 in the Port text field.

      Image: Adding a second target IP address.

    9. Click Submit to confirm the creation of the rule.

      Image: Clicking the Submit button to create the new rule.

    10. If the creation of the rule was successful, you will now see the new rule in the list of rules.

      Image: Verifying the successful addition of the rule to the rule list.

This completes the process of creating a Route 53 Resolver Rule.
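The console steps for the outbound endpoint and the resolver rule map onto three Route 53 Resolver API calls. The Python below is an added example (not Infoblox or AWS code) that builds the request parameters for `create_resolver_endpoint` and `create_resolver_rule` with the checks the procedure implies: at least two endpoint IP addresses, each in a different availability-zone subnet, IPv4 only, and a FORWARD rule for domain "." whose targets are the two anycast addresses on port 53. The boto3 call names and parameter keys are those of the `route53resolver` client; `create_forwarding` submits the requests and needs real credentials, while the request builders run offline. Resource names and IDs in the code are placeholders.

```python
"""Build the Route 53 Resolver requests behind the console steps above.

Added example, not Infoblox or AWS code. Request shapes follow the boto3
route53resolver client; names and IDs are placeholders.
"""
import ipaddress
import uuid

# Target addresses entered in the rule steps on this page.
TARGET_IPS = ["52.119.40.100", "103.80.5.100"]


def outbound_endpoint_request(name, security_group_id, subnet_ids, ips=None):
    """Parameters for create_resolver_endpoint: one IP per AZ subnet, at least two of them."""
    if len(subnet_ids) < 2:
        raise ValueError("an outbound endpoint needs at least two IP addresses (IP address #1 and #2)")
    if len(set(subnet_ids)) != len(subnet_ids):
        raise ValueError("each IP address should come from a different availability-zone subnet")
    ips = ips or [None] * len(subnet_ids)
    addresses = []
    for subnet, ip in zip(subnet_ids, ips):
        entry = {"SubnetId": subnet}
        if ip:  # omitted -> AWS picks an address automatically, as the steps allow
            ipaddress.IPv4Address(ip)  # endpoint type is IPv4; rejects anything else
            entry["Ip"] = ip
        addresses.append(entry)
    return {
        "CreatorRequestId": str(uuid.uuid4()),  # idempotency token required by the API
        "Name": name,
        "Direction": "OUTBOUND",
        "SecurityGroupIds": [security_group_id],
        "IpAddresses": addresses,
    }


def forward_rule_request(name, endpoint_id, targets=TARGET_IPS, port=53):
    """Parameters for create_resolver_rule: rule type FORWARD for the whole namespace '.'."""
    for target in targets:
        ipaddress.ip_address(target)
    return {
        "CreatorRequestId": str(uuid.uuid4()),
        "Name": name,
        "RuleType": "FORWARD",
        "DomainName": ".",
        "ResolverEndpointId": endpoint_id,
        "TargetIps": [{"Ip": target, "Port": port} for target in targets],
    }


def create_forwarding(vpc_id, security_group_id, subnet_ids):
    """Submit both requests and attach the rule to the VPC (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the builders above stay usable offline

    client = boto3.client("route53resolver")
    endpoint = client.create_resolver_endpoint(
        **outbound_endpoint_request("bloxone-outbound", security_group_id, subnet_ids)
    )
    endpoint_id = endpoint["ResolverEndpoint"]["Id"]
    rule = client.create_resolver_rule(**forward_rule_request("bloxone-forward-all", endpoint_id))
    rule_id = rule["ResolverRule"]["Id"]
    client.associate_resolver_rule(ResolverRuleId=rule_id, Name="bloxone-forward-all", VPCId=vpc_id)
    return endpoint_id, rule_id


if __name__ == "__main__":
    # Placeholder IDs; replace with your VPC, security group and private subnets.
    print(outbound_endpoint_request("bloxone-outbound", "sg-PLACEHOLDER",
                                    ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]))
    print(forward_rule_request("bloxone-forward-all", "rslvr-out-PLACEHOLDER"))
```

The security group chosen in the endpoint step must allow UDP/TCP 53 outbound to the target addresses, the same requirement the firewall port table earlier on this page states for any forwarding server.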

For additional information, see the deployment guide Integrating BloxOne™ Threat Defense with AWS Route 53.