The following diagram illustrates BloxOne DDI as the hidden primary master:
...
| Excerpt |
|---|
| hidden | true |
|---|
| name | BloxOne DDI as the Hidden Primary Master |
|---|
|
| Drawio |
|---|
| mVer | 2 |
|---|
| zoom | 1 |
|---|
| simple | 0 |
|---|
| inComment | 0 |
|---|
| custContentId | 268995081 |
|---|
| pageId | 268535418 |
|---|
| lbox | 1 |
|---|
| diagramDisplayName | BloxOneDDI_Hidden_Primary_Master.drawio |
|---|
| contentVer | 2 |
|---|
| revision | 2 |
|---|
| baseUrl | https://infoblox-docs.atlassian.net/wiki |
|---|
| diagramName | BloxOneDDI_Hidden_Primary_Master.drawio |
|---|
| pCenter | 0 |
|---|
| width | 870.5 |
|---|
| links | |
|---|
| tbstyle | |
|---|
| height | 611 |
|---|
|
|
 Image ModifiedBloxOne DDI is the Primary Master | BloxOne DNS server transfers a copy of the zone from CSP. Multiple BloxOne DNS servers are available for redundancy. NIOS DNS servers on prem and in a customer managed public cloud are configured as secondary name servers for the zone. Each of the servers transfer a copy of the zone from the on-prem BloxOne DNS server. A third party hosting DNS service provides an alternate backup for the zone. The third party pulls a copy of the zone from one of the NIOS DNS servers. Devices on the Internet query all externally available DNS servers hosting the target zone. DNS servers in different locations on different platforms provide for maximum redundancy and availability. Inbound port 53 requests are blocked. Attempts are made because NS records exist for BloxOne DNS servers (they can't be removed).
|
 Image ModifiedBloxOne DNS Server | In the DMZ with access to the server only from the NIOS DNS server in the public cloud and the other NIOS DNS servers in the DMZ. Allows zone transfers using a TSIG key. Port 53 only available on the host (not accessible from External). NS records are auto-generated and cannot be disabled or hidden.
|
 Image ModifiedNIOS DNS Servers | NIOS DNS servers in the DMZ allow zone transfers from the 3rd party DNS provider via TSIG key. Port 53 accessible through the firewall (to NIOS DNS only). Public Cloud NIOS DNS requires secure connection to DMZ to pull a zone transfer. Optionally configured with vADP to provide additional protection of DNS services. NS (and possibly A) resource records must be created for each NIOS secondary.
|
 Image ModifiedThird Party DNS Servers | Provide DNS services as a redundancy and availability service. Reduces risk of DDoS and network outages to on-prem DNS servers. Provides additional scalability. NS resource records must be created for appropriate systems. NIOS DNS Servers Offer GSLB Responses.
NIOS DNS servers licensed for DTC may provide rule-based responses for inbound queries.
|
