The following diagram illustrates BloxOne DDI as the hidden primary master:

The BloxOne DNS server transfers a copy of the zone from the CSP, with multiple servers ensuring redundancy. NIOS DNS servers, both on-premises and in the public cloud, act as secondary name servers, receiving zone transfers from the BloxOne DNS server. A third-party DNS service serves as a backup, pulling a copy of the zone from one of the NIOS servers. Internet devices query all available DNS servers, maximizing redundancy and availability. Inbound port 53 requests to the BloxOne DNS server are blocked; they still occur because NS records for BloxOne DNS are published.

BloxOne DDI is the Primary Master

  • The BloxOne DNS server transfers a copy of the zone from the CSP. Multiple BloxOne DNS servers are available for redundancy.

  • NIOS DNS servers on-prem and in a customer-managed public cloud are configured as secondary name servers for the zone. Each of these servers transfers a copy of the zone from the on-prem BloxOne DNS server.

  • A third-party DNS hosting service provides an alternate backup for the zone. The third party pulls a copy of the zone from one of the NIOS DNS servers.

  • Devices on the Internet query all externally available DNS servers hosting the target zone. DNS servers in different locations on different platforms provide maximum redundancy and availability.

  • Inbound port 53 requests to the BloxOne DNS servers are blocked. Such requests are still attempted because NS records exist for the BloxOne DNS servers (they cannot be removed).

BloxOne DNS Server

  • Located in the DMZ, with access to the server only from the NIOS DNS server in the public cloud and the other NIOS DNS servers in the DMZ.

  • Allows zone transfers using a TSIG key.

  • Port 53 is available only on the host (not accessible externally).

  • NS records are auto-generated and cannot be disabled or hidden.

NIOS DNS Servers

  • NIOS DNS servers in the DMZ allow zone transfers to the third-party DNS provider via a TSIG key.

  • Port 53 is accessible through the firewall (to NIOS DNS only).

  • Public Cloud NIOS DNS requires secure connection to DMZ to pull a zone transfer.

  • Optionally configured with vADP to provide additional protection of DNS services.

  • NS (and possibly A) resource records must be created for each NIOS secondary.

Third Party DNS Servers

  • Provide DNS services for redundancy and availability.

  • Reduce the risk of DDoS and network outages affecting on-prem DNS servers.

  • Provide additional scalability.

  • NS resource records must be created for the appropriate systems.

NIOS DNS Servers Offer GSLB Responses

  • NIOS DNS servers licensed for DTC may provide rule-based responses for inbound queries.
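The sections above describe a set of invariants for the hidden-primary pattern: the BloxOne server never accepts inbound port 53, every secondary pulls only from a peer that grants it a TSIG-authenticated transfer, the third party pulls from a NIOS secondary rather than from the hidden primary, and every zone copy traces back to the hidden primary. The following added example (not Infoblox code; server names are placeholders and the model is constructed from this page) lints a deployment model against those invariants so a design can be checked before change windows:

```python
from dataclasses import dataclass, field

@dataclass
class DnsServer:
    name: str
    role: str                       # "hidden-primary", "secondary" or "third-party"
    transfer_from: str = ""         # server this one pulls the zone from ("" for the hidden primary)
    tsig_allowed_from: list[str] = field(default_factory=list)  # peers allowed to AXFR, TSIG-authenticated
    public_port53: bool = False     # inbound port 53 open through the firewall
    ns_record: bool = True          # NS record published for this server

def lint_hidden_primary(servers: list[DnsServer]) -> list[str]:
    """Return findings where the model breaks the pattern on this page; [] means it matches."""
    by_name = {s.name: s for s in servers}
    findings = []
    for s in servers:
        if s.role == "hidden-primary":
            if s.public_port53:
                findings.append(f"{s.name}: hidden primary must not accept inbound port 53")
            if s.transfer_from:
                findings.append(f"{s.name}: hidden primary pulls from the CSP, not from a listed server")
            continue
        if s.public_port53 and not s.ns_record:
            findings.append(f"{s.name}: answers externally but has no NS record")
        src = by_name.get(s.transfer_from)
        if src is None:
            findings.append(f"{s.name}: transfer source {s.transfer_from!r} is not a known server")
        else:
            if s.name not in src.tsig_allowed_from:
                findings.append(f"{src.name}: no TSIG transfer permission for {s.name}")
            if s.role == "third-party" and src.role == "hidden-primary":
                findings.append(f"{s.name}: third party must pull from a NIOS secondary, not the hidden primary")
        # Walk the transfer chain: every copy must trace back to the hidden primary without a cycle.
        seen, cur = set(), s
        while cur is not None and cur.role != "hidden-primary" and cur.name not in seen:
            seen.add(cur.name)
            cur = by_name.get(cur.transfer_from)
        if cur is None or cur.role != "hidden-primary":
            findings.append(f"{s.name}: zone copy does not trace back to the hidden primary")
    return findings

# Constructed model of the deployment on this page (server names are placeholders).
DEPLOYMENT = [
    DnsServer("b1-dns", "hidden-primary", tsig_allowed_from=["nios-dmz", "nios-cloud"]),
    DnsServer("nios-dmz", "secondary", "b1-dns", tsig_allowed_from=["third-party"], public_port53=True),
    DnsServer("nios-cloud", "secondary", "b1-dns", public_port53=True),
    DnsServer("third-party", "third-party", "nios-dmz", public_port53=True),
]
```

Running `lint_hidden_primary(DEPLOYMENT)` returns an empty list for the model above; opening port 53 on the BloxOne server or pointing the third party at it directly produces one finding per violated invariant.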