
To protect your enterprise networks from DNS-based cyber attacks, you can deploy a DNS forwarding proxy (DFP) to secure DNS traffic between your on-premises networks and BloxOne Cloud. The DFP is a recursive DNS server configured to forward DNS queries to BloxOne Cloud on behalf of DNS clients: BloxOne Cloud sends its DNS responses to the DFP, and the DFP relays them back to the client. Once the DFP has built up a cache, it answers queries from the cache where it can, in addition to forwarding them, which improves the client experience by reducing response time and traffic over the internet.

The DFP communicates with BloxOne Cloud using DNS over TLS (DoT) on the custom TCP port 443; Infoblox does not use the standard DoT port on the DFP or on BloxOne Endpoint (B1E). All other requests sent to BloxOne Cloud by standard DNS resolvers, DNS servers, and external networks are not encrypted and are carried over port 53.

The following illustration describes a high-level view of the DFP operation:

...

Implementation Recommendations for DoT

Infoblox recommends that organizations block direct DNS traffic, including DNS over TLS (DoT), between internal IP addresses and external DNS servers. This strategy helps prevent the operation of certain malware types, such as DNSChanger, by ensuring that internal devices must use the organization's own DNS infrastructure. This managed DNS setup can enforce name resolution policies through security features like Response Policy Zones (RPZs), enhancing network protection.

Blocking standard DNS and DoT traffic from internal IP addresses to external DNS servers is simple. Firewall rules like the following should suffice:

...
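As an added illustration of the recommendation above (not Infoblox's own rules), the following nftables ruleset allows internal clients to reach only the organization's resolvers, lets the DFP host reach BloxOne Cloud on TCP 443, and drops and logs any other DNS (53) or DoT (853) egress. The internal prefix, resolver address, DFP host address and the BloxOne Cloud addresses are constructed placeholders; the real BloxOne Cloud addresses are published by Infoblox and are not on this page.

```nft
# Constructed example ruleset; every address below is a placeholder.
#   10.0.0.0/8  = internal networks
#   10.0.0.53   = on-prem NIOS resolver (also the DFP fallback resolver)
#   10.0.0.10   = host running the DNS forwarding proxy (DFP)
#   192.0.2.1   = stand-in for the Infoblox-published BloxOne Cloud addresses
table inet dns_egress {
    set internal_resolvers {
        type ipv4_addr
        elements = { 10.0.0.53 }
    }
    set bloxone_cloud {
        type ipv4_addr
        elements = { 192.0.2.1 }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Internal clients may use the organization's own resolvers (plain DNS and DoT).
        ip saddr 10.0.0.0/8 ip daddr @internal_resolvers udp dport 53 accept
        ip saddr 10.0.0.0/8 ip daddr @internal_resolvers tcp dport 53 accept
        ip saddr 10.0.0.0/8 ip daddr @internal_resolvers tcp dport 853 accept

        # Only the DFP host talks to BloxOne Cloud, over DoT on the custom TCP port 443.
        ip saddr 10.0.0.10 ip daddr @bloxone_cloud tcp dport 443 accept

        # Any other DNS or DoT leaving the internal networks is logged and dropped.
        ip saddr 10.0.0.0/8 ip daddr != 10.0.0.0/8 udp dport 53 log prefix "dns-egress-blocked " drop
        ip saddr 10.0.0.0/8 ip daddr != 10.0.0.0/8 tcp dport 53 log prefix "dns-egress-blocked " drop
        ip saddr 10.0.0.0/8 ip daddr != 10.0.0.0/8 tcp dport 853 log prefix "dot-egress-blocked " drop
    }
}
```

Because the DFP's own DoT session runs on TCP 443, a port-based rule cannot tell DoT from ordinary HTTPS; restricting the 443 exception to the DFP host and the BloxOne Cloud addresses is what keeps the policy tight.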

If a host cannot reach the BloxOne Anycast DNS server for any reason, it sends its requests to a local DNS resolver, which protects DNS clients with security RPZ (DNS Firewall) feeds if an on-prem DNS firewall is configured for the NIOS Grid. If queries should fall back under these conditions, configure the DNS fallback resolver: the DNS forwarding proxy uses this DNS server as its endpoint when the primary server is unavailable. The fallback-to-local-DNS-server option (instead of the default DNS resolution path) can be used in situations where BloxOne Cloud is unreachable.

...