...

• If you are running DFP (DNS Forwarding Proxy) on a NIOS host, Infoblox strongly recommends that you use the NIOS fallback mechanism by selecting the Fallback to the default resolution process if Infoblox Threat Defense does not respond checkbox in the Member DFP Properties editor of the Grid Manager UI. For more information, see Using DNS Fallback.
  
• When you enable NIOS fallback on the NIOS DFP, ensure that NIOS DNS server has unrestricted access to the internet on UDP/TCP port 53 for the fallback to function properly (even if you have configured DNS forwarders). The NIOS DNS server must first reach the root name servers, TLD (Top Level Domain) servers, and then finally the authoritative name servers to find responses to DNS queries.

• If you cannot enable the root servers or if the root servers are not reachable, you can enable DNS protection by enabling Fallback Resolver when configuring local resolver on your DFP service instance. For information, see Using DNS Fallback.

Standalone DFP

• When configuring a standalone DFP, Infoblox recommends that you enable DNS fallback in the DNS Forwarding Proxy settings of the DFP service. For information, see Configuring DNS Forwarding Proxy Settings.
• Ensure that UDP/TCP port 53 is accessible from the DFP for DNS fallback to function properly.
• DO NOT configure any of the Infoblox-provided anycast IP addresses for DNS fallback purposes.
• If you are using encrypted DNS or encrypted DNS over TLS, configure DNS fallback according to the instructions in the Configuring DFP Settings Using Encrypted DNS Protocols section in Configuring DNS Forwarding Proxy Settings.

...