...
This topic details the requirements that NIOS appliances must meet to enable the DNS over TLS and DNS over HTTPS services, and gives instructions for configuring these services.
Licensing and Certificate Requirements
DNS over TLS and DNS over HTTPS require the vDCA (virtual DNS Cache Acceleration) or vADP (virtual Advanced DNS Protection Software) service to be licensed and enabled. If neither the DNS Cache Acceleration service nor the Advanced DNS Protection Software service is enabled, the DNS over TLS and DNS over HTTPS features do not work even when they themselves are enabled. For more information about DNS Cache Acceleration and Advanced DNS Protection Software (threat protection), see Configuring DNS Cache Acceleration (/wiki/spaces/nios85draft/pages/26481432) and About Infoblox Advanced DNS Protection (/wiki/spaces/nios85draft/pages/26478887) respectively.
The DNS over TLS or the DNS over HTTPS service uses the same self-signed certificate that NIOS generates for HTTPS communication when it first starts. You can also generate a certificate signing request (CSR) and use it to obtain a signed certificate from your own trusted certificate authority (CA). For more information, see Generating Certificate Signing Requests.
The certificate is provisioned for each member. For more information about certificates, see /wiki/spaces/nios85draft/pages/26477152.
...
Note: NIOS generates a new self-signed certificate when the host name or the IP address of the member is changed or when a Grid Master Candidate is promoted. If the DNS over TLS or DNS over HTTPS feature is enabled on a member, then every time a new self-signed certificate, HTTPS certificate, or CA certificate is generated, the DNS over TLS service or the DNS over HTTPS service (depending on which feature is enabled) automatically restarts to load the new certificate.
...
Warning: The numbers in the following tables are for IB-FLEX appliances only. For information about CPU and memory requirements of NIOS appliances other than IB-FLEX, see the NIOS Release Notes.
IB-FLEX Flavor Configuration | Total CPU | Total System Memory in GB (With virtual Advanced DNS Protection Software only) | Total System Memory in GB (With virtual DNS Cache Acceleration and virtual Advanced DNS Protection Software) | Maximum Number of Concurrent Sessions Supported | Grid Master Capable
---|---|---|---|---|---
Small | 10 | 32 | 32 | For vDCA only: 120,000; for vADP only: 50,000; for vDCA and vADP: 120,000 | No
Medium | 16 | 64 | 40 | For vDCA only: 150,000; for vADP only: 60,000; for vDCA and vADP: 150,000 | No
Large | 26 | 80 | 50 | For vDCA only: 240,000; for vADP only: 80,000; for vDCA and vADP: 240,000 | No
The following table lists the maximum number of concurrent sessions supported by different NIOS appliance models (physical and virtual). For information about CPU and memory requirements, see the NIOS Release Notes.
NIOS Appliance (Physical and Virtual) | Maximum Number of Concurrent Sessions Supported
---|---
IB-14x5 | For vADP only: 50,000
IB-22x5 | For vDCA only: 150,000; for vADP only: 60,000; for vDCA and vADP: 150,000
IB-40x5 | For vDCA only: 240,000; for vADP only: 80,000; for vDCA and vADP: 240,000
Configuration Requirements if Parental Control is Enabled
NIOS appliances require additional memory if you intend to run DNS over TLS and/or DNS over HTTPS at the same time as Parental Control features such as proxy RPZ passthru, DCA subscriber query count logging, and DCA subscriber allowed and blocked listing. The following table lists the base configuration required on IB-FLEX appliances to run these features simultaneously:
IB-FLEX Flavor Configuration | Total CPU | Total System Memory in GB (With virtual DNS Cache Acceleration only) | Total System Memory in GB (With virtual DNS Cache Acceleration and virtual Advanced DNS Protection Software) | Maximum Number of Concurrent Sessions Supported | Grid Master Capable
---|---|---|---|---|---
Medium | 16 | 64 | 64 | For vDCA only: 150,000; for vADP only: 60,000; for vDCA and vADP: 150,000 | No
Medium-Large | 16 | 86 | 86 | For vDCA only: 150,000; for vADP only: 60,000; for vDCA and vADP: 150,000 | No
Large | 26 | 100 | 100 | For vDCA only: 240,000; for vADP only: 80,000; for vDCA and vADP: 240,000 | No
...
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA384
Cipher suites supported for TLS 1.3 are as follows:
...
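The TLS 1.2 suite list above is the server side of the negotiation; a DoT or DoH client (or a forwarder) that has been locked down to a narrow cipher string only connects if at least one of its suites is in that list. The following Python check is an added example, not Infoblox code: it builds a client `ssl.SSLContext` from an OpenSSL cipher string and reports which of the client's TLS 1.2 suites the appliance also supports. The `APPLIANCE_TLS12_SUITES` set is transcribed from the list above; TLS 1.3 suites (OpenSSL names starting with `TLS_`) are negotiated separately and are left out of the comparison.

```python
"""Added example (not Infoblox code): compare a client's enabled TLS 1.2 cipher
suites with the suites the NIOS DoT/DoH service supports (list from this page)."""
import ssl

# TLS 1.2 suites from the page, in OpenSSL naming.
APPLIANCE_TLS12_SUITES = frozenset([
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES256-SHA384",
])


def client_context(cipher_string: str = "DEFAULT") -> ssl.SSLContext:
    """Client context with the given OpenSSL cipher string (affects TLS 1.2 suites only)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if no suite matches
    return ctx


def tls12_overlap(ctx: ssl.SSLContext) -> list:
    """TLS 1.2 suites the client offers that the appliance also supports, in client order."""
    return [c["name"] for c in ctx.get_ciphers() if c["name"] in APPLIANCE_TLS12_SUITES]


def unsupported_by_appliance(ctx: ssl.SSLContext) -> list:
    """TLS 1.2 suites the client offers that the appliance never picks (candidates to trim)."""
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_") and c["name"] not in APPLIANCE_TLS12_SUITES]


if __name__ == "__main__":
    ctx = client_context()
    print("usable with the appliance:", tls12_overlap(ctx))
    print("offered but unsupported:", unsupported_by_appliance(ctx))
```

An empty result from `tls12_overlap` for a given cipher string means a client configured that way cannot complete a TLS 1.2 handshake with the service and would depend on TLS 1.3 being negotiated instead.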
To configure the DNS over TLS feature, complete the following steps:
1. Open the DNS properties editor:
   - Grid member: On the Data Management tab, click the DNS tab -> Members tab, select the member checkbox, and then click the Edit icon.
   - Standalone system: On the Data Management tab, click the DNS tab, expand the Toolbar, and then click System DNS Properties.
2. In the Member DNS Properties editor/System DNS Properties editor, click Toggle Advanced Mode if the editor is in basic mode.
3. On the Queries tab -> Advanced tab, select the Enable DoT Service checkbox to enable the DNS over TLS feature.
   Note: The options for the DNS over TLS feature are displayed only if the appliance has the memory footprint required to support the feature and has the virtual DNS Cache Acceleration or Advanced DNS Protection Software license installed. For more information, see Base Configuration Requirements below.
4. In the Maximum Session Timeout field, specify the maximum time in seconds a session can remain idle before it times out and closes. The default value is 60 seconds.
   If your DNS forwarders are located at different geographical locations or if the network latency is high, you may observe session timeouts. If so, Infoblox recommends that you set the Maximum Session Timeout to more than 60 seconds. Increasing the session duration may affect the number of concurrent open sessions.
5. Save the configuration.
6. As prompted, manually reboot the member to enable the DNS over TLS feature.
Note: The DNS over TLS feature does not take effect until you reboot the member or the standalone system and ensure that either the DNS Cache Acceleration or the Advanced DNS Protection Software service is running after the reboot.
...
DNS over HTTPS
NIOS appliances that support DNS Cache Acceleration or Advanced DNS Protection Software include the DNS over HTTPS capability, which helps increase DNS security and privacy. When you enable the DNS over HTTPS feature, DNS traffic is encrypted through the HTTPS protocol to prevent eavesdropping on and tampering with DNS data. This feature is supported on both recursive and authoritative DNS servers, only through port 443. It is available only for Grid members and standalone systems. The feature supports the processing of multiple DNS queries/responses over a single TCP session.
...
To configure the DNS over HTTPS feature, complete the following steps:
1. Open the DNS properties editor:
   - Grid member: On the Data Management tab, click the DNS tab -> Members tab, select the member checkbox, and then click the Edit icon.
   - Standalone system: On the Data Management tab, click the DNS tab, expand the Toolbar, and then click System DNS Properties.
2. In the Member DNS Properties editor/System DNS Properties editor, click Toggle Advanced Mode if the editor is in basic mode.
3. On the Queries tab -> Advanced tab, select the Enable DoH Service checkbox to enable the DNS over HTTPS feature.
   Note: The options for the DNS over HTTPS feature are displayed only if the appliance has the memory footprint required to support the feature and has the virtual DNS Cache Acceleration or Advanced DNS Protection Software license installed. For more information, see Base Configuration Requirements below.
4. In the Maximum Session Timeout field, specify the maximum time in seconds a session can remain idle before it times out and closes. The default value is 10 seconds.
   If your DNS forwarders are located at different geographical locations or if the network latency is high, you may observe session timeouts. If so, Infoblox recommends that you set the Maximum Session Timeout to more than 10 seconds. Increasing the session duration may affect the number of concurrent open sessions.
5. Save the configuration.
6. As prompted, manually reboot the member to enable the DNS over HTTPS feature.
Note: The DNS over HTTPS feature does not take effect unless you reboot the member or the standalone system and ensure that either the DNS Cache Acceleration or the Advanced DNS Protection Software service is running after the reboot.
...
If you are using the developer version of the Firefox browser to initiate DNS queries, you must configure additional settings in the browser to enable DNS over HTTPS support. Complete the following steps in Firefox to enable DNS over HTTPS and upload certificates:
1. In the Network Settings section, click Settings and complete the following steps to set the Grid IP address as the custom DNS over HTTPS server:
   a. In the Connection Settings dialog box, select the Enable DNS over HTTPS checkbox.
   b. From the Use Provider drop-down list, choose Custom.
   c. In the Custom field, enter the Grid IP address in the format: https://<dns-server>/dns-query
2. Set the network.trr.mode preference in the configuration editor as follows:
   a. Enter about:config in the Firefox address bar.
   b. Click Accept the Risk and Continue to open the configuration editor.
   c. Search for network.trr.mode.
   d. Click the Edit icon and set the value to 3.
3. If you are using a self-signed certificate, complete the following:
   a. From the address bar, open https://<doh_server_IP>.
   b. Accept the certificate.
4. If you are using a CA certificate, complete the following:
   a. Go to Preferences/Options -> Privacy and Security -> View Certificates -> Authorities -> Import.
   b. Choose the certificate.
   c. When prompted, select the Trust this CA to identify websites checkbox, and restart the browser.
Note: For a member with the DNS Cache Acceleration service running and the DNS over HTTPS feature enabled, if you use the developer version of the Firefox browser (configured for DNS over HTTPS support) to initiate DNS queries, you must set the network.trr.disable-ECS preference in the configuration editor (about:config) to false for DNS data to be cached. DNS caching does not work if network.trr.disable-ECS is set to true.
...