The following diagram illustrates BloxOne Universal DDI as the hidden primary master:

[Diagram: BloxOneDDI_Hidden_Primary_Master.drawio]

Universal DDI is the Primary Master

  • The NIOS-X Server (DNS server) transfers a copy of the zone from the Infoblox Portal. Multiple NIOS-X Servers (DNS servers) are available for redundancy.

  • A NIOS-X Physical Server on-prem and a NIOS-X Virtual Server in a customer-managed public cloud are configured as secondary name servers for the zone. Each of these servers transfers a copy of the zone from the NIOS-X Physical Server.

  • A third-party DNS service provides an alternate backup for the zone. The third party pulls a copy of the zone from one of the NIOS-X Servers.

  • Devices on the Internet query all externally available DNS servers serving the target zone. DNS servers in different locations on different platforms provide maximum redundancy and availability.

  • Inbound port 53 requests from the Internet to the NIOS-X Server are blocked. Attempts are still made, because NS records exist for the NIOS-X Servers (they can't be removed).

NIOS-X Server

  • In the DMZ with access to the server only from the NIOS DNS server in the public cloud and the other NIOS DNS servers in the DMZ.

  • Allows zone transfers using a TSIG key.

  • Port 53 is available on the NIOS-X Server only internally (not accessible from the Internet).

  • NS records are auto-generated and cannot be disabled or hidden.


NIOS DNS Servers

  • Universal DDI DNS servers in the DMZ allow zone transfer requests from the third-party DNS provider, authenticated with a TSIG key.

  • Port 53 accessible through the firewall (to NIOS DNS only).

  • The public cloud NIOS DNS server requires a secure connection to the DMZ to pull a zone transfer.

  • Optionally configured with vADP to provide additional protection of DNS services.

  • NS (and possibly A) resource records must be created for each NIOS secondary.
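Every transfer in this design (hidden primary to its on-prem and cloud secondaries, DMZ servers to the third-party provider) is authenticated with a TSIG key. The following Python is an added example, not code from the Infoblox page or product: it builds an AXFR request, signs it with TSIG HMAC-SHA256 as specified in RFC 8945, and verifies it the way the receiving server would, returning the RFC error names (BADKEY, BADSIG, BADTIME). The key name xfer-key.example.net., the secret, and the choice of hmac-sha256 are assumptions; the page only says "TSIG key".

```python
import hashlib
import hmac
import struct
import time

TYPE_TSIG, TYPE_AXFR = 250, 252
CLASS_IN, CLASS_ANY = 1, 255
ALGORITHM = "hmac-sha256."   # RFC 8945 algorithm name, carried as a domain name (assumed here)

def encode_name(name):
    """Uncompressed wire-format name, lower-cased (the canonical form TSIG signs)."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(buf, off):
    """Decode a possibly compressed name; returns (lower-case fqdn, offset after it)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (off if end is None else end)

def build_axfr_query(zone, msg_id):
    """Plain AXFR request: header with QDCOUNT=1 and one question (zone, AXFR, IN)."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN))

def tsig_variables(key_name, time_signed, fudge, error, other):
    """TSIG fields covered by the MAC (RFC 8945 section 4.3.3), in canonical form."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def tsig_sign(message, key_name, secret, time_signed=None, fudge=300):
    """Append a TSIG RR whose MAC covers the whole request plus the TSIG variables."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge, 0, b""),
                   hashlib.sha256).digest()
    rdata = (encode_name(ALGORITHM)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + message[0:2] + struct.pack("!HH", 0, 0))   # original ID, error, other len
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1      # the TSIG RR counts in ARCOUNT
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def tsig_verify(signed, keys, now=None):
    """Verify a signed request as the receiving server would; keys maps 'fqdn.' -> secret.
    Returns (ok, status) using the RFC 8945 error names BADKEY, BADSIG and BADTIME."""
    now = int(time.time()) if now is None else now
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False, "FORMERR"                          # no TSIG RR present at all
    off = 12
    for _ in range(qd):                                  # skip the question section
        _, off = decode_name(signed, off)
        off += 4
    for _ in range(an + ns + ar - 1):                    # skip every RR but the last one
        _, off = decode_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = decode_name(signed, off)
    if struct.unpack("!H", signed[off:off + 2])[0] != TYPE_TSIG:
        return False, "FORMERR"
    alg, off = decode_name(signed, off + 10)
    t_hi, t_lo, fudge, mac_len = struct.unpack("!HIHH", signed[off:off + 10])
    mac = signed[off + 10:off + 10 + mac_len]
    off += 10 + mac_len
    original_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    secret = keys.get(key_name)
    if secret is None or alg != ALGORITHM:
        return False, "BADKEY"                           # unknown key name or algorithm
    # Rebuild what the signer MACed: original ID, ARCOUNT without the TSIG RR, no TSIG RR.
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:tsig_start])
    time_signed = (t_hi << 32) | t_lo
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"                           # wrong secret or altered message
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"                          # replay outside the fudge window
    return True, "NOERROR"
```

The order of checks matters: an unknown key name is rejected before any MAC work, a wrong secret or any altered byte in the request fails the constant-time MAC comparison, and only a request with a valid MAC is checked against the clock, so a captured transfer request cannot be replayed after the fudge window. TSIG proves possession of the shared secret, not where the request came from; the primary still needs its zone-transfer access list to tie the key to the intended secondary, and the secret must be distributed to each secondary out of band.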


Third Party DNS Servers

  • Provide DNS service for redundancy and availability.

  • Reduce the risk that a DDoS attack or a network outage affecting the on-prem DNS servers takes the zone offline.

  • Provides additional scalability.

  • NS resource records must be created for appropriate systems.

NIOS DNS Servers Offer GSLB Responses

  • NIOS DNS servers licensed for DTC may provide rule-based responses for inbound queries.
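The NS requirements stated for the NIOS secondaries and the third-party servers (NS plus glue A records for every published server) combine with the auto-generated NS for the hidden primary that cannot be removed, and the result is easy to get wrong across three platforms. The Python below is an added example rather than anything from the Infoblox page: it parses a small constructed zone and reports which apex NS records are publicly serviceable, which point at the hidden primary (resolvers will try it and be blocked, as the page notes), which in-zone NS names lack glue, which have only RFC 1918 glue, and which planned secondaries have no NS record yet. Every name, address and the hidden-host list are constructed for this example; the documentation prefixes 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 stand in for public addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone for this example; nothing here comes from the Infoblox page.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA  ns1 hostmaster ( 2024061001 3600 900 1209600 300 )
@        IN NS   ns1          ; auto-generated for the hidden primary, cannot be removed
@        IN NS   dmz-ns1
@        IN NS   dmz-ns2      ; NS published, but no A/AAAA glue below
@        IN NS   dmz-ns3
@        IN NS   ns1.thirdparty-dns.example.
ns1      IN A    10.20.0.5    ; hidden primary: inbound 53 blocked at the firewall
dmz-ns1  IN A    198.51.100.11
         IN AAAA 2001:db8:1::11
dmz-ns3  IN A    10.20.0.7    ; glue points at an RFC 1918 address
cloud-ns IN A    203.0.113.20 ; planned public cloud secondary, no NS record yet
www      IN A    198.51.100.50
"""

CLASSES = {"IN", "CH", "HS"}
# Only RFC 1918 / ULA space counts as internal here; ipaddress.is_private would also
# flag the documentation prefixes used above as stand-ins for public addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def qualify(name, origin):
    """'@' or a relative name -> lower-case FQDN under origin; absolute names pass through."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin="."):
    """Minimal RFC 1035 zone parser: one RR per line, $ORIGIN, '@', relative names,
    blank-owner continuation lines, optional TTL/class in either order, ';' comments.
    Returns [(owner, type, rdata_tokens)]; NS targets come back fully qualified."""
    origin = origin.lower()
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        toks = line.split()
        if toks[0] == "$ORIGIN":
            origin = toks[1].lower()
            continue
        if toks[0].startswith("$"):           # $TTL and other directives do not matter here
            continue
        owner = last_owner if line[0] in " \t" else qualify(toks.pop(0), origin)
        last_owner = owner
        while toks and (toks[0].isdigit() or toks[0].upper() in CLASSES):
            toks.pop(0)
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype == "NS":
            rdata = [qualify(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return records

def in_bailiwick(name, origin):
    return name == origin or name.endswith("." + origin)

def audit_delegation(records, origin, hidden_hosts, expected_secondaries):
    """Classify the apex NS set and check that every planned secondary is delegated."""
    origin = origin.lower()
    hidden = {qualify(h, origin) for h in hidden_hosts}
    expected = {qualify(s, origin) for s in expected_secondaries}
    apex_ns = {rd[0] for owner, t, rd in records if owner == origin and t == "NS"}
    glue = defaultdict(set)
    for owner, t, rd in records:
        if t in ("A", "AAAA"):
            glue[owner].add(ipaddress.ip_address(rd[0]))
    report = {"published": [], "hidden_unreachable": [], "missing_glue": [],
              "private_glue": [], "missing_ns": sorted(expected - apex_ns)}
    for ns in sorted(apex_ns):
        addrs = glue.get(ns, set())
        if ns in hidden:
            report["hidden_unreachable"].append(ns)   # queried by resolvers, answered by nobody
        elif in_bailiwick(ns, origin) and not addrs:
            report["missing_glue"].append(ns)         # in-zone NS needs an A/AAAA record
        elif addrs and all(any(a in n for n in INTERNAL_NETS) for a in addrs):
            report["private_glue"].append(ns)         # unreachable from the Internet
        else:
            report["published"].append(ns)
    return report

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(audit_delegation(recs, "example.com.", ["ns1"],
                           ["dmz-ns1", "dmz-ns2", "dmz-ns3", "cloud-ns"]))
```

Run against the zone as exported from any of the secondaries (the hidden primary's NS will always be present in it), with the hidden-host list taken from the design. An out-of-bailiwick NS such as the third-party provider's needs no glue and is reported as published; everything in the other buckets is either a delegation that Internet clients will try and fail (the hidden primary, private glue), or a server that clients will never be sent to (missing NS, missing glue).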