...

To set up encrypted DNS with PowerShell on Windows 11, PowerShell must be run as Administrator, or the commands below will fail. Set the interface's DNS server value first, so that it is already in place when encryption is forced: if encryption is enabled before the DNS value is set, you will have to set the DNS value again manually.

When traffic is sent over DoH, reports in the Infoblox Portal should show the source as "Unknown."

NOTE: To obtain your FQDN, go to the General page of the Create New Security Policy wizard in the Infoblox Cloud Services Portal (Infoblox Cloud Services Portal > Policies Configuration > Security Policies > Create New Security Policy > General). Copy the auto-generated FQDN, or click Regenerate to generate a new one. DoH per Policy must be enabled for the FQDN to be shown. The DoH URL has the format https://FQDN/dns-query.

Step 1: Set the Local DNS

...

The -DohTemplate parameter is the DoH URL for your policy. In the example below, "fc6ca07a-0b03-45fb-9feb-7694b14fb249" is a placeholder; replace it with the FQDN that is unique to your policy.

Code Block
Add-DnsClientDohServerAddress -ServerAddress 52.119.41.200 -DohTemplate https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query 

It produces output like the following (again, "fc6ca07a-0b03-45fb-9feb-7694b14fb249" will be the FQDN unique to your policy). AllowFallbackToUdp is False, so the client will not silently fall back to plaintext UDP DNS if the DoH endpoint is unreachable.

Code Block
ServerAddress  AllowFallbackToUdp AutoUpgrade DohTemplate
-------------  ------------------ ----------- -----------
52.119.41.200  False              False       https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query

...

The output lists every DoH template known to the system. Scroll until you find the entry for 52.119.41.200, the doh.threatdefense.infoblox.com service. As before, "fc6ca07a-0b03-45fb-9feb-7694b14fb249" will be the FQDN unique to your policy.

Code Block
Encryption settings for 52.119.41.200
----------------------------------------
DNS-over-HTTPS template    : https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query
Auto-upgrade               : no
UDP-fallback               : no

The server IP for DoH is 52.119.41.200 or 103.80.6.200. IPv6 DNS is supported, but it is not yet configured for DoH. We encourage you to disable IPv6 on the machine: queries sent to an IPv6 resolver have no DoH template and would leave the host unencrypted.

...

Code Block
# The interface GUID and the Doh subkey name below are this page's example values;
# substitute the ones for your own interface.
$RegistryPath = 'HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{b8c2ef47-639d-4b00-96f4-b8e3c8a30618}\DohInterfaceSettings\Doh\18552.228119.16841.10200'
$Name         = 'DohFlags'
$Value        = 1   # QWORD value 1 enables DoH on this interface
# Create the key if it does not exist
If (-NOT (Test-Path $RegistryPath)) {
  New-Item -Path $RegistryPath -Force | Out-Null
}
# Now set the DohFlags value (created or overwritten because of -Force)
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType QWORD -Force
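The following verification script is added here as an example; it is not part of the original page and is not Infoblox's own code. It assumes the DoH server IP and the example policy FQDN used above (substitute your own), and it must be run as Administrator. It checks that the steps landed consistently: the template is registered for the server with UDP fallback off, every active interface resolves only through the DoH server and has no IPv6 resolvers configured, a Doh subkey with DohFlags = 1 exists under the interface's own GUID, and a name still resolves through the system resolver.

```powershell
# Added example: consistency check for the DoH setup described above (not from the original page).
# Run as Administrator. $DohServer and $Template are the example values from this page; replace
# the FQDN with the one unique to your policy.
$DohServer = '52.119.41.200'
$Template  = 'https://fc6ca07a-0b03-45fb-9feb-7694b14fb249.doh.threatdefense.infoblox.com/dns-query'
$RegBase   = 'HKLM:\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters'

$problems = New-Object System.Collections.Generic.List[string]

# 1. The DoH template must be registered for the server, with UDP fallback off so that an
#    unreachable DoH endpoint cannot turn into plaintext port-53 traffic.
$doh = Get-DnsClientDohServerAddress -ServerAddress $DohServer -ErrorAction SilentlyContinue
if (-not $doh) {
    $problems.Add("No DoH template registered for $DohServer (Add-DnsClientDohServerAddress step missing)")
} else {
    if ($doh.DohTemplate -ne $Template) {
        $problems.Add("Template for $DohServer is '$($doh.DohTemplate)', expected '$Template'")
    }
    if ($doh.AllowFallbackToUdp) {
        $problems.Add("AllowFallbackToUdp is True for $DohServer; plaintext fallback is possible")
    }
}

# 2. Per interface: the IPv4 resolver must be exactly the DoH server, no IPv6 resolvers may be
#    configured (they have no DoH template and would leak queries), and some Doh subkey under
#    the interface's own GUID must carry DohFlags = 1, which is what the registry step writes.
foreach ($nic in Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }) {
    $v4 = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses | Where-Object { $_ })
    $v6 = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv6).ServerAddresses | Where-Object { $_ })

    if ($v4.Count -ne 1 -or $v4[0] -ne $DohServer) {
        $problems.Add("$($nic.Name): IPv4 resolvers are [$($v4 -join ', ')], expected only $DohServer")
    }
    if ($v6.Count -gt 0) {
        $problems.Add("$($nic.Name): IPv6 resolvers [$($v6 -join ', ')] are configured and would bypass DoH")
    }

    $dohKey  = Join-Path $RegBase "$($nic.InterfaceGuid)\DohInterfaceSettings\Doh"
    $enabled = @(Get-ChildItem -Path $dohKey -ErrorAction SilentlyContinue | Where-Object {
        (Get-ItemProperty -Path $_.PSPath -Name DohFlags -ErrorAction SilentlyContinue).DohFlags -eq 1
    })
    if ($enabled.Count -eq 0) {
        $problems.Add("$($nic.Name): no subkey under $dohKey has DohFlags = 1")
    }
}

# 3. Resolution through the system resolver must still work; a failure here usually means the
#    template, the DohFlags key and the interface's DNS server value do not agree with each other.
try {
    $null = Resolve-DnsName -Name 'example.com' -Type A -ErrorAction Stop
} catch {
    $problems.Add("Resolution failed: $($_.Exception.Message)")
}

if ($problems.Count -eq 0) {
    Write-Host 'DoH configuration is consistent on all active interfaces.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it after the registry step. A clean result only shows that the client-side pieces agree with each other; confirm end to end by checking that the report in the Infoblox Portal shows the source as "Unknown", as noted above, which is what a query that arrived over DoH looks like.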

...