If your network infrastructure consists of an on-prem Infoblox Grid, you can select any Grid member to function as a DNS forwarder. Ensure that you configure your firewall to allow that Grid member to communicate with external DNS servers, and enable DNS recursion on the member. Because recursion turns the member into a resolver for every client that can reach it, limit recursive queries to your own client networks rather than exposing an open resolver.

DFP (DNS Forwarding Proxy) on NIOS is the preferred way to send DNS queries to the Infoblox Platform. DFP is a NIOS service and it automatically handles DNS query forwarding. You can start and stop the DFP service just like other NIOS services. You can configure the connection between NIOS and the Infoblox Platform by using the CSP Config tab in the Grid Properties Editor or the Grid Member Properties Editor. For additional information on DFP and how forwarding works, see Enabling a Grid Member to Forward Recursive Queries.

A recursive query requires the appliance to return the requested DNS data, or to locate the data through queries to other servers. When a NIOS appliance receives a query for DNS data it does not have and you have enabled recursive queries, it first sends the query to any specified forwarders. If a forwarder does not respond (and you have disabled the Use Forwarders Only option in the Forwarders tab of the Member DNS Properties editor), the appliance sends a non-recursive query to the specified internal root servers. If no internal root servers are configured, the appliance sends a non-recursive query to the Internet root servers. With Use Forwarders Only enabled, the appliance never falls back to root servers. For information on specifying root name servers, see About Root Name Servers.

You can enable recursion for a Grid, individual Grid members, and DNS views. For information about enabling recursion in a DNS view, see Configuring DNS Views. If you do not enable recursion, the appliance denies recursive queries from all clients.

Warning

On the host, if you have configured delegations in your subzones, ensure that you select the Don't use forwarders to resolve queries in subzones check box when you configure the parent's authoritative zone properties. Otherwise, delegations will not function properly: because forwarding takes precedence over delegation, the query is sent to the Infoblox Platform instead of to the delegated servers. For information about how to configure authoritative zone properties, see Configuring Authoritative Zone Properties. For information about delegations, see About Authority Delegation.
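
The following is an added example, not Infoblox code: a small Python model of the next-hop order a NIOS member follows for a recursive query, per the forwarder, root-server and delegation rules described above and in the warning. It shows why a delegated subzone is swallowed by the forwarder unless the subzone check box is set. All member settings, zone names and addresses are constructed; the behaviour when Use Forwarders Only is on and no forwarder answers is an assumption (the query fails).

```python
# Added example (not Infoblox code): models the order in which a NIOS member
# picks next hops for a recursive query, per the forwarder, root-server and
# delegation rules documented above. All names and addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Two real root-server addresses, used only as the "Internet roots" fallback.
INTERNET_ROOTS = ["198.41.0.4", "199.9.14.201"]


@dataclass
class MemberDns:
    """Subset of Member DNS Properties relevant to next-hop selection."""
    recursion: bool = True
    forwarders: List[str] = field(default_factory=list)
    use_forwarders_only: bool = False          # Forwarders tab option
    internal_roots: List[str] = field(default_factory=list)


@dataclass
class AuthZone:
    """An authoritative zone hosted on the member, with its delegated subzones."""
    name: str
    delegations: Dict[str, List[str]] = field(default_factory=dict)  # subzone -> NS addresses
    no_forwarders_for_subzones: bool = False   # "Don't use forwarders to resolve queries in subzones"


def _in_zone(qname: str, zone: str) -> bool:
    return qname == zone or qname.endswith("." + zone)


def resolution_plan(qname: str, member: MemberDns, zones: List[AuthZone],
                    forwarder_responds: bool = True) -> List[Tuple[str, List[str]]]:
    """Return the ordered (hop, targets) steps the member takes for qname,
    assuming the answer is not already in its cache or zone data."""
    qname = qname.rstrip(".").lower()
    if not member.recursion:
        return [("refused", [])]          # recursive queries denied for all clients

    # Delegation: qname is under a subzone delegated from a zone this member serves.
    for zone in zones:
        if not _in_zone(qname, zone.name):
            continue
        for sub, ns in zone.delegations.items():
            if _in_zone(qname, sub):
                if zone.no_forwarders_for_subzones or not member.forwarders:
                    return [("delegated-ns", list(ns))]
                # Forwarding takes precedence over delegation: fall through to forwarders.

    plan: List[Tuple[str, List[str]]] = []
    if member.forwarders:
        plan.append(("forwarder", list(member.forwarders)))
        if forwarder_responds:
            return plan
        if member.use_forwarders_only:
            # Assumption: no forwarder answer and no other permitted path -> the query fails.
            plan.append(("servfail", []))
            return plan
    if member.internal_roots:
        plan.append(("internal-root", list(member.internal_roots)))
    else:
        plan.append(("internet-root", INTERNET_ROOTS))
    return plan


if __name__ == "__main__":
    member = MemberDns(forwarders=["10.0.0.53"])
    broken = [AuthZone("corp.example", {"lab.corp.example": ["10.9.0.10"]})]
    fixed = [AuthZone("corp.example", {"lab.corp.example": ["10.9.0.10"]},
                      no_forwarders_for_subzones=True)]
    print("check box clear:", resolution_plan("host.lab.corp.example", member, broken))
    print("check box set:  ", resolution_plan("host.lab.corp.example", member, fixed))
```

Run it and compare the two delegation cases: with the check box clear the query for host.lab.corp.example goes to the forwarder (and so to the Infoblox Platform), never to 10.9.0.10.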


Note

If the initial query resolves to a CNAME, BIND resolves the CNAME target as a new query. If that target matches a security policy, the response is based on the security action assigned to that policy, even when the originally queried name itself matched nothing. This is the default behavior for DFP on NIOS and for a Host with DFP+DNS enabled on it.
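
The following is an added example, not Infoblox code, of the CNAME behaviour in the note: a resolver loop that re-checks every name in a CNAME chain against a domain-suffix policy, so a blocked target is caught even when the queried name is allowed. The zone records, the policy feed and the chain limit are constructed for illustration; a real policy would come from Infoblox Threat Defense.

```python
# Added example (not Infoblox code): follow a CNAME chain and apply the
# security policy to every name along the way, as the note above describes.
# Records, policy entries and the chain limit are constructed for this example.

# Constructed zone data: owner name -> (rtype, rdata)
RECORDS = {
    "cdn.example.com.": ("CNAME", "edge.badactor.example."),
    "edge.badactor.example.": ("A", "203.0.113.10"),
    "www.example.com.": ("A", "198.51.100.5"),
    "loop1.example.": ("CNAME", "loop2.example."),
    "loop2.example.": ("CNAME", "loop1.example."),
}

# Constructed policy feed: a suffix match covers the domain and everything below it.
POLICY = {
    "badactor.example.": "BLOCK",
}

MAX_CHAIN = 8  # guard against CNAME loops and runaway chains


def policy_action(name: str) -> str:
    """Return the policy action for name, checking the name and each parent suffix."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in POLICY:
            return POLICY[candidate]
    return "ALLOW"


def resolve(qname: str):
    """Resolve qname through CNAMEs. Returns (action, chain, answer):
    action is the policy action that fired (or ALLOW/NXDOMAIN/SERVFAIL),
    chain is every name checked in order, answer is the final rdata or None."""
    name = qname.lower()
    if not name.endswith("."):
        name += "."
    chain, seen = [], set()
    while len(chain) < MAX_CHAIN:
        if name in seen:
            return "SERVFAIL", chain, None      # CNAME loop
        seen.add(name)
        chain.append(name)
        action = policy_action(name)            # policy applies at every hop
        if action != "ALLOW":
            return action, chain, None
        rec = RECORDS.get(name)
        if rec is None:
            return "NXDOMAIN", chain, None
        rtype, rdata = rec
        if rtype != "CNAME":
            return "ALLOW", chain, rdata
        name = rdata                            # re-resolve the CNAME target
    return "SERVFAIL", chain, None              # chain too long


if __name__ == "__main__":
    for q in ("cdn.example.com", "www.example.com", "loop1.example"):
        print(q, "->", resolve(q))
```

The queried name cdn.example.com is not on the policy, but its CNAME target is, so the answer is the BLOCK action rather than the A record.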

...

  • Enabling a Grid Member to Forward Recursive Queries to Infoblox Threat Defense Using DFP

DFP is a NIOS service which automatically handles DNS query forwarding. You can start and stop the DFP service just like other NIOS services. You can configure the connection between NIOS and the Infoblox Portal by using the CSP Config tab in the Grid Properties Editor or the Grid Member Properties Editor. To enable a Grid member to forward recursive queries to Infoblox Threat Defense, see Enabling a Grid Member to Forward Recursive Queries Using DFP.

...

To enable recursion on the Grid or member in NIOS 8.5, see Enabling Recursive Queries in NIOS 8.5.

DNS Fallback

Infoblox strongly recommends that you configure DNS fallback. For information, see Using DNS Fallback.

Deployment of Multiple DFPs

...

To see the end client IP address in the DFP reports, make sure that Add client IP, MAC addresses, and DNS View name to outgoing recursive queries or Copy client IP, MAC addresses, and DNS View name to outgoing recursive queries is checked, depending on the DNS infrastructure: Add applies on the member that receives the client's query directly, and Copy applies on a member that receives the query from another NIOS member that has already inserted the information. For information, see Using Forwarders in the NIOS 9.0 documentation.

Note

In some scenarios the end client IP address may not be visible, for example when Fault Tolerant Caching is enabled in NIOS or for prefetch queries, because the query that reaches DFP is generated by the appliance itself rather than triggered by a specific client.


DNSSEC

DFP does not work with DNSSEC when a request is redirected by Infoblox Threat Defense: the substituted answer cannot validate against the zone's signatures, so a validating resolver would reject it.

If you are running DFP on NIOS, you must disable DNSSEC validation on the NIOS member. DNSSEC validation is performed by Infoblox Threat Defense regardless of whether the query comes from DFP on NIOS, Universal DDI, a standalone source, or an Infoblox Threat Defense endpoint, or is forwarded from a third-party DNS server. Even if you disable DNSSEC validation on the member, validation still takes place in Infoblox Threat Defense. For more information, see Using Forwarders.

To enable DFP to work with DNSSEC when a request is redirected by Infoblox Threat Defense, see Enabling DNS Forwarding Proxy to Work with DNSSEC.