
The following diagram illustrates BloxOne DDI as the hidden primary master:

BloxOne DDI is the Primary Master

  • The BloxOne DNS server transfers a copy of the zone from the CSP (Cloud Services Portal). Multiple BloxOne DNS servers are available for redundancy.

  • NIOS DNS servers on-prem and in a customer-managed public cloud are configured as secondary name servers for the zone. Each of these servers transfers a copy of the zone from the on-prem BloxOne DNS server.

  • A third-party hosted DNS service provides an alternate backup for the zone. The third party pulls a copy of the zone from one of the NIOS DNS servers.

  • Devices on the Internet query all externally available DNS servers hosting the target zone. DNS servers in different locations and on different platforms provide maximum redundancy and availability.

  • Inbound port 53 requests to the BloxOne DNS servers are blocked. Such attempts still occur because NS records for the BloxOne DNS servers exist in the zone (they cannot be removed).

BloxOne DNS Server

  • Sits in the DMZ; access to the server is allowed only from the NIOS DNS server in the public cloud and from the other NIOS DNS servers in the DMZ.

  • Allows zone transfers using a TSIG key.

  • Port 53 is available only on the host (not accessible externally).

  • NS records are auto-generated and cannot be disabled or hidden.

NIOS DNS Servers

  • NIOS DNS servers in the DMZ allow zone transfers to the third-party DNS provider, authenticated with a TSIG key.

  • Port 53 is accessible through the firewall (to the NIOS DNS servers only).

  • The public-cloud NIOS DNS server requires a secure connection to the DMZ to pull a zone transfer.

  • Optionally configured with vADP to provide additional protection of DNS services.

  • NS (and possibly A) resource records must be created for each NIOS secondary.

Third Party DNS Servers

  • Provide DNS service for redundancy and availability.

  • Reduce the risk that DDoS attacks or network outages against the on-prem DNS servers disrupt service.

  • Provide additional scalability.

  • NS resource records must be created for the appropriate third-party systems.

NIOS DNS Servers Offer GSLB Responses

  • NIOS DNS servers licensed for DTC may provide rule-based responses for inbound queries.
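The NS-record requirements above (BloxOne NS records that cannot be removed, one NS plus A record per NIOS secondary, NS records for the third-party systems) are easy to get wrong by hand. The following added example, which is not Infoblox code or part of the original page, audits a constructed inventory of that layout: it flags a hidden primary delegated at the parent, a NIOS secondary missing its NS record, and in-bailiwick NS targets missing an A record. All hostnames are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Server:
    name: str            # NS target hostname (FQDN without trailing dot)
    role: str            # "bloxone" (hidden primary), "nios", or "third_party"
    public_port53: bool  # True when the Internet can reach port 53 on it

def check_delegation(zone, servers, apex_ns, parent_ns, a_records):
    """Audit the NS layout; returns findings (empty list = matches the design).
    apex_ns: NS targets in the zone (BloxOne's auto-generated ones included);
    parent_ns: NS targets delegated at the parent/registrar;
    a_records: owner names with an A record in the zone (glue for in-bailiwick NS)."""
    by_name = {s.name: s for s in servers}
    findings = []
    for name in sorted(parent_ns):
        srv = by_name.get(name)
        if srv is None:
            findings.append(f"{name}: delegated at parent but not in the server inventory")
        elif srv.role == "bloxone":
            findings.append(f"{name}: hidden primary must not appear in the parent delegation")
        elif not srv.public_port53:
            findings.append(f"{name}: delegated at parent but port 53 is not Internet-reachable")
    for srv in servers:
        # The design requires an NS record per NIOS secondary; BloxOne's are automatic.
        if srv.role == "nios" and srv.name not in apex_ns:
            findings.append(f"{srv.name}: NIOS secondary has no NS record in the zone")
    for name in sorted(apex_ns | parent_ns):
        # In-bailiwick NS targets need an A record, or resolvers cannot reach them.
        if name.endswith("." + zone) and name not in a_records:
            findings.append(f"{name}: in-bailiwick NS target has no A record")
    return findings

# Constructed sample inventory (hypothetical names, not from any real deployment).
ZONE = "example.com"
SERVERS = [
    Server("b1.example.com", "bloxone", public_port53=False),
    Server("ns1.example.com", "nios", public_port53=True),
    Server("ns2.example.com", "nios", public_port53=True),
    Server("ns1.dnsprovider.test", "third_party", public_port53=True),
]
APEX_NS = {"b1.example.com", "ns1.example.com", "ns2.example.com", "ns1.dnsprovider.test"}
PARENT_NS = {"ns1.example.com", "ns2.example.com", "ns1.dnsprovider.test"}
A_RECORDS = {"b1.example.com", "ns1.example.com", "ns2.example.com"}

if __name__ == "__main__":
    for finding in check_delegation(ZONE, SERVERS, APEX_NS, PARENT_NS, A_RECORDS) or ["OK"]:
        print(finding)
```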
