
Creating DNS Config Profiles

Note

The values for the DNS Config profiles are inherited from the Global DNS Configuration. To override the values, slide the Inherit toggle to Override. For additional information on inheritance, see DNS Inheritance.

To configure a DNS config profile, complete the following:

  1. From the Infoblox Portal, click Configure > Networking > DNS > DNS Config Profiles, and then click Create DNS Config Profile.
  2. On the Create DNS Config Profile page, specify the following:
    • Name: Enter a name for the DNS config profile.
    • Description: Enter additional details about the DNS config profile.
  3. Tags: For information about tags, see Managing Tags.
  4. In the ALLOW QUERIES FROM section, click Add to add or click Remove to remove the entries. Select one of the following from the TYPE drop-down list:   
    • Any Address/Network: Select this option to allow or deny queries from any IP address or network. With Allow, the application replies to queries from all clients. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.
    • IPv4 Address: Select this option to add an IPv4 address. Click the VALUE field and enter the IP address of the client from which the query originates. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.
    • IPv4 Network: Select this option to add a network to the list. Click the VALUE field and enter an IPv4 network address and type a netmask. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.

    • Named ACL: Select this option to add a named ACL that you want to use. Click the VALUE field and the list of named ACLs is displayed. If you only have one named ACL, the application displays it automatically. When you select this, the application replies to DNS queries from clients matching the ACL. You can click Clear to remove the selected named ACL.

    • TSIG Key: Select an existing TSIG. For more information, see Configuring TSIG Keys.
  5. In the ACCEPT ZONE TRANSFER REQUESTS FROM section, click Add to add or click Remove to remove the entries. Select one of the following from the TYPE drop-down list:
    • Any Address/Network: Select this option to allow or deny the application to send zone transfers to any IP address or network. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.
    • IPv4 Address: Select this option to add an IPv4 address. Click the VALUE field and enter the IP address of the remote server. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.

    • IPv4 Network: Select this option to add an IPv4 network address to the list. Click the VALUE field and enter an IPv4 network address and type a netmask. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.

    • Named ACL: Select this option to add a named ACL. Click the VALUE field and the list of named ACLs is displayed. If you have only one named ACL, it is displayed automatically. When you select this, the application allows servers that have the Allow permission to send and receive DNS zone transfer data. You can click Clear to remove the selected named ACL.

    • TSIG Key: Select an existing TSIG. For more information, see Configuring TSIG Keys.
  6. In the DNS Sort Lists section, create DNS sort lists to prioritize A and AAAA records on certain networks when they are returned in DNS responses. For more information, see DNS Sort Lists.
  7. In the ALLOW DYNAMIC UPDATES FROM section, click Add to add or click Remove to remove the entries. Select one of the following from the TYPE drop-down list:
    • Any Address/Network: Select this option to allow or deny dynamic updates from any IP address or network. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list. Leaving this entry at Allow lets any host that can reach the server modify zone data; restrict updates to the addresses that need them or, preferably, to a TSIG or GSS-TSIG key.
    • IPv4 Address: Select this option to add an IPv4 address. Click the VALUE field and enter the IP address of the client that sends the updates. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.

    • IPv4 Network: Select this option to add an IPv4 network address to the list. Click the VALUE field and enter an IPv4 network address and type a netmask. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.

    • Named ACL: Select this option to add a named ACL. Click the VALUE field and the list of named ACLs is displayed. If you have only one named ACL, it is displayed automatically. When you select this, the application accepts dynamic updates from clients that match the ACL and have the Allow permission. You can click Clear to remove the selected named ACL.

    • TSIG Key: Select an existing TSIG key. For more information, see Configuring TSIG Keys.
  8. To accept GSS-TSIG–signed dynamic updates, specify the following:
    • Allow GSS-TSIG–signed updates: To allow GSS-TSIG–signed updates, select this checkbox. GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is used to authenticate DDNS updates. For more information, see Configuring GSS-TSIG.
    • In the GSS-TSIG CONFIGURATION section, choose one of the following options:
      • New GSS-TSIG Keytab File: Click Select File, find the keytab file, and click Add.
      • Existing GSS-TSIG Keytab File: Select the keytab file from the drop-down, and click Add. The following read-only information is shown:
        • PRINCIPAL: The principal name that is mapped to the keytab file
        • DOMAIN: The name of the domain that is mapped to the keytab file

        • VERSION: The version of the keytab file

        • ENCRYPTION TYPE: The encryption type of the key

        • LAST UPDATED: The timestamp of the key's last upload 
  9. In the Recursion section, click Allow recursion to enable recursion, and specify the following:
    • Resolver query timeout: Specify the maximum time a recursive query waits for a response before timing out. You can enter a value between 10 and 30 seconds. The default value is 10 seconds. If you set a value lower than 10 seconds, it is automatically reset to 10 seconds.

    • Lame TTL: Specify the duration of time to cache a lame delegation or lame server. Select the period in seconds, minutes, or hours from the drop-down list. The default value is 600 seconds (ten minutes) and the maximum value is 3600 seconds (one hour). The value 0 (zero) disables lame caching and is not recommended.

    • Max Cache TTL: Specify the maximum duration of time for which the name server caches positive responses. Select the period in seconds, minutes, hours, days, or weeks from the drop-down list. The minimum value is 1 second and the maximum value is 604800 seconds (7 days). The default value is 604800 seconds (7 days).

    • Max Negative Cache TTL: Specify the maximum duration of time for which the name server caches negative responses. Select the period in seconds, minutes, hours, days, or weeks from the drop-down list. The default value is 10800 seconds (3 hours), the minimum value is 1 second and the maximum value is 604800 seconds (7 days).

  10. In the Logging section, select the Enable query/response logging check box to enable logging, or clear it to disable logging. The check box is selected by default. The DNS query and response logs can be retrieved through the Data Connector.
  11. In the ALLOW RECURSIVE QUERIES FROM section, click Add to add or click Remove to remove the entries. Select one of the following from the TYPE drop-down list:
    • Any Address/Network: Select this option to allow or deny recursive queries from any IP address or network. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list. Do not leave this at Allow on a server reachable from the Internet: an open recursive resolver can be abused for DNS amplification attacks against third parties and exposes its cache to poisoning attempts from anyone.
    • IPv4 Address: Select this option to add an IPv4 address. Click the VALUE field and enter the IP address of the remote clients. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.

    • IPv4 Network: Select this option to add an IPv4 network address to the list. Click the VALUE field and enter an IPv4 network address and type a netmask. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.

    • Named ACL: Select this option to add a named ACL. Click the VALUE field and the list of named ACLs is displayed. If you have only one named ACL, it is displayed automatically. When you select this option, the application allows clients that match the ACL with the Allow permission to perform recursive queries.

    • TSIG Key: Select an existing TSIG. For more information, see Configuring TSIG Keys.
  12. In the ROOT NAME SERVERS section, select one of the following options:
    • Use Internet root name servers: This option is selected by default.
    • Use custom root name servers: Select this option to use custom root name servers instead of the default name servers. Click Add and enter the following information when a new row appears:

      • Name: Enter a name for the root name server.
      • Address: Enter an IPv4 address for the root name server.
  13. In the FORWARDERS section, click Add and enter an IP address in the ADDRESS column; only IPv4 addresses are supported. To remove a forwarder, select its check box and click Remove.
  14. Select the Enable DNSSEC check box and complete the following:
    • Enable Validation: If you allow the application to respond to recursive queries, you can select this check box to enable the application to validate responses to recursive queries for domains that you specify.

    • Accept expired signature: Click this check box to enable the application to accept responses with signatures that have expired. Though enabling this feature might be necessary to work temporarily with zones that have not had their signatures updated in a timely fashion, note that it could also increase the vulnerability of your network to replay attacks.

    • TRUST ANCHORS: Configure the DNSKEY record that holds the KSK as a trust anchor for each zone for which the application returns validated data. Click Add and complete the following:

      • ZONE: Enter the FQDN of the domain for which the application validates responses to recursive queries.
      • SECURE ENTRY POINT (SEP): This check box is enabled by default to indicate that you are configuring a KSK.
      • ALGORITHM TYPE: Select the algorithm of the DNSKEY record:
        • RSAMD5
        • Diffie-Hellman (This is not supported by BIND and Infoblox Universal DDI.)
        • DSA
        • RSASHA1
        • DSA-NSEC3-SHA1
        • RSASHA1-NSEC3-SHA1
        • RSASHA-256
        • RSASHA-512
        • ECDSAP256SHA256
        • ECDSAP384SHA384
      • PUBLIC KEY: Paste the key into this text box. You can use either of the following commands to retrieve the key:
        • dig . dnskey +multiline: This command retrieves the root zone DNSKEY records. The root KSK (the DNSKEY record with flags 257) is the only trust anchor you require for full chain-of-trust validation.
        • dig [@server_address] <zone> dnskey +multiline +dnssec: This command retrieves the public keys of the zone you specify from the given server and can be used if the parent zone is not signed. Note that a key obtained this way is only as trustworthy as the path to that server: cross-validate it against other servers (or, for the root, against the DS digest IANA publishes) to ensure you have an identical key before configuring it as a trust anchor. As an alternative, you can use http://data.iana.org/root-anchors/ to retrieve the root trust anchor, which IANA publishes as an XML file (root-anchors.xml) with a detached PKCS#7 signature (root-anchors.p7s). For more information, refer to https://data.iana.org/root-anchors/old/2015-04-03/draft-icann-dnssec-trust-anchor.txt.

  15. In the Server section, complete the following:
    • Query Port: The source port for outbound DNS queries. When you set this port to 0, the server uses a random available port for each outbound query. The default value is 0. Keep the default unless a firewall forces a fixed port: source port randomization is one of the main defenses against cache poisoning, and a fixed query port removes it, leaving only the 16-bit transaction ID for an attacker to guess.
    • Secondary AXFR query limit: The maximum number of inbound full zone transfers (AXFR) that this server, acting as a secondary, runs concurrently. The default value is 0. The minimum value is 0 and the maximum value is 65535. When you set the value to 0, the server uses a NIOS-X Server-dependent default value.

    • Secondary SOA query limit: The maximum number of concurrent SOA queries this server, acting as a secondary, sends to its primaries to check whether the zone serial numbers have changed. The default value is 0, which uses a NIOS-X Server-dependent default value; explicit limits range from 1 to 65535.
  16. In the EDNS Client Subnet Configuration section, complete the following:

    • Enable Recursive EDNS Client Subnet: Select this check box to enable recursive resolution using EDNS client subnet (ECS, RFC 7871). This is disabled by default. If recursive EDNS client subnet is enabled, the application applies EDNS client subnet handling only to queries that meet both of the following criteria:
      • The source prefix length is not zero.

      • The query name falls under a zone listed with the Allow permission in QUERY ZONE PERMISSIONS.

    • Enable EDNS Client Subnet Forwarding: Select this check box to enable EDNS client subnet forwarding. If you enable ECS forwarding, the client subnet option carried by any incoming query that contains a valid one is forwarded to the authoritative server.

      • QUERY ZONE PERMISSIONS: Click Add to add a query zone name that is subject to ECS recursion and the corresponding permission. The application adds a row to the table. Complete the following:
        • Zone: Enter the zone name.
        • Permission: Select Allow or Deny from the drop-down list.
      • IPv4 Source Prefix: Specify the IPv4 source prefix length. You can enter a value between 1 and 24. The default value is 24.
      • IPv6 Source Prefix: Specify the IPv6 source prefix length. You can enter a value between 1 and 56. The default value is 56.
      ECS discloses part of each client's address to authoritative servers. The defaults (/24 and /56) are the maximum prefix lengths RFC 7871 recommends; shorter prefixes disclose less about the client and are preferable where the authoritative servers do not need finer granularity.
  17. In the Zone Settings Defaults section, the Use default forwarders to resolve queries for delegated subzones check box is selected by default. Select this check box to use the default forwarders to resolve queries for delegated subzones. Clear the check box to create custom forwarders to resolve queries for delegated subzones.  
  18. Click Save & Close to save.
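The Allow/Deny lists in steps 4, 5, 7 and 11 all have the same shape, and the page does not say how an entry is chosen when several apply. The following is an added example, not Infoblox code, that evaluates such a list under the assumptions stated in its comments (top-to-bottom, first match wins, as in BIND address match lists; no match means Deny; a Named ACL entry matches when any entry of the named list matches and then takes the outer row's PERMISSION). The named ACL "secondaries", the TSIG key name "xfer-key" and the address lists are constructed for the example. It also flags "dead" rows, the common mistake of placing an Any Address/Network: Allow row above the Deny rows it was meant to be limited by.

```python
# Added example (not Infoblox code): how an Allow/Deny address match list of the
# kind configured in steps 4, 5, 7 and 11 is evaluated, and why entry order matters.
# Assumptions (the page does not state them): entries are evaluated top to bottom
# and the first matching entry decides, as in BIND address match lists; a client
# that matches no entry is denied; a Named ACL entry matches when any entry of
# the named list matches, and the outer entry's PERMISSION then applies.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Entry:
    type: str                  # "any", "ipv4", "ipv4net", "named_acl" or "tsig_key"
    value: str = ""            # address, network/prefix, named ACL name or TSIG key name
    permission: str = "Allow"  # "Allow" or "Deny", as in the PERMISSION column


# Constructed lookup table standing in for the portal's named ACLs.
NAMED_ACLS: Dict[str, List[Entry]] = {
    "secondaries": [Entry("ipv4", "192.0.2.10"), Entry("ipv4", "192.0.2.11")],
}


def entry_matches(e: Entry, src: ipaddress.IPv4Address, tsig_key: Optional[str]) -> bool:
    """True if the entry applies to this source address / signing key."""
    if e.type == "any":
        return True
    if e.type == "ipv4":
        return src == ipaddress.ip_address(e.value)
    if e.type == "ipv4net":
        return src in ipaddress.ip_network(e.value, strict=False)
    if e.type == "tsig_key":
        return tsig_key is not None and tsig_key == e.value
    if e.type == "named_acl":
        return any(entry_matches(n, src, tsig_key) for n in NAMED_ACLS[e.value])
    raise ValueError(f"unknown entry type {e.type!r}")


def evaluate(acl: List[Entry], src_ip: str, tsig_key: Optional[str] = None) -> str:
    """Verdict ('Allow' or 'Deny') for a request from src_ip, optionally TSIG-signed."""
    src = ipaddress.ip_address(src_ip)
    for e in acl:
        if entry_matches(e, src, tsig_key):
            return e.permission
    return "Deny"  # assumption: no match means deny


def shadowed_entries(acl: List[Entry]) -> List[int]:
    """Indices of entries that can never be reached because an earlier entry
    already matches every address they cover (an 'any' entry, the same address,
    or a covering network)."""
    shadowed = []
    for i, e in enumerate(acl):
        for j in range(i):
            p = acl[j]
            if p.type == "any":
                shadowed.append(i)
                break
            if e.type in ("ipv4", "ipv4net") and p.type in ("ipv4", "ipv4net"):
                cur = ipaddress.ip_network(e.value, strict=False)
                prev = ipaddress.ip_network(p.value, strict=False)
                if cur.subnet_of(prev):
                    shadowed.append(i)
                    break
    return shadowed


# Constructed ACCEPT ZONE TRANSFER REQUESTS FROM lists. In MISORDERED the
# "Any Address/Network: Allow" row comes first, so the Deny row and the named
# ACL below it are dead entries and every host may pull the zone.
MISORDERED = [
    Entry("any", permission="Allow"),
    Entry("ipv4net", "198.51.100.0/24", "Deny"),
    Entry("named_acl", "secondaries", "Allow"),
]
CORRECTED = [
    Entry("ipv4net", "198.51.100.0/24", "Deny"),
    Entry("named_acl", "secondaries", "Allow"),
    Entry("tsig_key", "xfer-key", "Allow"),   # hypothetical key name
]

if __name__ == "__main__":
    for name, acl in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, "198.51.100.7 ->", evaluate(acl, "198.51.100.7"),
              "| dead entries:", shadowed_entries(acl))
```

Run it once against each list you configure: any index reported by shadowed_entries is a row the server will never consult, and a verdict of Allow for an address you meant to exclude means the Any Address/Network row needs to move below the Deny rows.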
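Step 14 tells you to cross-validate a DNSKEY fetched with dig before pasting it into TRUST ANCHORS. The following is an added example, not Infoblox code, that does that check offline: it parses the record as dig prints it (one-line or +multiline), computes the RFC 4034 key tag and the SHA-256 DS digest, and compares them with an expected DS record, including the SEP bit check that corresponds to the SECURE ENTRY POINT checkbox. The IANA_ROOT_DS constant is the root KSK DS record as published by IANA (re-check it at the root-anchors URL above); SAMPLE_DNSKEY is a constructed, deliberately tiny fake key used only so the code runs without network access.

```python
# Added example (not Infoblox code): check a DNSKEY obtained with
# `dig . dnskey +multiline` against the DS record IANA publishes before pasting
# the key into TRUST ANCHORS. Key tag per RFC 4034 Appendix B, DS digest per
# RFC 4034 section 5.1.4 (digest type 2 = SHA-256).
import base64
import hashlib
import struct
from typing import Tuple

# Root KSK DS as published at https://data.iana.org/root-anchors/root-anchors.xml
# (key tag, algorithm, digest type, digest). Re-check it there before relying on it.
IANA_ROOT_DS = (20326, 8, 2,
                "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name; '.' becomes a single zero byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey_text(text: str) -> Tuple[str, int, int, int, bytes]:
    """Parse one DNSKEY record from dig output (one-line or +multiline form):
    ';' comments and the '(' ')' continuation markers are dropped, the base64
    fragments are joined. Returns (owner, flags, protocol, algorithm, pubkey)."""
    tokens = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].replace("(", " ").replace(")", " ")
        tokens.extend(line.split())
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return tokens[0], flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(flags: int, proto: int, alg: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag (the 'key id' dig prints in its comment)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, proto, alg, pubkey)):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, flags: int, proto: int, alg: int, pubkey: bytes) -> str:
    """Digest field of a type-2 DS record: SHA-256(owner wire form || DNSKEY RDATA)."""
    data = name_to_wire(owner) + dnskey_rdata(flags, proto, alg, pubkey)
    return hashlib.sha256(data).hexdigest().upper()


def matches_ds(dnskey_text: str, ds: Tuple[int, int, int, str]) -> bool:
    """True only if the DNSKEY has the SEP bit set (it is a KSK) and its key tag,
    algorithm and SHA-256 digest all equal the expected DS record."""
    owner, flags, proto, alg, pubkey = parse_dnskey_text(dnskey_text)
    tag, ds_alg, digest_type, digest = ds
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) DS records are handled here")
    return ((flags & 0x0001) == 1
            and alg == ds_alg
            and key_tag(flags, proto, alg, pubkey) == tag
            and ds_digest_sha256(owner, flags, proto, alg, pubkey) == digest.upper())


# Constructed sample: a tiny fake KSK (flags 257 = zone key + SEP), not a real key,
# laid out the way dig +multiline prints a record.
SAMPLE_DNSKEY = """example.test. 3600 IN DNSKEY 257 3 8 (
        AAEC Aw==
        ) ; KSK; alg = RSASHA256 ; key id = 1549"""

if __name__ == "__main__":
    owner, flags, proto, alg, pubkey = parse_dnskey_text(SAMPLE_DNSKEY)
    print("key tag", key_tag(flags, proto, alg, pubkey))
    print("DS digest", ds_digest_sha256(owner, flags, proto, alg, pubkey))
    print("is the IANA root KSK?", matches_ds(SAMPLE_DNSKEY, IANA_ROOT_DS))
```

For real use, paste the flags-257 record from `dig . dnskey +multiline` into matches_ds with IANA_ROOT_DS; only a key that returns True should go into the PUBLIC KEY field. The same functions work for a non-root zone when you supply the DS record from its parent or from an out-of-band source.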
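The EDNS Client Subnet settings in step 16 decide how much of each client's address leaves your resolver. The following is an added example, not Infoblox code, that builds the RFC 7871 option a resolver sends upstream for a given client and source prefix length, and applies the two gating criteria from that step. The zone permission table and client addresses are constructed; the rule that the most specific QUERY ZONE PERMISSIONS row wins when several cover a name is an assumption, as the page does not state it.

```python
# Added example (not Infoblox code): the EDNS Client Subnet option (RFC 7871,
# option code 8) a resolver with "Enable Recursive EDNS Client Subnet" adds to
# its upstream query, built from the client address and the configured IPv4/IPv6
# source prefix lengths, gated by the two criteria the page lists. Assumption:
# when several QUERY ZONE PERMISSIONS rows cover a name, the most specific zone wins.
import ipaddress
import struct
from typing import Dict, Optional

ECS_OPTION_CODE = 8


def build_ecs_option(client_ip: str, ipv4_prefix: int = 24, ipv6_prefix: int = 56) -> bytes:
    """EDNS0 option: code, length, FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH
    (0 in a query), then only the address bytes the prefix covers, host bits zeroed."""
    ip = ipaddress.ip_address(client_ip)
    family, prefix = (1, ipv4_prefix) if ip.version == 4 else (2, ipv6_prefix)
    if not 1 <= prefix <= ip.max_prefixlen:
        raise ValueError("source prefix length must be between 1 and the address length")
    truncated = ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address.packed
    payload = struct.pack("!HBB", family, prefix, 0) + truncated[:(prefix + 7) // 8]
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def zone_permission(qname: str, zone_permissions: Dict[str, str]) -> Optional[str]:
    """Permission of the most specific QUERY ZONE PERMISSIONS row covering qname."""
    q = qname.lower().rstrip(".")
    best = None
    for zone, perm in zone_permissions.items():
        z = zone.lower().rstrip(".")
        if (q == z or q.endswith("." + z)) and (best is None or len(z) > len(best[0])):
            best = (z, perm)
    return best[1] if best else None


def ecs_option_for_query(client_ip: str, qname: str, zone_permissions: Dict[str, str],
                         ipv4_prefix: int = 24, ipv6_prefix: int = 56) -> Optional[bytes]:
    """None when ECS handling does not apply: a zero source prefix (which RFC 7871
    uses as the 'do not use ECS' signal) or a name outside the allowed zones."""
    ip = ipaddress.ip_address(client_ip)
    prefix = ipv4_prefix if ip.version == 4 else ipv6_prefix
    if prefix == 0 or zone_permission(qname, zone_permissions) != "Allow":
        return None
    return build_ecs_option(client_ip, ipv4_prefix, ipv6_prefix)


# Constructed sample table and clients.
ZONE_PERMISSIONS = {"example.com": "Allow", "corp.example.com": "Deny"}

if __name__ == "__main__":
    for client, qname in (("203.0.113.77", "www.example.com"),
                          ("203.0.113.77", "intranet.corp.example.com"),
                          ("2001:db8:1234:5678:abcd::1", "www.example.com")):
        opt = ecs_option_for_query(client, qname, ZONE_PERMISSIONS)
        print(client, qname, "->", opt.hex() if opt else "no ECS option")
```

Compare the bytes for a /24 and a /20 prefix on the same client: the authoritative server receives 203.0.113.0 in the first case and 203.0.112.0 in the second, which is the concrete difference the IPv4 Source Prefix setting makes to what is disclosed about each client.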