
Controlling DNS Queries

By default, Universal DDI responds to DNS queries from any IP address. You can create a list of sources to which Universal DDI is allowed to respond, or restrict it from responding to queries from certain IP addresses, networks, or remote servers.

You can also choose to disable the return of minimal responses, and to allow or deny permission to transfer data to certain servers.

Specifying Minimal Responses

By default, Universal DDI returns a minimal amount of data in response to a query: it includes records in the authority and additional data sections of its response only when required, such as in negative responses. This speeds up the DNS responses the application provides.

To disable returning minimal responses, complete the following:

  1. From the Infoblox Portal, click Configure > Networking > DNS, and click Global DNS Configuration.
  2. On the Global DNS Configuration page, click Queries.
  3. Clear the Send Minimal Responses check box. 
  4. Click Save & Close to save.

A/AAAA record from HTTPS (Hypertext Transfer Protocol Secure) record using Service Binding (SVCB)

Universal DDI supports the ability to create and manage SVCB and HTTPS resource records in DNS. These records can be placed at the apex of a zone allowing for the aliasing of a server pool. Currently, only the AliasMode of these types of records can be created.

This aliasing is useful in many situations, but CNAME records cannot be used at what is called a zone apex (the alias name being the zone name itself). This is because the protocol standard prohibits a CNAME from coexisting with other record types at the same name, while a zone apex must have at least NS and SOA records. The HTTPS resource record is a newer solution that specifies a target (an alternative endpoint) specifically for the HTTPS (Hypertext Transfer Protocol Secure) service. By limiting the applicable service, it allows an alias even at a zone apex. The SVCB resource record is the more general form of HTTPS, but it is not yet widely used in practice.

Some HTTPS clients already support the HTTPS resource record. They query for HTTPS records corresponding to the URL they are accessing, and can follow the alias target by themselves. Not all clients behave this way yet, however. To support such legacy clients, Universal DDI can dynamically synthesize A or AAAA resource records from an HTTPS record while processing A or AAAA queries.

To synthesize A/AAAA records from HTTPS records, complete the following:

  1. From the Infoblox Portal, click Configure > Networking > DNS, and click Global DNS Configuration.
  2. On the Global DNS Configuration page, click Queries.
  3. Select the Synthesize A/AAAA record from HTTPS records check box. 
  4. Click Save & Close to save.

With this enabled, if the example.com zone has the following HTTPS record (but no A or AAAA records at the zone apex):

example.com. 7200 IN HTTPS 0 cdn.example.net.

And if the example.net zone has the following CNAME chain (a common setup for CDNs):

cdn.example.net. 300 IN CNAME cname.example.net.
cname.example.net. 300 IN A 192.0.2.1

Then a type-A query for example.com is answered with the following A record:

example.com. 300 IN A 192.0.2.1

This is as if the example.com. zone has this A record at its zone apex.
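The synthesis just described, as an added example that is not Infoblox or Universal DDI code: a small resolver function answers an A/AAAA query from an HTTPS AliasMode record when the queried name has no address records of its own, following the target through the CNAME chain. The zone data is constructed to match the records quoted above. Three details are my assumptions rather than statements on the page: the chain is followed only to a fixed depth (so a CNAME loop cannot hang the lookup), a ServiceMode record (priority greater than 0) or a "." target is never aliased, and the synthesized TTL is the smallest TTL seen along the chain, which is how 7200/300/300 yields the 300 shown in the text.

```python
# Added example (not Infoblox or Universal DDI code): a small resolver
# function that answers an A/AAAA query by synthesizing from an HTTPS
# AliasMode record when the queried name has no address records itself.
# Assumptions (mine, not stated on the page): the HTTPS target is followed
# through CNAMEs up to a fixed depth, a ServiceMode record (priority > 0)
# or a "." target is not aliased, and the synthesized TTL is the smallest
# TTL seen along the chain.
from typing import Dict, List, Tuple

RRset = List[Tuple[int, str]]               # [(ttl, rdata), ...]
ZoneData = Dict[Tuple[str, str], RRset]     # (owner, rrtype) -> rrset

# Constructed sample data matching the records quoted in the text above.
ZONE_DATA: ZoneData = {
    ("example.com.", "HTTPS"): [(7200, "0 cdn.example.net.")],
    ("cdn.example.net.", "CNAME"): [(300, "cname.example.net.")],
    ("cname.example.net.", "A"): [(300, "192.0.2.1")],
}

MAX_CHAIN = 8   # guard against CNAME loops


def lookup(name: str, rrtype: str, data: ZoneData = ZONE_DATA) -> RRset:
    return data.get((name.lower(), rrtype.upper()), [])


def synthesize_address(qname: str, qtype: str, data: ZoneData = ZONE_DATA,
                       synthesize: bool = True) -> List[Tuple[str, int, str]]:
    """Answer an A or AAAA query; returns [(owner, ttl, address), ...].

    With synthesize=False (the feature's default, disabled, state) only
    address records actually owned by qname are returned."""
    if qtype not in ("A", "AAAA"):
        raise ValueError("only A/AAAA queries are handled here")
    direct = lookup(qname, qtype, data)
    if direct or not synthesize:
        return [(qname, ttl, rd) for ttl, rd in direct]

    https = lookup(qname, "HTTPS", data)
    if not https:
        return []
    ttl, rdata = https[0]
    priority, target = rdata.split()[:2]
    if priority != "0" or target == ".":
        return []                       # only AliasMode with a real target

    # Follow the alias target through any CNAME chain (common for CDNs).
    min_ttl = ttl
    for _ in range(MAX_CHAIN):
        cname = lookup(target, "CNAME", data)
        if not cname:
            break
        min_ttl = min(min_ttl, cname[0][0])
        target = cname[0][1]
    else:
        return []                       # chain too long, treat as unresolvable

    # Present the target's addresses as if they were at the zone apex.
    return [(qname, min(min_ttl, t), addr)
            for t, addr in lookup(target, qtype, data)]
```

With ZONE_DATA as above, synthesize_address("example.com.", "A") returns [("example.com.", 300, "192.0.2.1")], the record shown in the text; the AAAA query returns nothing because the chain ends at a name that has only an A record, and with synthesize=False the apex answers empty, as it would before the feature is enabled.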

For more information, see Creating an HTTPS Record and Creating an SVCB Record. 

Specifying Queries

By default, the application responds to DNS queries from any IP address. You can create a list of sources to which the application is allowed to respond, restricting it to specific networks, IP addresses, named ACLs, and remote servers that present specified TSIG keys.

To configure a list of allowed queries for the application, complete the following:

  1. From the Infoblox Portal, click Configure > Networking > DNS, and click Global DNS Configuration.
  2. On the Global DNS Configuration page, click Queries.
  3. In the ALLOW QUERIES FROM section, click Add to add or click Remove to remove the entries. Choose one of the following options from the TYPE drop-down list:  
    • Any Address/Network: Choose this option to allow or deny queries from any IP addresses or networks. The application replies to queries from all clients. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
    • IPv4 Address: Choose this option to add an IPv4 address. Click the VALUE field and enter the IP address of the client from which the query originates. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
    • IPv4 Network: Choose this option to add a network to the list. Click the VALUE field and enter an IPv4 network address and type a netmask. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

    • Named ACL: Choose this option to add a named ACL that you want to use. Click the VALUE field and the list of named ACLs is displayed. If you have only one named ACL, the application automatically displays it. When you choose this, the application replies to DNS queries from clients matching the ACL. You can click Clear to remove the chosen named ACL.

    • TSIG Key: Choose an existing TSIG key. For more information, see Configuring TSIG Keys. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

    You can reorder the rows using the up and down arrows next to the table. 

  4. In the AAAA Filtering section, choose one of the following options:
    • Disabled
    • Enabled
    • Break DNSSEC
  5. After choosing the options in step 4, in the Remove AAAA in responses to section, click Add to add or click Remove to remove the entries. Choose one of the following options from the TYPE drop-down list:
    • Any Address/Network: Choose this option to allow or deny queries from any IP addresses or networks. The application replies to queries from all clients. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
    • IPv4 Address: Choose this option to add an IPv4 address. Click the VALUE field and enter the IP address of the client from which the query originates. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
    • IPv4 Network: Choose this option to add a network to the list. Click the VALUE field and enter an IPv4 network address and type a netmask. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

    • Named ACL: Choose this option to add a named ACL that you want to use. Click the VALUE field and the list of named ACLs is displayed. If you have only one named ACL, the application automatically displays it. When you choose this, the application replies to DNS queries from clients matching the ACL. You can click Clear to remove the chosen named ACL.

    • TSIG Key: Choose an existing TSIG key. For more information, see Configuring TSIG Keys. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
  6. Extension Mechanisms for DNS (EDNS) removes the 512-byte limit on DNS messages sent over UDP. Larger UDP messages can be fragmented and lost, so if the DNS messages sent over UDP exceed 512 bytes, set a value that keeps them from being fragmented. Configure the following:
    1. Max Advertised UDP size: The UDP message size, in bytes, that the DNS server advertises to other DNS servers. The default is 1232 bytes; the configurable range is 512 to 4096 bytes.
    2. Max UDP size sent: The maximum number of bytes the DNS server sends in a UDP response. The default is 1232 bytes; the configurable range is 512 to 4096 bytes.

  7. Click Save & Close to save.


Note

If AAAA filtering is enabled, and Allow AAAA Records From is configured as Any Address/Network and Deny, the filter is considered as equivalent to being disabled.
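How the ALLOW QUERIES FROM table (step 3) and the AAAA filtering list (steps 4 and 5) behave, as an added example that is not Infoblox or Universal DDI code. The rule table, named ACL and answer section are constructed for the example. Two things are my assumptions rather than statements on the page: rows are evaluated top to bottom and the first matching row decides, which is why the portal lets you reorder them, and a client matching no row is denied; and for the AAAA filter, Enabled leaves DNSSEC-signed answers intact while Break DNSSEC strips AAAA records regardless, modelled on BIND's filter-aaaa behaviour. The note above (a single Any Address/Network row set to Deny makes the filter equivalent to disabled) falls out of the same first-match logic, and the test cases cover it.

```python
# Added example (not Infoblox or Universal DDI code): evaluates an ordered
# "ALLOW QUERIES FROM" table like the one configured above and then applies
# AAAA filtering to an answer section.
# Assumptions (mine): rows are evaluated top to bottom and the first matching
# row decides, which is why the row order matters; a client matching no row
# is denied; for AAAA filtering, "Enabled" leaves DNSSEC-signed answers
# intact while "Break DNSSEC" strips AAAA records regardless (modelled on
# BIND's filter-aaaa behaviour, not confirmed by the page).
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    kind: str               # "any", "ipv4", "ipv4net", "acl" or "tsig"
    value: str = ""         # address, network, named ACL or TSIG key name
    permission: str = "Allow"


# Constructed named ACLs, keyed by the ACL name used in a Rule of kind "acl".
NAMED_ACLS: Dict[str, List[Rule]] = {
    "corp": [Rule("ipv4net", "10.0.0.0/8"), Rule("ipv4net", "192.0.2.0/24")],
}


def rule_matches(rule: Rule, client_ip: str, tsig_key: Optional[str] = None) -> bool:
    ip = ipaddress.ip_address(client_ip)
    if rule.kind == "any":
        return True
    if rule.kind == "ipv4":
        return ip == ipaddress.ip_address(rule.value)
    if rule.kind == "ipv4net":          # version mismatch (IPv6 client) is simply no match
        return ip in ipaddress.ip_network(rule.value, strict=False)
    if rule.kind == "acl":              # a named ACL is itself a list of rules
        return any(rule_matches(r, client_ip, tsig_key)
                   for r in NAMED_ACLS.get(rule.value, []))
    if rule.kind == "tsig":             # matches only if the query was signed with that key
        return tsig_key == rule.value
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def first_match(rules: List[Rule], client_ip: str,
                tsig_key: Optional[str] = None) -> Optional[Rule]:
    for rule in rules:
        if rule_matches(rule, client_ip, tsig_key):
            return rule
    return None


def query_allowed(rules: List[Rule], client_ip: str, tsig_key: Optional[str] = None) -> bool:
    match = first_match(rules, client_ip, tsig_key)
    return match is not None and match.permission == "Allow"


RR = Tuple[str, str, str]   # (owner, rrtype, rdata)


def filter_aaaa(mode: str, rules: List[Rule], client_ip: str,
                answer: List[RR], signed: bool = False) -> List[RR]:
    """Return the answer with AAAA records removed when the filter applies.
    mode is "Disabled", "Enabled" or "Break DNSSEC", as in the portal."""
    if mode == "Disabled":
        return list(answer)
    match = first_match(rules, client_ip)
    if match is None or match.permission != "Allow":
        return list(answer)     # client not selected for filtering
    if signed and mode == "Enabled":
        return list(answer)     # keep signed answers verifiable
    return [rr for rr in answer if rr[1] != "AAAA"]


# Constructed sample table: one denied host, a named ACL, a TSIG key, then deny the rest.
QUERY_RULES = [
    Rule("ipv4", "192.0.2.99", "Deny"),
    Rule("acl", "corp"),
    Rule("tsig", "ops-key"),
    Rule("any", "", "Deny"),
]
AAAA_RULES = [Rule("ipv4net", "10.0.0.0/8")]
ANSWER: List[RR] = [("www.example.com.", "A", "192.0.2.1"),
                    ("www.example.com.", "AAAA", "2001:db8::1")]
```

Because rows are checked in order, the Deny row for 192.0.2.99 only takes effect because it sits above the corp ACL that would otherwise allow that host; moving it below the ACL row would silently allow it. A query from outside the ACL is still accepted when it carries the configured TSIG key, which is the "remote servers that present specified keys" case.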

Note

The Max Advertised UDP size and Max UDP Size sent for a NIOS-X Server can be verified in the DNS configuration file. Go to Manage > Infrastructure. Select the NIOS-X Server and click the NIOS-X Server Actions drop-down menu > Troubleshoot > DNS Configuration File. The Max Advertised UDP size is shown as edns-udp-size in the DNS configuration file. The Max UDP Size sent is shown as max-udp-size in the DNS configuration file.
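Where the two UDP size settings sit on the wire, as an added example that is not Infoblox or Universal DDI code: the advertised size (edns-udp-size) travels in the CLASS field of the EDNS0 OPT pseudo-record defined in RFC 6891, and the server applies its own sending limit (max-udp-size) when deciding whether a UDP response fits or must be truncated. The 512, 1232 and 4096 byte values are the page's; the rule that the effective ceiling is the smaller of the client's advertised size and the server's own maximum, and that an oversized response is truncated so the client retries over TCP, is my assumption modelled on common resolver behaviour.

```python
# Added example (not Infoblox or Universal DDI code): build and parse the
# EDNS0 OPT pseudo-record that carries the advertised UDP payload size, and
# apply a "max UDP size sent" limit on the server side.
# Assumption (mine): the server caps a UDP response at the smaller of the
# client's advertised size and its own configured maximum, and sets TC
# (truncation) when the response would exceed that, so the client retries
# over TCP. Default and limits follow the page: 1232 default, 512..4096.
import struct
from typing import Dict, Optional

OPT_TYPE = 41                       # RR type code for OPT (RFC 6891)
MIN_UDP, MAX_UDP, DEFAULT_UDP = 512, 4096, 1232


def validate_udp_size(size: int) -> int:
    if not MIN_UDP <= size <= MAX_UDP:
        raise ValueError(f"UDP size {size} outside {MIN_UDP}..{MAX_UDP}")
    return size


def build_opt_rr(udp_payload_size: int = DEFAULT_UDP, do_bit: bool = False) -> bytes:
    """OPT RR layout: NAME = root (one zero byte), TYPE = 41,
    CLASS = requestor's UDP payload size, TTL = ext-RCODE(8) | version(8) |
    flags(16, DO is the top bit), RDLEN = 0 (no options attached here)."""
    validate_udp_size(udp_payload_size)
    flags = 0x8000 if do_bit else 0
    ttl = (0 << 24) | (0 << 16) | flags
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)


def parse_opt_rr(rr: bytes) -> Dict[str, int]:
    if len(rr) < 11 or rr[0:1] != b"\x00":
        raise ValueError("not an OPT RR")
    rtype, payload, ttl, rdlen = struct.unpack("!HHIH", rr[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    return {"udp_payload_size": payload, "ext_rcode": ttl >> 24,
            "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000), "rdlen": rdlen}


def udp_response_limit(client_opt: Optional[bytes],
                       max_udp_size_sent: int = DEFAULT_UDP) -> int:
    """Effective ceiling for a UDP response to this client (assumption: the
    smaller of what the client advertised and what the server may send)."""
    validate_udp_size(max_udp_size_sent)
    if client_opt is None:
        return MIN_UDP                  # no EDNS at all: classic 512-byte limit
    advertised = parse_opt_rr(client_opt)["udp_payload_size"]
    return min(max(advertised, MIN_UDP), max_udp_size_sent)


def needs_truncation(response_len: int, client_opt: Optional[bytes],
                     max_udp_size_sent: int = DEFAULT_UDP) -> bool:
    """True when the response must be sent with TC set (client retries over TCP)."""
    return response_len > udp_response_limit(client_opt, max_udp_size_sent)
```

A client advertising 4096 does not get a 4096-byte UDP answer from a server whose max-udp-size is 1232; the server's own setting wins, which is the knob this page configures. Conversely, raising max-udp-size above what a client advertises changes nothing for that client.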