
Configuring DNS Forwarding Proxy and Universal DDI DNS

Universal DDI allows you to deploy both the DNS forwarding proxy and Universal DDI DNS on the same NIOS-X Server. After you have deployed the NIOS-X Server, you can enable and disable the DNS forwarding proxy and the DNS services based on your business requirements.

To deploy both the DNS forwarding proxy and Universal DDI DNS on the same NIOS-X Server, complete the following:

  1. Obtain the BloxOne Threat Defense and Universal DDI licenses from Infoblox.
  2. Deploy Universal DDI, as described in Deploying DDI.
  3. Enable the DNS forwarding proxy and Universal DDI DNS services based on your business requirements, as described in Configuring Services.

The following sections describe the supported configurations when you have the DNS forwarding proxy and Universal DDI DNS on the same NIOS-X Server.

Enabling Only the DNS Forwarding Proxy Service

When you enable only the DNS forwarding proxy service and disable the Universal DDI DNS services on the same NIOS-X Server, consider the following:

  • The DNS forwarding proxy, not Universal DDI DNS, provides DNS service to all DNS clients.
  • The DNS forwarding proxy listens on port 53.
  • The DNS forwarding proxy returns NXDOMAIN if you have set up the security policy to block certain domains on BloxOne Cloud. For information about BloxOne Cloud, see About Infoblox Threat Defense.

Enabling DNS Forwarding Proxy and Universal DDI DNS Services

When you enable both the DNS forwarding proxy and Universal DDI DNS services on the same NIOS-X Server, consider the following:

  • Both the DNS forwarding proxy and Universal DDI provide DNS service to the DNS clients.
  • Universal DDI forwards all recursive DNS queries to the DNS forwarding proxy.
  • Universal DDI listens on port 53 and the DNS forwarding proxy listens on port 1053.
  • The DNS forwarding proxy listens on port 1053 and forwards all recursive queries to BloxOne Cloud.
  • Universal DDI returns NXDOMAIN if you have set the security policy to block certain domains on BloxOne Cloud because the DNS response comes directly from the DNS forwarding proxy.
  • If you have configured forwarders in the global DNS configuration or DNS profile, the DNS forwarding proxy overrides that configuration.
  • The DNSSEC validation is set to "no" even if you have enabled DNSSEC on the NIOS-X Server.
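
To confirm that a NIOS-X Server behaves as described for either configuration above, the following added example (not Infoblox code) sends a recursive query for a policy-blocked name to ports 53 and 1053 and checks the response code. The server address, the blocked test domain, and the assumption that port 1053 is reachable from where the script runs are placeholders and assumptions, not values from this page.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction ID, constructed for this example

def build_query(name):
    """Encode a recursive (RD=1) A/IN query for `name`."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_rcode(response):
    """Return the RCODE name of a DNS response, or None if it is not our answer."""
    if len(response) < 12:
        return None
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != TXID or not flags & 0x8000:  # wrong ID, or QR bit clear
        return None
    code = flags & 0x000F
    return RCODES.get(code, f"RCODE{code}")

def probe(server, port, name, timeout=2.0):
    """Send one UDP query to an IPv4 server; None means no usable answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, port))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout or ICMP unreachable
            return None
    return parse_rcode(data)

def check(server, blocked_name, both_enabled, probe_fn=probe):
    """List mismatches between observed behaviour and the expected mode."""
    findings = []
    # In both modes, clients on port 53 should see NXDOMAIN for a blocked name.
    if probe_fn(server, 53, blocked_name) != "NXDOMAIN":
        findings.append("port 53 did not return NXDOMAIN for the blocked name")
    # Port 1053 is used by the proxy only when both services are enabled.
    answered_1053 = probe_fn(server, 1053, blocked_name) is not None
    if answered_1053 != both_enabled:
        findings.append("port 1053 response does not match the expected mode")
    return findings

if __name__ == "__main__":
    # Placeholder address and domain; replace with your server and a blocked name.
    for finding in check("192.0.2.53", "blocked.example.test", both_enabled=True):
        print(finding)
```

An empty result means the server matched the expected configuration; set `both_enabled=False` when only the DNS forwarding proxy service is enabled.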

The following illustration gives an overview of how DNS forwarding proxy and Universal DDI DNS handle DNS queries: