
Configuring DNS Forwarding Proxy Settings

Before you create a DFP (DNS forwarding proxy) service on NIOS, ensure that you understand the Best Practices for DFP on NIOS.

For details on deploying a DNS Forwarding Proxy (DFP) on a NIOS server, see NIOS Deployment.

A DNS Forwarding Proxy consists of the following three components:

  • Internal and Fallback DNS Resolvers: An internal DNS resolver and fallback DNS resolver serve as key components in the DFP configuration. An internal resolver is an internal DNS server that is authoritative for internal domains. A fallback DNS resolver acts as a backup DNS resolver if DFP can no longer access the Infoblox platform.

  • Internal Domain Lists: With DNS Forwarding Proxy, DNS queries are sent directly to the Infoblox platform. If you have internal domains that are served by local DNS servers and you want to reach them without interruptions, you should add them to the bypassed internal domains list. If you add them, DNS queries for these internal domains are sent to the local DNS servers instead of Infoblox Platform.

  • PoP Settings: The DFP forwards to the Infoblox public Anycast IP addresses. This normally directs traffic through the PoP closest to the requesting location. However, routing issues on the internet mean that occasionally a DFP may be routed to a PoP farther away, which might result in longer latency and slower application response times. For performance reasons, you can choose a preferred PoP based in a specific region.

Configuring DFP Settings

To configure general DFP (DNS Forwarding Proxy) settings in the Infoblox Portal, specify the following:

  • Internal and Fallback DNS Resolvers: Expand this section and click Add to add an internal resolver, to which queries for internal domains are forwarded, and/or a fallback resolver, to which queries are forwarded if the DFP loses its connection to the Infoblox Platform or Infoblox DNS fails to resolve requests.
    Complete the following to configure internal and fallback resolvers:

    • ORDER: The order of precedence given to an FQDN/IP address (internal or fallback DNS resolver). Click and drag the up/down arrows associated with a resolver to change its precedence order.

    • FQDN/IP ADDRESS: Add an FQDN or IP address for the Internal Resolver, the Fallback Resolver, or both.

    • INTERNAL RESOLVER: An internal resolver would be used to resolve the DNS requests coming for the domain/IP present in the internal domains list. To configure the internal resolver, toggle the switch to the right to enable INTERNAL RESOLVER. Internal resolver is enabled by default. For information about internal resolvers, see DNS Forwarding Proxy Fallback to Local Resolvers.

    • FALLBACK RESOLVER: A fallback resolver is a backup DNS resolver used if the Infoblox platform fails to resolve the queries. For information about DNS fallback, see Using DNS Fallback.

    • DNS OVER TLS: DNS over TLS (DoT) is an encrypted DNS protocol using TCP port 853. DoT possesses a higher precedence order over unencrypted DNS. To configure DoT, toggle the switch to the right to enable DNS OVER TLS. DNS OVER TLS is disabled by default.

    • UNENCRYPTED DNS: Unencrypted DNS is DNS over UDP port 53 and TCP port 53. To configure unencrypted DNS, toggle the switch to the left to disable UNENCRYPTED DNS. UNENCRYPTED DNS is enabled by default. If both DNS OVER TLS and UNENCRYPTED DNS are selected, DoT will be used unless it fails to respond. If DoT fails to respond, the resolver will attempt unencrypted DNS instead.

  • Internal Domains Lists: Expand and click Add to add an internal domain list to the DFP. For information about internal domain lists, see Configuring Internal Domains.
    Complete the following to configure the internal domains lists:

    • NAME (required): From the Select List menu, choose the internal domain list to add to the configuration. You can add multiple internal domain lists. Note that only available internal domain lists appear in the menu. To configure an internal domain list, see Configuring Internal Domains.

  • PoP Settings: Anycast routing normally directs DFP traffic through the closest PoP, but internet routing can occasionally send it through a PoP that is not the one closest to the requesting location, which might result in longer latency and slower application response times. For performance reasons, you can choose a preferred PoP based in a specific region. The Infoblox Portal auto selection is ON by default. To enable a preferred PoP, toggle the Auto Selection option to OFF. From the Point of Presence drop-down list, choose a preferred PoP.

Ensure that all required information is provided, and click Next to proceed to the next step. If any required information is left empty, an error icon will appear next to the page. To complete missing information, click Back. To exit without saving the configuration, click Cancel. If you have completed all edits and configuration, click Finish.
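The forwarding decisions described above (internal-domain bypass to the internal resolver, fallback resolver only when the Infoblox Platform is unreachable, and DoT tried before unencrypted DNS when both toggles are on) can be modelled to check a planned configuration before it is entered in the portal. This is an added illustration, not Infoblox code; the resolver addresses and domain lists used with it are constructed sample values, and the label-boundary suffix match is an assumption about how internal domain lists are matched.

```python
from dataclasses import dataclass


@dataclass
class Resolver:
    """One row of the Internal and Fallback DNS Resolvers table (constructed model)."""
    address: str               # FQDN/IP ADDRESS
    internal: bool = True      # INTERNAL RESOLVER toggle, on by default
    fallback: bool = False     # FALLBACK RESOLVER toggle
    dot: bool = False          # DNS OVER TLS toggle, off by default
    unencrypted: bool = True   # UNENCRYPTED DNS toggle, on by default


def in_internal_domains(qname, internal_domains):
    """Label-boundary suffix match (assumed): 'corp.example.com' is covered by
    'example.com', but 'notexample.com' is not."""
    q = qname.rstrip(".").lower()
    for d in internal_domains:
        d = d.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def transports(r):
    """Transports tried against one resolver, in order: DoT (TCP 853) first
    when enabled; unencrypted port 53 only if DoT fails to respond or is off.
    With both toggles on, a DoT outage therefore downgrades to plaintext."""
    order = []
    if r.dot:
        order.append("dot/tcp853")
    if r.unencrypted:
        order.append("plain/53")
    return order


def forwarding_plan(qname, internal_domains, resolvers, platform_reachable=True):
    """Where a query goes: ('internal' | 'infoblox-platform' | 'fallback',
    [(resolver address, transports)] in the configured ORDER)."""
    if in_internal_domains(qname, internal_domains):
        chosen = [r for r in resolvers if r.internal]
        return "internal", [(r.address, transports(r)) for r in chosen]
    if platform_reachable:
        return "infoblox-platform", []
    chosen = [r for r in resolvers if r.fallback]
    return "fallback", [(r.address, transports(r)) for r in chosen]
```

A resolver row with DNS OVER TLS on and UNENCRYPTED DNS off yields only `dot/tcp853`, which is the setting to use when a silent downgrade to plaintext is unacceptable.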

Configuring DFP Settings Using Encrypted DNS Protocols

NOTE: DNS Forwarding Proxy (DFP) configuration using encrypted DNS protocols is available only to the following subscribers:

  1. Subscribers possessing both a Federal license and an Infoblox Threat Defense Advanced license have the option to select between three different external DNS resolver configurations.

  2. For subscribers possessing only a Federal license, the option to select an external DNS resolver configuration is unavailable.

To configure DFP settings using encrypted DNS protocols, specify the following:

Internal and External DNS Resolvers: Expand this and click Add to add an internal or fallback DNS resolver to manage your DNS requests when connected to Infoblox platform.

External DNS Resolver: Select an external DNS resolver from the drop-down list of options. An external DNS resolver defines the DNS that will be used to resolve DNS queries and enforce security policies. The choice among the three options is available only to subscribers holding both a Federal license and a Threat Defense license.

  • Infoblox Threat Defense B1TD with fallback to the provisioned external resolvers: If Infoblox Threat Defense is not available, then DFP will fall back to the servers configured by the organization. This option is selected by default.

  • Provisioned external resolvers with fallback to B1TD Infoblox Threat Defense: If the external servers are not available, then DFP will fall back to Infoblox Threat Defense.

  • Provisioned external resolvers without fallback to B1TD Infoblox Threat Defense: If the external servers are not available, then DFP will NOT fall back to Infoblox Threat Defense.

For subscribers possessing only a Federal license, the third option is selected by default and the other two options cannot be chosen. In this case, there is no drop-down list describing other options, since access to the Infoblox Threat Defense resolver requires an Infoblox Threat Defense license.

DNS Forwarding Proxy can also be configured to transfer additional metadata such as IP address and MAC address to external servers.

Complete the following to configure internal and external resolvers:

  • ORDER: The order of precedence given to an FQDN/IP address (internal or external DNS resolver). Click and drag the up/down arrows associated with a resolver to change its precedence order.

  • FQDN/IP ADDRESS: Add an FQDN or IP address for the Internal Resolver, the External Resolver, or both.

  • INTERNAL RESOLVER: The internal resolver manages requests for all clients on your network. To configure the internal resolver, toggle the switch to the right to enable INTERNAL RESOLVER. INTERNAL RESOLVER is enabled by default.

  • EXTERNAL RESOLVER: The external resolver is used when the primary server is unavailable. To configure the external resolver, toggle the switch to the right to enable EXTERNAL RESOLVER. EXTERNAL RESOLVER is disabled by default.

  • DNS OVER TLS: DNS over TLS is an encrypted DNS protocol using TCP port 853. DNS over TLS possesses a higher precedence order over unencrypted DNS. To configure DNS over TLS, toggle the switch to the right to enable DNS OVER TLS. DNS OVER TLS is disabled by default.

  • UNENCRYPTED DNS: Unencrypted DNS is DNS over UDP port 53 and TCP port 53. To configure unencrypted DNS, toggle the switch to the left to disable UNENCRYPTED DNS. UNENCRYPTED DNS is enabled by default.


Internal Domains Lists: Expand and click Add to add an internal domain list to the DFP. If you have internal domains that are served by local DNS servers and you want to reach them without interruptions, you should consider adding them to the bypassed internal domains list. If you add them, DNS queries for these internal domains are sent to the local DNS servers instead of the Infoblox Platform. Alternatively, you can search for a specific internal domains list by entering its name in the search field. For information about internal domain lists, see Configuring Internal Domains.

Complete the following to configure the internal domains lists:

  • NAME (required): From the Select List menu, choose the internal domain list to add to the configuration. You can add multiple internal domain lists. Note that only available internal domain lists appear in the menu. To configure an internal domain list, see Configuring Internal Domains.

PoP Settings: Anycast routing normally directs DFP traffic through the closest PoP, but internet routing can occasionally send it through a PoP that is not the one closest to the requesting location, which might result in longer latency and slower application response times. For performance reasons, you can choose a preferred PoP based in a specific region. The Infoblox Portal auto selection is ON by default. To enable a preferred PoP, toggle the Auto Selection option to OFF. From the Point of Presence drop-down list, choose a preferred PoP.

Ensure that all required information is provided, and click Next to proceed to the next step. If any required information is left empty, an error icon will appear next to the page. To complete missing information, click Back. To exit without saving the configuration, click Cancel. If you have completed all edits and configuration, click Finish.

The configured DNS Forwarding Proxy settings can be viewed on the DNS Forwarding Proxy wizard’s Summary page.

For information on all steps required in creating and configuring DNS Forwarding Proxy Services, see Creating DNS Forwarding Proxy Services.

For information on editing or modifying DNS Forwarding Proxy Services, see Editing DNS Forwarding Proxy Services.