Connectivity Rules for DNS Forwarding Proxy
The DFP makes its connection with Infoblox Platform based on the following rules and conditions:
- By default, the DFP is provisioned with the following four global IPv4 addresses. The DFP monitors the health status of these addresses and sends DNS requests to the first available and healthy address, in the order listed. For example, if the first IP address (103.80.6.100) is reachable but has an unhealthy status, the DFP moves on to the second IP address (103.80.5.100) to establish a connection with Infoblox Platform, provided that this address is reachable and has a healthy status. Note that the DFP performs periodic health checks on these addresses.
  - 52.119.41.100
  - 103.80.6.100
  - 52.119.40.100
  - 103.80.5.100
- The 52.119.41.100 and 103.80.6.100 IP addresses are provisioned under AWS Anycast, so a DNS client connects to the nearest AWS entry location. Once a connection is established, the client is routed via AWS to the nearest PoP (Point of Presence). If the nearest PoP is not reachable, the client is forwarded to another PoP based on the rules described in the first bullet.
- The 52.119.40.100 and 103.80.5.100 IP addresses are routed using Anycast only. They use a different architecture, in which the traffic is routed via third-party networks to a PoP. The 52.119.40.100 and 103.80.5.100 addresses are considered legacy.
- The Local On-Prem resolution option in Security Policies for NIOS-X servers requires the NIOS-X server to have TCP 443 access to ope.infobloxtd.com at 52.119.41.120 and 103.80.6.120, because the lookups are performed via API.
- If you have defined a PoP for the DFP, only AWS addresses for that PoP are used while everything else works as described in the previous bullets. This connection creates a fail-open architecture. For example, if the PoP in Tokyo is provisioned for the DFP and it is not available, the traffic will be automatically routed to the next PoP based on the user/DFP location.
The following illustration describes the connection rules for the DFP:
Diagram: The diagram depicts a process where a DNS client interacts with a DNS Forwarding Proxy (DFP) to establish a connection with the nearest Point of Presence (PoP). The DFP has a list of provisioned IP addresses. Initially, the DFP attempts to contact the first IP on the list, but it is marked as unhealthy. The DFP then tries the next provisioned IP address, which is available and healthy.
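The selection rules above, modelled as an added example (not Infoblox code): `select_address` walks the provisioned list in order and returns the first address that is both reachable and healthy, restricting the candidates to the AWS Anycast addresses when a PoP is pinned, and `missing_onprem_egress` reports which of the two TCP 443 API destinations an egress allow-list still lacks. The probe results and the allow-list are constructed sample data; the `AddressState` type and both function names are assumptions of this example.

```python
from dataclasses import dataclass

# Provisioned DFP addresses in the order the page lists them.
DFP_ADDRESSES = ["52.119.41.100", "103.80.6.100", "52.119.40.100", "103.80.5.100"]
# The first two are AWS Anycast; the other two are legacy Anycast-only (from the page).
AWS_ANYCAST = {"52.119.41.100", "103.80.6.100"}
# Local On-Prem resolution needs TCP 443 to these two addresses (from the page).
ONPREM_API_EGRESS = {("tcp", 443, "52.119.41.120"), ("tcp", 443, "103.80.6.120")}


@dataclass
class AddressState:  # hypothetical container for one periodic health-check result
    reachable: bool  # the address answers at all
    healthy: bool    # the health check passed


def select_address(states: dict, pop_pinned: bool = False):
    """Return the first provisioned address that is both reachable and healthy.

    With a PoP pinned, only the AWS Anycast addresses are candidates; failover to
    another PoP then happens inside AWS routing, not by choosing a legacy address.
    """
    for addr in DFP_ADDRESSES:
        if pop_pinned and addr not in AWS_ANYCAST:
            continue
        st = states.get(addr)
        if st is not None and st.reachable and st.healthy:
            return addr
    return None  # nothing usable: the DFP has no healthy upstream right now


def missing_onprem_egress(allowed_egress: set) -> set:
    """Return the (proto, port, dst) tuples an egress allow-list still lacks
    for the Local On-Prem resolution API calls."""
    return ONPREM_API_EGRESS - allowed_egress


if __name__ == "__main__":
    # Constructed probe results mirroring the diagram: first address reachable but unhealthy.
    probe = {
        "52.119.41.100": AddressState(reachable=True, healthy=False),
        "103.80.6.100": AddressState(reachable=True, healthy=True),
        "52.119.40.100": AddressState(reachable=True, healthy=True),
        "103.80.5.100": AddressState(reachable=False, healthy=False),
    }
    print(select_address(probe))            # 103.80.6.100
    # Constructed allow-list that covers only one of the two API endpoints.
    allowed = {("tcp", 443, "52.119.41.120"), ("udp", 53, "52.119.41.100")}
    print(missing_onprem_egress(allowed))   # {('tcp', 443, '103.80.6.120')}
```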
For more information, see the following: