NIOS Deployment

To deploy DFP (DNS Forwarding Proxy) on a NIOS appliance, ensure that your Grid or Grid member is running NIOS 8.5 or above. When you run DFP as a service on a Grid member, it forwards recursive queries to Infoblox Platform. The DFP also caches responses to speed up DNS resolution for future queries. For the DNS forwarding proxy to work between NIOS and Infoblox Platform, ensure that port 443 is open to the respective domain.

To deploy DFP on a NIOS member, complete the following procedures:

Setting Up NIOS Member as a Host

To set up the Grid member as a host, complete the following:

  1. Log in to the Infoblox Portal.
  2. Create a join token, as described in Creating Join Tokens. In an HA environment, create two hosts. You must ensure that the configurations for both hosts are the same for the HA nodes to work seamlessly. Save the join token for use in the NIOS configuration.
  3. Log in to the NIOS Grid Manager.
  4. Grid: On the Grid tab, click the Grid Manager tab > Grid Properties > Edit.
  5. In the Grid Properties editor, click CSP Config on the left navigation and complete the following: 
    • Join Token: Copy the join token that you created in the Infoblox Portal.
    • CSP Resolver: Displays the IP address of the local DNS resolver. This IP address or DNS is used to resolve Infoblox domains when the DFP service starts. You must configure at least one external resolver that will be used to resolve all required domains. If you do not enter an IP address, 52.119.40.100 is used as the default.
    • HTTP proxy: Enter the URL of the proxy server in the http://<IP/host>:<port> format. When you update the HTTP proxy, the NIOS on-prem agent propagates the change to the other on-prem containers by restarting them at a specific interval, which can cause a delay of up to 15 minutes.
  6. Click Save & Close.
  7. Member: On the Grid tab, click the Grid Manager tab > Members tab > member checkbox > Edit.
  8. In the Grid Member Properties editor, click CSP Config on the left navigation and complete the following. To override an inherited property, click Override next to it and enter the value for the appropriate fields if you do not want to inherit the values from the Grid. Once you override, the settings are applicable only at the member level.
    1. Join Token: Displays the join token value that is inherited from the Grid. If the field is empty, the platform connection is not terminated.
    2. CSP Resolver: Displays the Infoblox Portal resolver value that is inherited from the Grid.
    3. HTTP Proxy: Displays the URL that is inherited from the Grid.
    4. Standalone: Select this option when the member is standalone.
      1. Access Key: You cannot edit the value of this field; you can only clear it. Clearing the access key value does not terminate the platform connection.
    5. HA Enabled: Select this option when the member is an HA member.
      1. Access Key: You cannot edit the value of this field; you can only clear it. In case of a NIOS upgrade, the access keys are the same for both the active and passive nodes.
  9. Click Save & Close. 
  10. On the Grid tab, click Grid Manager tab > DFP tab > member checkbox > Edit icon.
  11. In the Member DFP Properties editor, select the Fallback to the default resolution process if Infoblox Threat Defense does not respond checkbox to forward recursive queries to the local root name servers in case the NIOS member loses connection with Infoblox Platform or if Infoblox Platform DNS fails to resolve recursive queries. For newly configured DNS forwarding proxies in NIOS, Infoblox recommends that you keep this option selected until you have verified that the NIOS proxies are functioning properly.
  12. In the Infoblox Portal, go to Manage > Infrastructure > Hosts and verify that the status of the NIOS proxy that you created is active.

Note

  • If you have upgraded to NIOS 8.5.x with DNS forwarding proxy service running on any node, Infoblox recommends that you do not remove any NIOS hosts from the Infoblox Portal because NIOS preserves the Access Key during the upgrade, and the NIOS Grid member connects to the Infoblox Portal using the same access key. Note that the value of the Access Key field in NIOS is the same as the API key that is displayed in the Infoblox Portal.
  • You must create a join token to authenticate a virtual DNS forwarding proxy for establishing a connection to the platform. For more information on creating a join token, see Configuring Join Tokens.
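A pre-flight check for the CSP Config values entered in the steps above, as an added example that is not Infoblox code: it applies the default-resolver rule, checks the HTTP proxy value against the documented http://<IP/host>:<port> format, and lists settings that differ between two HA host records. All function names and the sample addresses are assumptions made for illustration; the host to pass to `tcp_reachable` is not named on this page and must come from your Infoblox documentation.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

DEFAULT_CSP_RESOLVER = "52.119.40.100"  # default named in the CSP Resolver step

def effective_resolver(entered):
    """Resolver used at DFP start: the entered IP, or the default when blank."""
    entered = (entered or "").strip()
    if not entered:
        return DEFAULT_CSP_RESOLVER
    return str(ipaddress.ip_address(entered))  # ValueError if not a valid IP

def http_proxy_problems(value):
    """List deviations from the documented http://<IP/host>:<port> format."""
    problems = []
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError for a non-numeric or >65535 port
    except ValueError:
        return ["host or port is malformed"]
    if parts.scheme != "http":
        problems.append("scheme is not http://")
    if not parts.hostname:
        problems.append("missing IP/host")
    if not port:
        problems.append("missing port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("extra path, query or fragment")
    return problems

def ha_setting_diffs(node_a, node_b):
    """Setting names whose values differ between the two HA host records."""
    return sorted(k for k in node_a.keys() | node_b.keys()
                  if node_a.get(k) != node_b.get(k))

def tcp_reachable(host, port=443, timeout=3.0):
    """True if a direct TCP connection to host:port succeeds (no TLS, no proxy)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Constructed sample values, not taken from a real Grid.
    print(effective_resolver(""))
    print(http_proxy_problems("https://proxy.example.com"))
    a = {"resolver": "10.0.0.53", "proxy": "http://10.0.0.8:3128"}
    b = {"resolver": "10.0.0.53", "proxy": "http://10.0.0.9:3128"}
    print(ha_setting_diffs(a, b))
```

When an HTTP proxy is configured, `tcp_reachable` only tells you whether a direct path exists; test port 443 through the proxy separately.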

Deploying DFP on the NIOS Host

After you set up a NIOS host, you can create a DFP service instance for the host or apply an existing DFP template to the host.

To deploy a new DFP service on the NIOS host, complete the following:

  1. Log in to the Infoblox Portal.
  2. Click Manage > Infrastructure > Hosts.
  3. Review the list of hosts to ensure that the host you just set up is active.
  4. Click the Services tab.
  5. From the Create Services drop-down menu, select DNS Forwarding Proxy.
  6. Complete the following steps to run the DFP service on the host.
    Note: Ensure that you select the host on which you plan to run the DFP service when you configure general information.
    1. Configuring General Information
    2. Binding Network Interfaces
    3. Configuring DNS Forwarding Proxy Settings
    4. Viewing Configuring Summary.

Alternatively, you can apply an existing template that contains the DFP configuration you want to use to the newly created host. To apply an existing DFP service using a template, follow the instructions described in Applying Templates to Hosts.

For information about other deployment options, see the following:

For more information about DFP, see the following: