Best Practices for DNS Forwarding Proxy

Internal Domains and Local Resolvers

When you deploy a DFP (DNS forwarding proxy), you can configure the service on a standalone host or on NIOS.

On a standalone DFP, you can configure internal domains and have queries for these domains sent to local resolvers, instead of BloxOne Cloud. However, if you configure DFP on NIOS, queries for these internal domains are sent to BloxOne Cloud, rather than to the local resolvers. Therefore, for DFP on NIOS, NXDOMAIN/SERVFAIL responses are sent to the DNS client because these domains do not exist in the cloud.

For standalone DFP, if you want to add internal domains, you must also add local resolvers to update the DFP configuration in the cloud. On the other hand, for DFP on NIOS, you are unable to specify a local DNS resolver because DFP on NIOS does not have a configuration to specify local resolvers. When you add a name server in the Name Server for DNS Forwarding Proxy field, the name server is used as a DNS resolver for internal name resolution, not for internal or bypass domains. As a result, for DFP on NIOS, Infoblox recommends that you create authoritative or forward zones for these internal domains. For more information, see Configuring DNS Zones.

Note

By default, when a new DFP is created, the default internal domains list is already associated with it. A maximum of 3000 internal domains can be synced or associated with a DFP. 
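The following is an added illustrative model of the routing rules described in this section, not Infoblox code: it tells you, for a given DFP configuration, where a query for a name would be answered, and flags the configurations this page says will not behave as intended (internal domains without local resolvers on a standalone DFP, internal domains without a matching zone on NIOS, and more than 3000 internal domains). The mode strings, field names and the sample domain "corp.example" are assumptions for the example.

```python
# Added model of the routing rules described above (not Infoblox code).
# Standalone DFP: queries under an internal domain go to local resolvers,
# everything else to BloxOne Cloud. DFP on NIOS has no local-resolver setting,
# so internal names reach the cloud (NXDOMAIN/SERVFAIL) unless a NIOS zone serves them.
from dataclasses import dataclass, field

MAX_INTERNAL_DOMAINS = 3000  # limit stated in the documentation's note

@dataclass
class DfpConfig:
    mode: str  # "standalone" or "nios"
    internal_domains: list = field(default_factory=list)
    local_resolvers: list = field(default_factory=list)
    nios_zones: list = field(default_factory=list)  # authoritative/forward zones on NIOS

def under(qname: str, domains) -> bool:
    """True if qname equals or is a subdomain of any entry in domains."""
    name = qname.rstrip(".").lower()
    for d in (x.rstrip(".").lower() for x in domains):
        if name == d or name.endswith("." + d):
            return True
    return False

def route(cfg: DfpConfig, qname: str) -> str:
    """Where a query for qname is answered under this configuration."""
    internal = under(qname, cfg.internal_domains)
    if cfg.mode == "standalone":
        return "local-resolver" if internal and cfg.local_resolvers else "cloud"
    if cfg.mode == "nios":
        if under(qname, cfg.nios_zones):
            return "nios-zone"
        return "cloud-nxdomain" if internal else "cloud"
    raise ValueError(f"unknown mode {cfg.mode!r}")

def lint(cfg: DfpConfig) -> list:
    """Flag settings that the documentation says will not behave as intended."""
    problems = []
    if len(cfg.internal_domains) > MAX_INTERNAL_DOMAINS:
        problems.append(f"more than {MAX_INTERNAL_DOMAINS} internal domains")
    if cfg.mode == "standalone" and cfg.internal_domains and not cfg.local_resolvers:
        problems.append("internal domains configured without local resolvers")
    if cfg.mode == "nios":
        for d in cfg.internal_domains:
            if not under(d, cfg.nios_zones):
                problems.append(f"{d}: needs an authoritative or forward zone on NIOS")
    return problems

if __name__ == "__main__":  # constructed sample configuration
    cfg = DfpConfig("nios", ["corp.example"])
    print(route(cfg, "db.corp.example"), lint(cfg))
```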

To add local resolvers and internal domains to DFP, see the following topic: Configuring DNS Forwarding Proxy Settings.

For information about DNS fallback and best practices, see Using DNS Fallback and Best Practices for Using DNS Fallback.

DNSSEC

DFP does not work with DNSSEC when a request has been redirected by BloxOne Threat Defense. If you are running DFP on NIOS, you must disable DNSSEC validation. DNSSEC validation is performed by BloxOne Threat Defense regardless of whether the query comes from a DFP on NIOS, BloxOne DDI, a standalone source, or a BloxOne Threat Defense endpoint, or is forwarded from a third-party DNS server. Even if you disable DNSSEC validation, validation still takes place through BloxOne Threat Defense. For more information, see Using Forwarders.

To enable DFP to work with DNSSEC when a request has been redirected by BloxOne Threat Defense, see Enabling DNS Forwarding Proxy to Work with DNSSEC.