
Best Practices for Using DNS Fallback

The provided information is for reference only. It represents the results of lab testing in a controlled environment focused on individual protocol services. Enabling additional protocols, services, cache hit ratio for recursive DNS, and customer environment variables will affect performance. To design and size a solution for a production environment, please contact your Infoblox Solution Architect.


When you configure DNS fallback, consider the best practices for the following scenarios.

Notes

  • When configuring network scopes for Infoblox Threat Defense, ensure that you properly configure DNS fallback to receive full DNS protection.
  • DO NOT use the Infoblox-provided anycast IP addresses for DNS fallback purposes.
  • The DFP fallback resolvers configured in the Infoblox Portal do not use geo-based algorithms.
  • When DFP is configured with multiple fallback resolvers, DFP tries them sequentially: it moves to the next available server whenever a failure is detected on the preceding fallback server.
  • Infoblox requires the configuration of a fallback DNS service in the unlikely event that communication with the Infoblox network is disrupted.

DFP on NIOS

  • If you are running DFP (DNS Forwarding Proxy) on a NIOS host, Infoblox strongly recommends that you use the NIOS fallback mechanism by selecting the Fallback to the default resolution process if Infoblox Threat Defense does not respond checkbox in the Member DFP Properties editor of the Grid Manager UI. For more information, see Using DNS Fallback.
  • When you enable NIOS fallback on the NIOS DFP, ensure that the NIOS DNS server has unrestricted access to the internet on UDP/TCP port 53 for the fallback to function properly (even if you have configured DNS forwarders). To resolve a query during fallback, the NIOS DNS server must first reach the root name servers, then the TLD (Top Level Domain) servers, and finally the authoritative name servers.

Note

Use this option ONLY if the DNS servers are allowed to send queries to the internet.

  • If you cannot allow queries to the root servers, or if the root servers are not reachable, you can still enable DNS protection by enabling Fallback Resolver when configuring a local resolver on your DFP service instance. For information, see Using DNS Fallback.

Standalone DFP

  • When configuring a standalone DFP, Infoblox recommends that you enable DNS fallback in the DNS Forwarding Proxy settings of the DFP service. For information, see Configuring DNS Forwarding Proxy Settings.
  • Ensure that UDP/TCP port 53 is accessible from the DFP for DNS fallback to function properly.
  • DO NOT configure any of the Infoblox-provided anycast IP addresses for DNS fallback purposes.
  • If you are using encrypted DNS or encrypted DNS over TLS, configure DNS fallback according to the instructions in the Configuring DFP Settings Using Encrypted DNS Protocols section in Configuring DNS Forwarding Proxy Settings.

To properly configure DNS fallback, add the fallback addresses as described below:

  1. Log in to the Infoblox Portal.
  2. Go to Manage > Infrastructure > Services.
  3. Select the DFP service on which you want to configure DNS fallback, and then click Edit.
  4. Click the DNS Forwarding Proxy tab and expand the Internal and Fallback Local Resolvers section.
  5. Click Add to add the FQDN/IP addresses of any recursive DNS servers that you plan to use as the DNS fallback servers. Ensure that you do not use any of the Infoblox-provided anycast IP addresses for DNS fallback.
  6. Enable the Fallback Resolver option for all addresses.
  7. Click Next and then click Save & Close.
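The following script is an added example, not Infoblox code: it pre-checks a candidate fallback list against the rules above (at least one resolver, none of the Infoblox anycast addresses) and models the sequential fallback behaviour the notes describe, moving to the next resolver only when the preceding one fails. The anycast addresses in INFOBLOX_ANYCAST_PLACEHOLDER are constructed stand-ins; replace them with the addresses shown in the Infoblox Portal.

```python
import ipaddress
import socket

# Constructed placeholder values: substitute the real Infoblox-provided
# anycast addresses from the Infoblox Portal before using this check.
INFOBLOX_ANYCAST_PLACEHOLDER = {"192.0.2.100", "198.51.100.100"}


def validate_fallback_list(resolvers, anycast=INFOBLOX_ANYCAST_PLACEHOLDER):
    """Return a list of problems found in a candidate fallback resolver list."""
    problems = []
    if not resolvers:
        problems.append("no fallback resolver configured")
    for r in resolvers:
        try:
            ip = ipaddress.ip_address(r)
        except ValueError:
            continue  # an FQDN; accepted as-is
        if str(ip) in anycast:
            problems.append(f"{r} is an Infoblox anycast address")
    return problems


def resolve_with_fallback(name, resolvers, query):
    """Sequential fallback: try resolvers in order, move on at the first failure.

    `query(name, server)` returns an answer, returns None, or raises OSError.
    Returns (server_that_answered, answer) or (None, None) if all fail.
    """
    for server in resolvers:
        try:
            answer = query(name, server)
        except OSError:
            continue  # timeout or connection error: go to the next server
        if answer is not None:
            return server, answer
    return None, None


def simulated_query(name, server):
    """Constructed stand-in for a DNS query, used for offline demonstration."""
    if server == "10.0.0.53":
        raise OSError("timeout")  # first fallback server is down
    if server == "10.0.0.54":
        return "203.0.113.7"  # second fallback server answers
    return None


def port53_reachable(server, timeout=2.0):
    """Live check that TCP/53 on a resolver is reachable (needs network access)."""
    try:
        with socket.create_connection((server, 53), timeout=timeout):
            return True
    except OSError:
        return False
```

Run port53_reachable from the DFP host (and from the NIOS DNS server when NIOS fallback is used) against each configured resolver to confirm the port 53 requirement before relying on fallback.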