
Endpoint Protected Bypass Mode

Infoblox Endpoint bypass, in combination with an FQDN and a probe token, is used by Infoblox Endpoint to identify that the endpoint is on-prem and is following the configured on-prem policies. To verify Infoblox Threat Defense probe responses, Infoblox Endpoint periodically sends DNS queries for a non-resolvable probe domain to the default resolvers, which avoids the possibility of "spoofed" responses. When a domain is not expected to resolve, none of its subdomains will resolve either. For instance, if some-domain.com is configured as a probe domain, then mail.some-domain.com would also not resolve.

The probe token can be auto-generated or custom configured. Because the probe is configurable rather than static, it provides additional safeguards against potential hijacking attempts. An Infoblox Endpoint probe domain and its associated probe token are configured during the protected bypass mode configuration process.

By enabling Infoblox Endpoint protected bypass mode for an Infoblox Endpoint group, you can define your own domain and response for an on-prem DNS service protected by DNS Firewall. With DNS forwarding proxies deployed (in auto mode), a unique, hashed response derived from the probe token is used to detect whether an endpoint is in a protected environment. By design, because DNS is used, the probe domain is resolvable. If the endpoint is in a protected environment, then it must adhere to the policies defined for that location. When configuring Infoblox Endpoint groups for use with the endpoint probe using a probe token, take the following into consideration:

  • Bypass Mode: You must enable bypass mode at the group level so that the bypass configuration can be used. The bypass mode setting is inherited whenever a new endpoint group is created. The user can change the setting at the group level, and the group-level setting overrides the setting established in the default endpoint group. The bypass code must be provisioned on the Infoblox Platform.
  • FQDN: A fully qualified domain name (FQDN) must be selected at the time of configuration. The FQDN can either be the default probe domain (i.e. probe.infoblox.com) or customized based on your requirements. The FQDN should be unique so that it does not interfere with DNS resolution; e.g. do not designate it as an SLD (example.com), as you will then be unable to resolve other records under that SLD. If you choose to use a customized probe domain, ensure that it can be resolved with the defined TXT record.
  • TXT Record: A TXT record to be prepended to the FQDN must be created when generating a probe token, or randomly generated by clicking Generate random TXT record during configuration. You can also define a custom TXT record to accompany a custom probe domain to ensure that the domain can be resolved.

The probe token supports two modes: automatic and manual. In automatic mode, clicking Generate random TXT record generates a new random label to be prepended to the default domain. In manual mode, a custom domain and a custom TXT record for the probe token are defined and supplied by you. A custom-created TXT record can be up to 256 characters in length. Customers can also choose to disable probing requests entirely by disabling protected bypass mode for an endpoint group.

Of the two options, automatic mode is the more secure. When using automatic mode, the Infoblox client sends a different query and receives a different response each time, so potential attackers are not able to spoof the client. Automatic mode is intended for use where external attackers could potentially flood local DNS servers with fake responses, where hackers could potentially gain access to a local DNS server, or where DFP already exists in the network. Manual mode is intended for use in specific environments (NIOS) where DFP is not in use in the network, or where DFP already exists elsewhere in the network and a predefined probe domain and response are to be custom configured.
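The following is an added illustration, not Infoblox code and not a description of the actual Infoblox Endpoint or DFP implementation. It models the probe exchange described above as a client-side check: a random label is prepended to the probe domain, the query is sent to the resolver in use, and the TXT answer is compared with the value expected for that exact query. The response scheme (HMAC-SHA256 keyed by the probe token over the queried name) is an assumption chosen for the example; the page only says the response is hashed using the token. The resolver classes, domain names and token are constructed test doubles. The last function applies the configuration guidance from the FQDN bullet and the warning later on this page (do not use an SLD, and do not overlap with a domain already used by another group); its treatment of any two-label name as an SLD is a simplification.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional


def expected_txt(probe_token: str, fqdn: str) -> str:
    """Assumed response scheme (not specified on the page): the on-prem DNS
    forwarding proxy answers the probe TXT query with HMAC-SHA256 keyed by the
    probe token over the exact name that was queried."""
    return hmac.new(probe_token.encode(), fqdn.lower().encode(), hashlib.sha256).hexdigest()


class OnPremResolver:
    """Constructed stand-in for a DNS forwarding proxy that holds the probe token."""

    def __init__(self, probe_domain: str, probe_token: str) -> None:
        self.probe_domain = probe_domain.lower()
        self.probe_token = probe_token

    def txt(self, fqdn: str) -> Optional[str]:
        name = fqdn.lower()
        if name == self.probe_domain or name.endswith("." + self.probe_domain):
            return expected_txt(self.probe_token, name)
        return None  # NXDOMAIN for everything else


class OffPremResolver:
    """Constructed public resolver: the probe domain does not exist there."""

    def txt(self, fqdn: str) -> Optional[str]:
        return None


class ReplayingResolver:
    """Constructed test double that returns one previously observed TXT answer
    for every query, used to show why a per-query label matters."""

    def __init__(self, captured_answer: str) -> None:
        self.captured_answer = captured_answer

    def txt(self, fqdn: str) -> Optional[str]:
        return self.captured_answer


def build_probe_fqdn(probe_domain: str, automatic: bool, custom_label: Optional[str] = None) -> str:
    """Automatic mode prepends a fresh random label per query; manual mode uses the custom label."""
    label = secrets.token_hex(8) if automatic else custom_label
    return f"{label}.{probe_domain}" if label else probe_domain


def is_protected(resolver, probe_domain: str, probe_token: str,
                 automatic: bool = True, custom_label: Optional[str] = None) -> bool:
    """Client-side check: the endpoint is on a protected network only if the
    resolver's TXT answer matches the token-derived value for this exact query."""
    fqdn = build_probe_fqdn(probe_domain, automatic, custom_label)
    answer = resolver.txt(fqdn)
    if answer is None:
        return False  # no answer (or NXDOMAIN): treat as off-prem, apply roaming policy
    return hmac.compare_digest(answer, expected_txt(probe_token, fqdn))


def validate_probe_domain(fqdn: str, other_group_domains: List[str]) -> List[str]:
    """Configuration checks drawn from the page's guidance: the probe FQDN must
    not be an SLD, and must not be a parent or child of a domain already used by
    another endpoint group. Simplification: any two-label name is treated as an
    SLD; multi-label public suffixes such as co.uk are not handled."""
    problems = []
    name = fqdn.strip(".").lower()
    if len(name.split(".")) < 3:
        problems.append(f"{name} is an SLD; other records under it would stop resolving")
    for other in other_group_domains:
        o = other.strip(".").lower()
        if name == o or name.endswith("." + o) or o.endswith("." + name):
            problems.append(f"{name} overlaps with {o}, which another group already uses")
    return problems


if __name__ == "__main__":
    domain, token = "probe.example.test", "s3cr3t-probe-token"  # constructed values
    print("on-prem resolver :", is_protected(OnPremResolver(domain, token), domain, token))
    print("off-prem resolver:", is_protected(OffPremResolver(), domain, token))
    static_name = build_probe_fqdn(domain, automatic=False, custom_label="static")
    stale = ReplayingResolver(expected_txt(token, static_name))
    print("stale answer, manual mode   :", is_protected(stale, domain, token, False, "static"))
    print("stale answer, automatic mode:", is_protected(stale, domain, token))
    print(validate_probe_domain("example.com", ["abc.com"]))
    print(validate_probe_domain("xyz.abc.com", ["abc.com"]))
```

The two ReplayingResolver runs are the point of the example: with a fixed probe name (manual mode) a single stale answer satisfies the check indefinitely, whereas in automatic mode every query carries a new label, so an answer computed for an earlier name never matches and the endpoint correctly falls back to the off-prem policy.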

Enabling Probe Requests by Adding Protected Bypass Mode to an Infoblox Endpoint Group

When applying security policies to multiple Infoblox Endpoint devices, you can make the process more efficient by organizing the endpoint devices into Infoblox Endpoint groups, and then add the groups to the network scope when you create a security policy. Note that Infoblox comes with a default endpoint group called All Infoblox Endpoints (default) that is associated with the default global policy. You cannot modify or remove the default endpoint group.

Warning

Infoblox does not recommend configuring a subdomain in Infoblox Endpoint if the parent domain already exists as a member of a different Infoblox Endpoint group. For example, if the domain abc.com already exists in another Infoblox Endpoint group, do not add its subdomains, such as xyz.abc.com, to additional Infoblox Endpoint groups.

To enable probe requests in an Infoblox Endpoint group, complete the following:

  1. From the Infoblox Portal, click Configure > Security > Endpoints.
  2. On the Endpoints page, select the Endpoint Groups tab, and then click the Add button. Do note that at least one Infoblox Endpoint must be added to the configuration prior to configuring and enabling protected bypass mode.

  3. In the Bypass Mode section of the Create Endpoint Group page, complete the following:

    1. State: Enable protected bypass mode from its default disabled state by switching the toggle from Disabled to Enable.
    2. FQDN: The default probe domain is probe.infoblox.com. You can choose to accept the default or create your own FQDN based on your requirements. If you choose to use a custom probe domain, ensure that it can be resolved with a custom TXT record. The FQDN should be unique so that it does not interfere with DNS resolution; e.g. do not designate it as an SLD (example.com), as you will then be unable to resolve other records under that SLD.
    3. TXT Record: You can choose to accept the default TXT record, generate a random TXT record by clicking Generate random TXT Record, or apply a custom TXT record. To avoid a conflict between two TXT records when using a custom TXT record instead of the provided defaults, ensure that the custom probe domain can be resolved based on the information in the custom TXT record.

  4. Click Save & Close to create the endpoint group or click Cancel to return to the Infoblox Endpoint Group page without enabling protected bypass mode and probing.

Enabling Infoblox Endpoint Protected Bypass Mode on Windows Devices Enabled by Default

By default, Windows devices come with Smart Multi-Homed Name Resolution (SMHN) enabled. This causes DNS requests to be sent across all network interfaces, so that when a VPN connection is established, all connected devices can resolve the TXT record regardless of their location. For effective internal network detection, SMHN must be disabled on Windows laptops. This can be achieved either automatically through the VPN software or manually via group policy settings. If the VPN client does not automatically disable SMHN upon connection, administrators should disable it manually using group policy configuration.

Disabling Probing Requests

Probing requests can be discontinued by disabling Bypass mode. To disable probing requests, complete the following:

  1. From the Infoblox Portal, click Configure > Security > Endpoints.
  2. On the Endpoints page, select the Endpoint Groups tab, and then click the Add button.
  3. In the Bypass Mode section of the Create Endpoint Group page, toggle the State switch from Enabled to Disable
  4. Click Save and Close to save the configuration or click Cancel to return to the Infoblox Endpoint Group page without disabling protected bypass mode and probing requests.

For information on creating endpoint groups, see Creating Endpoint Groups.