
Appendix D: Infoblox Threat Defense API Guide

Infoblox Threat Defense uses Swagger to publish and deliver its APIs. For a list of available APIs, first log in to the Infoblox Portal, and then click the following link:

Below is a list of currently supported calls along with their descriptions.

Infoblox Anycast API 

Anycast capability enables HA (High Availability) configuration of Infoblox applications that run on equipment located on customer’s premises (on-prem hosts). Anycast supports DNS, as well as DNS-forwarding services.

Anycast-enabled application setups use multiple on-premises installations of one application type, all configured to use the same endpoint address. The Anycast capability is co-located with each application instance: it monitors the local instance and, as long as that instance is available, advertises to the upstream router (customer equipment) a per-instance local route to the common application endpoint address. Depending on the type of upstream router, the customer can configure route advertisement via BGP (Border Gateway Protocol), OSPF (Open Shortest Path First), or both. Multiple routes to the common service address provide redundancy without the need to reconfigure application clients.

Should an application instance become unavailable, its local route advertisement stops and the upstream router withdraws the route to that instance, so subsequent application requests are routed to the remaining available instances.

Infoblox FW API (Infoblox Threat Defense)

Detailed information for the Infoblox FW API can be viewed at:
Infoblox FW Swagger API Guide

Infoblox Threat Defense is an extension of the Infoblox Platform that provides visibility into infected and compromised off-premises devices, roaming users, remote sites, and branch offices. You can subscribe to Infoblox Threat Defense and use it to mitigate and control malware, gain insight into your network security posture, and act in a timely manner. Infoblox Platform also offers unified policy management, reporting, and threat analytics across all of these. Using automated, high-quality threat intelligence feeds and behavioral analytics, it automatically stops device communications with command-and-control (C&C) servers and botnets and prevents DNS-based data exfiltration.

The mission-critical DNS infrastructure can become a vulnerable component in your network when it is inadequately protected by traditional security solutions and consequently used as an attack surface. Compromised DNS services can result in catastrophic network and system failures. To fully protect your network in today’s cyber security threat environment, Infoblox sets a new DNS security standard by offering scalable, enterprise-grade, and integrated protection for your DNS infrastructure.

Through the Infoblox Portal, you can view the status of your subscription and threat intelligence feeds, manage your network scope and roaming end users, and learn more about threats on your networks through the Infoblox Threat Lookup tool and predefined reports.

Infoblox Endpoint API

Detailed information for the Infoblox Endpoint API can be viewed at:
Infoblox Endpoint Swagger API Guide

Infoblox Endpoint is a lightweight mobile agent that redirects DNS traffic from your remote devices to Infoblox Threat Defense. It allows you to apply applicable security policies to your roaming end users in remote sites and branch offices.

For end users to connect to Infoblox services, you must download and install Infoblox Endpoint on their devices. The client enforces the security policies applied to remote networks regardless of where your end users are located or which networks they are connected to. Infoblox Endpoint listens on port 53 of the device. If other software (for example, a local caching resolver or another DNS agent) already listens on that port, DNS traffic cannot be redirected to Infoblox Threat Defense and the device is not protected by Infoblox Endpoint, so check for conflicting port 53 listeners before deployment.

When you use Infoblox Endpoint, DNS queries are sent directly to Infoblox Threat Defense, except for (1) queries for domains on the bypass list and (2) internal domains learned from the DHCP server. If internal domains are served by your local DNS servers and you need to reach them without interruption, add them to the bypassed internal domains list so that queries for those domains go to the local DNS servers instead of Infoblox Threat Defense.
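The bypass rule above is the part of Endpoint's behaviour most likely to surprise a deployment: a bypass entry has to match on DNS label boundaries, otherwise an entry for corp.example would also pull notcorp.example away from Threat Defense. The following Python is an added illustration of that decision logic, not Infoblox Endpoint code; the domain names and the shape of the bypass and DHCP lists are assumptions made for the example.

```python
"""Routing decision for Endpoint-style DNS redirection.

Added example, not Infoblox Endpoint code: it models the rule described above.
Queries for bypassed domains and for internal domains learned from DHCP go to
the local DNS servers; everything else goes to the cloud resolver. Matching is
done on whole DNS labels so that a bypass entry for "corp.example" does not
also capture "notcorp.example".
"""
from typing import Iterable, List

CLOUD = "cloud"   # send to Infoblox Threat Defense
LOCAL = "local"   # send to the site's local DNS servers


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: lower-case, drop the trailing dot, split into labels."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def is_within(qname: str, zone: str) -> bool:
    """True if qname equals zone or is a subdomain of it, on label boundaries."""
    q, z = _labels(qname), _labels(zone)
    if not z:                      # an empty zone must never match everything
        return False
    return len(q) >= len(z) and q[len(q) - len(z):] == z


def route_query(qname: str, bypass_domains: Iterable[str], dhcp_domains: Iterable[str]) -> str:
    """Return LOCAL for bypassed or DHCP-learned internal names, CLOUD otherwise."""
    for zone in list(bypass_domains) + list(dhcp_domains):
        if is_within(qname, zone):
            return LOCAL
    return CLOUD


# Constructed sample configuration (hypothetical names, not from the page).
BYPASS_DOMAINS = ["corp.example", "10.in-addr.arpa"]
DHCP_SEARCH_DOMAINS = ["branch.internal"]


def demo() -> dict:
    """Route a handful of constructed queries and return the decisions."""
    queries = [
        "intranet.corp.example.",   # subdomain of a bypassed zone -> local
        "corp.example",             # the zone apex itself         -> local
        "notcorp.example",          # label-boundary trap          -> cloud
        "5.0.0.10.in-addr.arpa",    # reverse lookup of RFC 1918   -> local
        "printer.branch.internal",  # DHCP-learned internal domain -> local
        "www.example.com",          # everything else              -> cloud
    ]
    return {q: route_query(q, BYPASS_DOMAINS, DHCP_SEARCH_DOMAINS) for q in queries}


if __name__ == "__main__":
    for qname, target in demo().items():
        print(f"{qname:28} -> {target}")
```

The reverse zone entry is worth noting: if your local resolvers own the in-addr.arpa zones for private address space, those need to be on the bypass list too, or PTR lookups for internal hosts will be sent to the cloud resolver and fail.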

Infoblox Endpoint supports dual-stack IPv4 and IPv6 DNS configurations, thereby protecting all devices regardless of their network environments. Infoblox Endpoint in a dual-stack environment is able to proxy IPv6 DNS queries and forward them to Infoblox Platform over IPv4.

Infoblox Platform DFP API (DNS Forwarding Proxy)

Detailed information for the Infoblox Platform DFP API can be viewed at:
Infoblox DNS Forwarding Proxy Swagger API Guide


Infoblox Platform is a SaaS offering designed to protect devices on and off premises, including roaming users, remote sites, and branch offices. It provides visibility into infected and compromised devices, prevents DNS-based data exfiltration, and automatically stops device communications with command-and-control (C&C) servers and botnets, in addition to providing recursive DNS services in the cloud. You access these services by deploying the Endpoint agent or the DNS forwarding proxy.

For remote office deployments, or where installing an endpoint agent is not desirable or possible, you can use the DNS forwarding proxy. It is a software application that runs on bare-metal servers, VM infrastructure, or Infoblox NIOS appliances and embeds the originating client IP address in each DNS query before forwarding it to Infoblox Platform. The proxy-to-cloud communication is encrypted, and client visibility is maintained. The proxy also resolves local DNS zones when you configure local resolvers. Once set up, the DNS forwarding proxy becomes the main DNS server for your remote site and caches responses to speed up resolution of future queries.

With the DNS forwarding proxy in place, Infoblox Platform can enforce client-based security policies at your remote sites: DNS queries from on-premises devices carry their actual client IP addresses (rather than the site's NAT address), so Infoblox Platform can apply the policies applicable to each endpoint and identify infected clients.
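The page states that the proxy embeds the client IP in each query but not in what form. As an added example, not DFP's own code, the following Python uses the EDNS Client Subnet option (RFC 7871, option code 8) as an assumed carrier: it builds the query a proxy would forward upstream and then parses the client address back out the way the upstream resolver would. The query name and client addresses are constructed for the example.

```python
"""Embedding the original client IP in a forwarded DNS query.

Added example, not Infoblox DFP code. The mechanism Infoblox uses is not
described on the page; this example assumes the EDNS Client Subnet option
(RFC 7871, option code 8) and shows both sides: the proxy building the
forwarded query and the upstream resolver reading the client address out.
"""
import ipaddress
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type
EDNS_CLIENT_SUBNET = 8   # ECS option code
UDP_PAYLOAD = 4096


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ecs_option(client_ip: str) -> bytes:
    """Build an ECS option carrying the full client address (/32 or /128)."""
    addr = ipaddress.ip_address(client_ip)
    family, prefix = (1, 32) if addr.version == 4 else (2, 128)
    body = struct.pack("!HBB", family, prefix, 0) + addr.packed
    return struct.pack("!HH", EDNS_CLIENT_SUBNET, len(body)) + body


def build_plain_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """A query as an on-premises client would send it: no OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_forwarded_query(qname: str, client_ip: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """What the proxy sends upstream. client_ip must be the proxy's own view of
    the client (its socket peer address), never anything inside the client's
    packet; rebuilding the query drops any ECS option a client supplied."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # one question, one additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = ecs_option(client_ip)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD, 0, len(rdata)) + rdata
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def extract_client_ip(msg: bytes):
    """What the upstream sees: return (client_ip, prefix_len), or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                     # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code != EDNS_CLIENT_SUBNET:
                continue
            family, prefix, _scope = struct.unpack("!HBB", body[:4])
            width = 4 if family == 1 else 16
            packed = body[4:].ljust(width, b"\x00")        # pad a truncated prefix
            return str(ipaddress.ip_address(packed)), prefix
    return None


if __name__ == "__main__":
    # Constructed sample: branch client 192.168.1.5 (behind NAT) asks for www.example.com.
    wire = build_forwarded_query("www.example.com", "192.168.1.5")
    print(wire.hex())
    print(extract_client_ip(wire))   # ('192.168.1.5', 32)
```

The security-relevant detail is in build_forwarded_query: the embedded address comes from the proxy's view of the client, and the query is rebuilt rather than relayed, so a client cannot smuggle its own ECS option through. The upstream side should likewise honour an embedded client address only on the encrypted, authenticated channel from the proxy; accepted from arbitrary sources, it would let a client choose which endpoint's policy it is evaluated under.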

Infoblox LAD API (Infoblox Lookalike Domains)

Detailed information for the LAD API can be viewed at:
Infoblox Lookalike Domains Swagger API Guide

Infoblox LAD is an extension of the Infoblox Platform that provides lookalike domain detection. You can subscribe to Infoblox LAD and use its functionality to protect your domains from spoofing threats.

Infoblox Dossier API (Dossier and TIDE)

Detailed information for the Dossier API can be viewed at:
Infoblox Dossier Swagger API Guide

Dossier, sometimes referred to as Intel Lookup, is a threat research tool that provides contextual information from multiple sources simultaneously for a given indicator. The APIs listed below allow a user to search on specific sources and view the results that they return.


TIDE Data Service API (TIDE Data)

Detailed information for the TIDE Data API can be viewed at:
Infoblox TIDE Swagger API Guide

The heart of TIDE is the threats submitted by the Infoblox Cyber Intelligence group and external partners.

There are two main categories of bulk threat data retrievable in TIDE: threat state and threats by age. Threat state consists of records that are considered current threats, that is, threats that have not expired and have not been superseded by newer threats for the same indicator (host name, IP address, URL, hash, or email). Threats by age consists of all threats submitted in a specified time period.

For example, if the same indicator was submitted by a data provider four times in one day, a threats-by-age call for that day would return four records, while a threat state call would return only one: the most recent submission.

TIDE threat data is therefore event oriented. Threat state is the view to use when you need the current status of each indicator rather than its submission history: the materialized threat state objects contain the current active threats for all indicators of the specified record type, and they are materialized several times an hour.
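To make the two views concrete, here is an added Python model of threat state versus threats by age. It is not TIDE code: the record fields (indicator, record type, data provider, submission and expiry times) and the sample records are constructed for the example.

```python
"""Threat state vs. threats by age, as described above.

Added example, not TIDE code. The record layout and the sample data are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Threat:
    indicator: str      # host name, IP address, URL, hash or email
    record_type: str    # "host", "ip", "url", "hash" or "email"
    profile: str        # data provider that submitted the record
    submitted: datetime
    expires: datetime


def threats_by_age(records: List[Threat], record_type: str, start: datetime, end: datetime) -> List[Threat]:
    """Every record of the given type submitted in [start, end): the event-oriented view."""
    return [t for t in records if t.record_type == record_type and start <= t.submitted < end]


def threat_state(records: List[Threat], record_type: str, now: datetime) -> Dict[str, Threat]:
    """One record per indicator: the newest submission that has not expired."""
    current: Dict[str, Threat] = {}
    for t in records:
        if t.record_type != record_type or t.expires <= now:
            continue                      # expired records are not current threats
        prev = current.get(t.indicator)
        if prev is None or t.submitted > prev.submitted:
            current[t.indicator] = t      # a newer submission supersedes the older one
    return current


def at(day: int, hour: int) -> datetime:
    """Constructed timestamps in May 2024, UTC."""
    return datetime(2024, 5, day, hour, tzinfo=timezone.utc)


# Constructed sample data (hypothetical indicators and provider names).
TTL = timedelta(days=30)
SAMPLE = [
    Threat("bad.example", "host", "ProviderA", at(1, h), at(1, h) + TTL) for h in (1, 5, 9, 13)
] + [
    # submitted two months ago and expired a month ago: no longer a current threat
    Threat("stale.example", "host", "ProviderA", at(1, 2) - timedelta(days=60), at(1, 2) - timedelta(days=30)),
    Threat("203.0.113.7", "ip", "ProviderB", at(1, 3), at(1, 3) + TTL),
]
DAY_START, DAY_END = at(1, 0), at(2, 0)
NOW = at(2, 0)


def demo():
    """Return (number of host records by age on 1 May, host threat state as of NOW)."""
    by_age = threats_by_age(SAMPLE, "host", DAY_START, DAY_END)
    state = threat_state(SAMPLE, "host", NOW)
    return len(by_age), {k: v.submitted.isoformat() for k, v in state.items()}


if __name__ == "__main__":
    count, state = demo()
    print(f"threats by age (host, 1 May): {count} records")   # 4
    print(f"threat state (host):          {state}")           # bad.example only, the 13:00 submission
```

Two consequences follow for consumers of the API: deduplicate on indicator yourself if you pull threats-by-age into a blocklist, and do not treat absence from threat state as proof an indicator was never reported, only that its latest record has expired.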


Note

API key expiration notification: The maximum lifetime of an API key is 56 weeks or 13 months. You will be notified when an API key is about to expire, and a new API key must be created to replace it. To retire the expiring key, select it from the list of API keys and remove it by clicking Disable followed by Delete. To create a replacement API key, see How Do I Create an API Key.


Additional API Resources

Listed below are additional API resources.