
Using DNS Forwarding Proxy

To protect your enterprise networks from DNS-based cyber attacks, you can deploy a DFP (DNS forwarding proxy) to secure DNS traffic between your on-premises networks and Infoblox Platform. The DFP is a recursive DNS server configured to forward DNS queries to Infoblox Platform on behalf of a DNS client. Infoblox Platform sends DNS responses to the DFP, and the DFP then relays the responses back to the client. Once the DFP has built up a cache of responses, it answers repeated queries from the cache in addition to forwarding new ones. This improves the client experience by reducing response time and traffic over the internet.

The DFP communicates with Infoblox Platform using DoT (DNS over Transport Layer Security) over the custom TCP port 443. Infoblox does not use the standard DoT port (TCP 853) on the DFP or on Infoblox Endpoint. All other requests sent by standard DNS resolvers, DNS servers, and external networks to Infoblox Platform are not encrypted, and that communication occurs over port 53.

The following illustration describes a high-level view of the DFP operation:

Diagram: The DNS Forwarding Proxy running the DFP service sends DNS queries through an on-premises DNS firewall to the Infoblox Anycast DNS Server. The communication between the DNS Forwarding Proxy and the Infoblox Platform is secured using DNS over TLS, ensuring that the DNS queries and responses are encrypted.

Implementation Recommendations for DoT

Infoblox recommends that organizations block direct DNS traffic, including DNS over TLS (DoT), between internal IP addresses and external DNS servers. This strategy helps prevent the operation of certain malware types, such as DNSChanger, by ensuring that internal devices must use the organization's own DNS infrastructure. This managed DNS setup can enforce name resolution policies through security features like Response Policy Zones (RPZs), enhancing network protection.

Blocking standard DNS and DoT traffic between internal IP addresses and external DNS servers is simple. Firewall rules like the following, evaluated in order, should suffice:

allow tcp/udp in/out on port 53

deny tcp/udp in/out to all IP addresses on port 53
deny tcp/udp in/out to all IP addresses on port 853
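The rule list above only works if the scoped allow is evaluated before the broad denies. The following added example (not Infoblox code) models first-match evaluation of that rule set against a few constructed flows and audits the outcome, so the effect of rule ordering can be checked before the rules go into a real firewall. The resolver address 10.0.0.53 and the external addresses in 192.0.2.0/24 (TEST-NET-1) are placeholders; the page does not state which destination the allow rule is scoped to, so scoping it to a single resolver is an assumption of this example.

```python
"""Added example, not Infoblox code: first-match evaluation of the egress
DNS rule set shown above, run against constructed flows.

Assumptions not on the page: the allow rule is scoped to the organization's
own resolver, taken here as the placeholder address 10.0.0.53, and external
hosts are represented by TEST-NET-1 addresses (192.0.2.0/24)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

RESOLVER = ipaddress.ip_network("10.0.0.53/32")  # placeholder: the permitted DNS resolver


@dataclass(frozen=True)
class Rule:
    action: str                                # "allow" or "deny"
    protos: frozenset                          # e.g. {"tcp", "udp"}
    dst: Optional[ipaddress.IPv4Network]       # None means "all IP addresses"
    port: int


BOTH = frozenset({"tcp", "udp"})

# The order mirrors the rule list above: the scoped allow comes first,
# then the broad denies for plain DNS (53) and DoT (853).
RULES = [
    Rule("allow", BOTH, RESOLVER, 53),
    Rule("deny", BOTH, None, 53),
    Rule("deny", BOTH, None, 853),
]


def evaluate(proto, dst, dport, rules=RULES):
    """Return the action of the first rule matching the flow.

    Flows that no DNS rule matches fall through to "allow" here; in a real
    firewall they are decided by whatever policy follows these rules."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if proto in rule.protos and dport == rule.port and (rule.dst is None or dst_ip in rule.dst):
            return rule.action
    return "allow"


# Constructed flows and the outcome the policy above is meant to produce.
EXPECTED = [
    ("udp", "10.0.0.53", 53, "allow"),    # internal hosts reach the permitted resolver
    ("tcp", "10.0.0.53", 53, "allow"),
    ("udp", "192.0.2.10", 53, "deny"),    # direct DNS to an external server
    ("tcp", "192.0.2.10", 853, "deny"),   # DoT to an external server
    ("tcp", "192.0.2.10", 443, "allow"),  # unrelated HTTPS traffic is not touched
]


def audit(rules=RULES, expected=EXPECTED):
    """Return the flows whose actual decision differs from the expected one."""
    return [(proto, dst, port, want, evaluate(proto, dst, port, rules))
            for proto, dst, port, want in expected
            if evaluate(proto, dst, port, rules) != want]


if __name__ == "__main__":
    print("mismatches with rules in the documented order:", audit())
    # Putting the denies first silently breaks resolver access: the allow never matches.
    print("mismatches with the allow rule last:", audit(RULES[1:] + RULES[:1]))
```

Running the script shows no mismatches for the documented order and two for the reversed order (both resolver flows denied), which is the failure mode to watch for when these rules are merged into an existing rule base.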

If a host cannot reach the Infoblox Anycast DNS server for any reason, it sends its requests to a local DNS resolver that protects DNS clients using security RPZ (DNS Firewall) feeds (provided an on-prem DNS firewall is configured for the NIOS Grid). If queries are meant to fall back in these conditions, a DNS fallback resolver must be configured. The DFP then uses the fallback DNS server as its endpoint whenever the primary server is unavailable. The fallback to a local DNS server option (instead of the default DNS resolution path) can be used in situations where Infoblox Platform is unreachable.

You can deploy DFP as a service on physical Infoblox appliances, virtual appliances, and NIOS appliances in your enterprise network. To deploy a DFP, you first set up an Infoblox host, and then create a DFP service instance and apply it to the host. Once the DFP is set up, DNS queries are sent directly to Infoblox Platform. If you have internal domains that are served by local DNS servers and you want to reach them without interruption, consider adding them to the bypassed internal domains list. When you add them, DNS queries for these internal domains are sent to the local DNS servers instead of Infoblox Platform.
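The forwarding behaviour described in this section and in the fallback paragraph above has three branches: bypassed internal domains go to local DNS servers, everything else goes to Infoblox Platform over DoT on TCP 443, and a configured fallback resolver takes over when the Platform is unreachable; the introduction adds that cached answers are served before any forwarding. The following added example (not Infoblox code) models those decisions together with a minimal TTL cache. The endpoint names, addresses, the bypass list and the reachability flag are all constructed placeholders, and the upstream call is injected so the model runs offline.

```python
"""Added example, not Infoblox code: a model of the DFP forwarding decision
(bypassed internal domains -> local DNS; otherwise -> Infoblox Platform over
DoT/443; Platform unreachable -> configured fallback resolver) plus a small
TTL cache consulted before forwarding. All addresses, names and the
reachability flag are constructed assumptions."""
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DfpConfig:
    platform_endpoint: tuple = ("infoblox-platform.example", 443)   # placeholder host; DoT on custom port 443
    local_dns: tuple = ("10.0.0.10", 53)                             # placeholder on-prem DNS for bypassed domains
    fallback_resolver: Optional[tuple] = ("10.0.0.11", 53)           # placeholder; None = no fallback configured
    bypass_domains: tuple = ("corp.example", "lab.example")          # constructed bypassed internal domains


def _norm(name):
    """Canonical form for matching: no trailing dot, lower case."""
    return name.rstrip(".").lower()


def is_bypassed(qname, bypass_domains):
    """True when qname equals a bypassed domain or lies beneath it."""
    q = _norm(qname)
    return any(q == _norm(d) or q.endswith("." + _norm(d)) for d in bypass_domains)


@dataclass
class Cache:
    entries: dict = field(default_factory=dict)   # key -> (answer, expiry time)

    def get(self, key, now):
        hit = self.entries.get(key)
        if hit and hit[1] > now:
            return hit[0]
        self.entries.pop(key, None)               # drop expired entry
        return None

    def put(self, key, answer, ttl, now):
        self.entries[key] = (answer, now + ttl)


def route_query(qname, cfg, platform_reachable):
    """Return (destination, transport) for a query that has to be forwarded."""
    if is_bypassed(qname, cfg.bypass_domains):
        return cfg.local_dns, "udp/53"
    if platform_reachable:
        return cfg.platform_endpoint, "dot/443"
    if cfg.fallback_resolver is not None:
        return cfg.fallback_resolver, "udp/53"
    raise RuntimeError("Infoblox Platform unreachable and no fallback resolver configured")


def resolve(qname, qtype, cfg, cache, platform_reachable, send, now=None):
    """Cache-first resolution. `send(dest, transport, qname, qtype)` performs the
    upstream exchange and returns (answer, ttl); it is injected so tests run offline."""
    now = time.time() if now is None else now
    key = (_norm(qname), qtype)
    cached = cache.get(key, now)
    if cached is not None:
        return cached, "cache"
    dest, transport = route_query(qname, cfg, platform_reachable)
    answer, ttl = send(dest, transport, qname, qtype)
    cache.put(key, answer, ttl, now)
    return answer, transport


def fake_send(dest, transport, qname, qtype):
    """Stand-in upstream: constructed answer with a 30 second TTL."""
    return f"constructed-{qtype}-answer-for-{_norm(qname)}", 30


if __name__ == "__main__":
    cfg, cache = DfpConfig(), Cache()
    for name in ("host.corp.example.", "www.example.org", "WWW.example.org."):
        print(name, "->", resolve(name, "A", cfg, cache, True, fake_send, now=1000))
    print("platform down:", resolve("mail.example.org", "A", cfg, cache, False, fake_send, now=1000))
```

The name matching normalises case and the trailing dot so that `corp.example` and `www.corp.example.` are both bypassed while `notcorp.example` is not; a bypass list that matched on plain suffix strings would leak the latter to the wrong server.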