Infoblox DNS Firewall

Note

From NIOS 9.0 onwards, IB-4030 and IB-4030-10GE appliances are not supported.
Similar features and functionality are available on software-based DNS Cache Acceleration (DCA) appliances, and Infoblox recommends using the supported software-based DCA appliances. For a list of supported appliances, see Supported DNS Cache Acceleration Appliances.

Infoblox DNS Firewall employs DNS RPZ (Response Policy Zones), a technology developed by ISC (Internet Systems Consortium) that allows reputable sources to dynamically communicate the reputation of domain names so you can implement policy controls for DNS lookups.
You can configure RPZs on an IB-4030 or IB-4030-10GE member and define RPZ rulesets to block DNS resolutions for malicious or unauthorized domain names. For information 
To configure Response Policy Zones, you must install a valid RPZ Enablement license.


To configure local RPZ and RPZ feed, see the NIOS Documentation at docs.infoblox.com. You can assign an IB-4030 or IB-4030-10GE member that has DNS cache acceleration enabled as a Grid primary or secondary for the local RPZ. For an RPZ feed, you can assign an IB-4030 or IB-4030-10GE member as a Grid secondary or Grid lead secondary.
Local RPZs and RPZ feeds do not support DDNS updates. For more information, see the NIOS Documentation at docs.infoblox.com.
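To show how an RPZ ruleset becomes a policy decision for a lookup, here is an added example (not Infoblox or ISC code) that evaluates QNAME triggers from a constructed local RPZ zone, using the standard RPZ rule encodings (CNAME . for NXDOMAIN, CNAME *. for NODATA, CNAME rpz-passthru. for PASSTHRU, and local data records). The zone name rpz.local and all rules are hypothetical; IP, NSDNAME and NSIP triggers are not modelled.

```python
"""QNAME-trigger evaluator for a local RPZ ruleset (added example, not
Infoblox or ISC code). Models the QNAME trigger and the standard RPZ
action encodings only; IP/NSDNAME/NSIP triggers are out of scope."""

# Constructed ruleset for a hypothetical local RPZ zone "rpz.local".
# Owner names are relative to the zone apex; the RDATA encodes the action.
RPZ_RULES = [
    ("malware.example",     "CNAME", "."),              # NXDOMAIN
    ("*.malware.example",   "CNAME", "."),              # NXDOMAIN for all subdomains
    ("tracker.example",     "CNAME", "*."),             # NODATA
    ("cdn.partner.example", "CNAME", "rpz-passthru."),  # PASSTHRU: exempt from policy
    ("sinkhole.example",    "A",     "192.0.2.10"),     # local data: walled garden
]

def action_for(rtype, rdata):
    """Map a rule's type and RDATA to the RPZ policy action it encodes."""
    if rtype == "CNAME":
        special = {".": "NXDOMAIN", "*.": "NODATA",
                   "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}
        if rdata in special:
            return (special[rdata], None)
        return ("LOCAL-CNAME", rdata)   # redirect to another name
    return ("LOCAL-" + rtype, rdata)    # answer with this local record

def evaluate(qname, rules=RPZ_RULES):
    """Return (action, data) for qname, or ("NOMATCH", None).

    An exact owner match wins; otherwise the closest enclosing wildcard
    rule (*.parent) applies. In RPZ a wildcard covers subdomains at any
    depth, so every enclosing suffix is tried, nearest first.
    """
    name = qname.rstrip(".").lower()
    by_owner = {owner.lower(): (rt, rd) for owner, rt, rd in rules}
    if name in by_owner:
        return action_for(*by_owner[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in by_owner:
            return action_for(*by_owner[wild])
    return ("NOMATCH", None)
```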


VLAN Tagging support

The DNS Cache Acceleration appliance supports VLAN (Virtual Local Area Network) interfaces on the LAN1, LAN2, and HA ports. Only the DNS service can listen on the VLAN interfaces. You can define a default route on the VLAN, LAN1, and LAN2 interfaces. For more information about configuring a VLAN interface, see the NIOS Documentation at docs.infoblox.com.
You can use the set network command to set the primary IPv4 and IPv6 LAN1 networks as a tagged or an untagged VLAN interface. To view the VLANs on each port, use the show interface command. The appliance also allows the VLAN interface on LAN1 to be used as an advertising interface for OSPF. For more information, see the NIOS Documentation at docs.infoblox.com.

Limitations of VLAN on IB-4030 or IB-4030-10GE

The following are the limitations of the VLAN interface on a DNS Cache Acceleration appliance:

  • The appliance does not support overlap of addresses or networks across VLANs.
  • You cannot update member network properties when a scheduled upgrade is in progress.
  • The appliance does not support SNMP interface statistics and traffic report statistics for accelerated DNS traffic over tagged VLANs, as this may lead to performance overhead.

Enabling VLAN Support Using CLI Commands

You can use the set network command to set the primary IPv4 and IPv6 LAN1 networks as a tagged or an untagged VLAN interface.
Example:

Infoblox > set network
NOTICE: All HA configuration is performed from the GUI. This interface is
        used only to configure a standalone node or to join a Grid.
Enter IP address: 10.35.1.120
Enter netmask [Default: 255.255.0.0]: 255.255.0.0
Enter gateway address [Default: 10.35.0.1]: 10.35.0.1
Enter VLAN tag [Default: Untagged]: 110
Configure IPv6 network settings:
Enter IPv6 address [Default: 2620:10a:6000:2400::178]: 2620:010A:6000:2400:0000:0000:0000:6508
Enter IPv6 Prefix Length [Default: 64]: 64
Enter IPv6 gateway [Default: 2620:10a:6000:2400::1]: 2620:010A:6000:2400:0000:0000:0000:0001
Enter VLAN tag [Default: Untagged]: 110
NOTE: Configure of IPv4/IPv6 pure mode can be performed only via GUI.
Become grid member? (y or n):

You can execute the show network command to view the VLAN ID and tagged networks.
Example:

Infoblox > show network
Current LAN1 Network Settings:

IPv4 Address:               10.35.1.154
Network Mask:               255.255.0.0
Gateway Address:            10.35.0.1
VLAN Tag:                   Untagged
IPv6 Address:               2620:10a:6000:2400::19a/64
IPv6 Gateway Address:       2620:10a:6000:2400::1
IPv6 VLAN Tag:              Untagged
HA enabled:                 false

Grid Status:                Master of Infoblox Grid

Current Management Network Settings:

Management Port enabled:        true
Management IPv4 Address:        10.36.1.154
Management Netmask:             255.255.0.0
Management Gateway Address:     10.36.0.1
Management IPv6 Address:        2620:10a:6000:2500::19a/64
Management IPv6 Gateway Address:2620:10a:6000:2500::1
Restrict Support and remote console access to MGMT port:   false

Current LAN2 Network Settings:

LAN2 Port enabled:                      true
NIC failover for LAN1 and LAN2 enabled: false
LAN2 IPv4 Address:                      10.34.71.188
LAN2 Netmask:                           255.255.255.0
LAN2 Gateway:                           10.34.71.1
LAN2 VLAN Tag:                          Untagged
LAN2 IPv6 Address:                      2620:10a:6000:22a3::bc/64
LAN2 IPv6 Gateway:                      2620:10a:6000:22a3::1
LAN2 IPv6 VLAN Tag:                     Untagged

To view VLANs for each port, you can use the show interface command. It displays the VLAN ID, tagged networks, and additional IP addresses that are configured for the network.

Infoblox > show interface
LAN1:

IP Address:  10.35.1.154       MAC Address: F4:87:71:00:07:05
Mask:        255.255.0.0       Broadcast: 10.35.255.255
MTU:         1500              Metric: 1
IPv6 Address:        2620:10a:6000:2400::19a/64
IPv6 Link:           fe80::f687:71ff:fe00:705/64
IPv6 Status:         Enabled
Negotiation: unknown
Speed:       1000M             Duplex: Full
Status:      UP BROADCAST RUNNING MULTICAST
SFP Type:    Fiber SX
SFP Model:   Finisar(FTLF8519P2BCL)

Statistics   Information

 Received

packets:  4715756 bytes:   287346518 (274.0 MiB)
errors:   0       dropped: 549
overruns: 0       frame:   0

Transmitted

packets:  21677   bytes:   15193301 (14.4 MiB)
errors:   0       dropped: 0
overruns: 0       carrier: 0

Collisions:  0       Txqueuelen: 1000

It displays the VLAN details as follows:

LAN1 (VLAN Tag: 273):

IP Address: 10.34.80.188 MAC Address: F4:87:71:00:07:05
Mask: 255.255.255.0 Broadcast: 10.34.80.255
MTU: 1500 Metric: 1
IPv6 Address: 2620:10a:6000:22ac::bc/64
IPv6 Link: fe80::f687:71ff:fe00:705/64
IPv6 Status: Enabled
Negotiation: unknown
Speed: 1000M Duplex: Full
Status: UP BROADCAST RUNNING MULTICAST

Statistics Information

  Received

packets:  2964       bytes: 159373 (155.6 KiB)
errors:   0          dropped: 0
overruns: 0          frame: 0

  Transmitted

packets:  2272       bytes:   111809 (109.1 KiB)
errors:   0          dropped: 0
overruns: 0          carrier: 0

Collisions: 0    Txqueuelen: 0

Enter <return> for next page or q<return> to cancel the command.
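Because the appliance does not support overlapping addresses or networks across VLANs (see the limitations above), a practitioner may want to check a show interface capture before committing a VLAN plan. The following is an added example, not Infoblox code: it parses a constructed excerpt shaped like the show interface output above (one LAN2 VLAN 110 block is invented, with a deliberate overlap) and reports distinct port/VLAN interfaces whose networks overlap. The IPv4 "IP Address:" and "Mask:" lines are the only fields parsed; IPv6 lines are ignored.

```python
import ipaddress
import re

# Constructed excerpt in the shape of the show interface output above.
# The LAN2 (VLAN Tag: 110) block is invented and overlaps LAN1's VLAN 273 network.
SAMPLE = """\
LAN1:
IP Address:  10.35.1.154       MAC Address: F4:87:71:00:07:05
Mask:        255.255.0.0       Broadcast: 10.35.255.255
LAN1 (VLAN Tag: 273):
IP Address: 10.34.80.188 MAC Address: F4:87:71:00:07:05
Mask: 255.255.255.0 Broadcast: 10.34.80.255
LAN2 (VLAN Tag: 110):
IP Address: 10.34.80.5 MAC Address: F4:87:71:00:07:06
Mask: 255.255.255.0 Broadcast: 10.34.80.255
"""

# Block headers look like "LAN1:" (untagged) or "LAN1 (VLAN Tag: 273):".
HEADER = re.compile(r"^(LAN\d|HA)(?: \(VLAN Tag: (\d+)\))?:$")

def parse_interfaces(text):
    """Return [(port, vlan_tag_or_None, IPv4Interface)] from show interface text."""
    result, port, tag, ip = [], None, None, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            port, tag, ip = m.group(1), m.group(2) and int(m.group(2)), None
            continue
        if line.startswith("IP Address:"):
            ip = line.split()[2]
        elif line.startswith("Mask:") and ip:
            # ipaddress accepts a dotted netmask after the slash.
            result.append((port, tag, ipaddress.ip_interface(f"{ip}/{line.split()[1]}")))
    return result

def find_overlaps(ifaces):
    """Pairs of distinct (port, VLAN) interfaces whose networks overlap."""
    problems = []
    for i, (pa, ta, ia) in enumerate(ifaces):
        for pb, tb, ib in ifaces[i + 1:]:
            if (pa, ta) == (pb, tb) or ia.version != ib.version:
                continue
            if ia.network.overlaps(ib.network):
                problems.append(((pa, ta, str(ia)), (pb, tb, str(ib))))
    return problems
```

An empty result from find_overlaps means the plan satisfies the no-overlap limitation for the addresses captured.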

You can use the set default_route command to specify an optional VLAN address and make it the default route. For more information, see the CLI section of the NIOS Documentation at docs.infoblox.com.