Configuring NIOS as a DoH or DoT server
As of NIOS 8.5.2, there is support for DNS over HTTPS and DNS over TLS.
Note: DNS over HTTPS and DNS over TLS are not supported on a Grid Master or Grid Master Candidate. See the link under System Requirements below for the supported appliance platforms.
Licensing and Certificate Requirements
DNS over TLS and DNS over HTTPS require the vDCA (virtual DNS Cache Acceleration) or vADP (virtual Advanced DNS Protection) service to be licensed and enabled. If the vDCA and/or the vADP services are not enabled, the DNS over TLS and DNS over HTTPS features will not work even if they are enabled.
The DNS over TLS or the DNS over HTTPS service uses the same self-signed certificate that NIOS generates for HTTPS communication when it first starts.
Infoblox recommends that you generate a certificate signing request (CSR) and use it to obtain a signed certificate from your own trusted certificate authority (CA).
System Requirements
See the NIOS Administrator’s guide at the following link: Configuring DNS over TLS and DNS over HTTPS Services - Infoblox NIOS 8.5
To configure the DNS over HTTPS feature, complete the following steps:
1. Grid member: On the Data Management tab, click the DNS tab -> Members tab, select the member check box, and then click the Edit icon. Standalone system: On the Data Management tab, click the DNS tab, expand the Toolbar, and then click System DNS Properties.
2. In the Member DNS Properties editor/System DNS Properties editor, click Toggle Advanced Mode if the editor is in basic mode.
3. On the Queries tab, select the Enable DoH Service check box to enable the DNS over HTTPS feature.
4. In the Maximum Session Duration field, specify the maximum time in seconds a session can remain idle before it times out and closes. The default value is 10 seconds.
5. Save the configuration.
6. As prompted, manually restart the member to enable the DNS over HTTPS feature.
To configure the DNS over TLS feature, complete the following steps:
1. Grid member: On the Data Management tab, click the DNS tab -> Members tab, select the member check box, and then click the Edit icon. Standalone system: On the Data Management tab, click the DNS tab, expand the Toolbar, and then click System DNS Properties.
2. In the Member DNS Properties editor/System DNS Properties editor, click Toggle Advanced Mode if the editor is in basic mode.
3. On the Queries tab, select the Enable DoT Service check box to enable the DNS over TLS feature.
4. In the Maximum Session Duration field, specify the maximum time in seconds a session can remain idle before it times out and closes. The default value is 60 seconds.
5. Save the configuration.
6. As prompted, manually restart the member to enable the DNS over TLS feature.
CLI Commands
From an SSH session or console connection, you can view the status of the DNS over HTTPS or DNS over TLS service, configuration, and details of active sessions using the following commands:
show doh-status
Infoblox > show doh-status
DoH is enabled
DoH trace is off
DoH key logging is off
Max server sockets: 128
curr server sockets: 2
Max client sockets: 200128
curr client sockets: 0
show doh-config
Infoblox > show doh-config
DoH listen on v4 addresses:
10.39.51.58
DoH listen on v6 addresses:
2620:10a:6000:2745::1011
DoH listen on port: 443
show doh-stats
Infoblox > show doh-stats
IP 10.39.51.58
rx_queries: 0
tx_queries: 0
dropped_packets: 0
max_qry_overflow_sess_drop: 0
opened_sessions: 11
closed_sessions: 11
curr_sessions: 0
IP 2620:010a:6000:2745::1011
rx_queries: 0
tx_queries: 0
dropped_packets: 0
max_qry_overflow_sess_drop: 0
opened_sessions: 0
closed_sessions: 0
curr_sessions: 0
show dns-over-tls-status
Infoblox > show dns-over-tls-status
DoT is enabled
DoT trace is off
DoT key logging is off
show dns-over-tls-config
Infoblox > show dns-over-tls-config
DoT listen on v4 addresses:
10.39.51.58
DoT listen on v6 addresses:
2620:10a:6000:2745::1011
DoT listen on port: 853
show dns-over-tls-stats
Infoblox > show dns-over-tls-stats
IP 10.39.51.58 (TLS):
rx_packets: 0
tx_packets: 0
dropped_packets: 0
max_qry_overflow_sess_drop: 0
opened_sessions: 0
closed_sessions: 0
curr_sessions: 0
IP 2620:010a:6000:2745::1011 (TLS):
rx_packets: 0
tx_packets: 0
dropped_packets: 0
max_qry_overflow_sess_drop: 0
opened_sessions: 0
closed_sessions: 0
curr_sessions: 0
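Once the CLI shows the services listening on 443 and 853, a quick client-side check confirms that each endpoint answers and that its certificate chains to the CA you installed (the self-signed default will fail verification unless you pass its CA). This is an added example, not Infoblox's code: it builds a wire-format query, sends it over DoT (length-prefixed inside TLS) and over DoH (RFC 8484 POST), and decodes the reply header. The /dns-query path and the use of a hostname that matches the certificate's SAN are assumptions.

```python
import http.client
import socket
import ssl
import struct

QID = 0x1234  # constructed query id; a production client randomises it per query
def build_query(name, qtype=1):
    """Wire-format DNS query (RFC 1035): 12-byte header with RD set + one IN question."""
    header = struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 0)
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_response(msg):
    """Validate the header of a reply and return its rcode, answer count and TC bit."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != QID or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return {"rcode": flags & 0xF, "answers": an, "truncated": bool(flags & 0x0200)}

def tls_context(ca_file=None):
    """Verifying TLS context: chain and hostname are checked, TLS 1.2 minimum.
    ca_file = the CA that signed the NIOS certificate (None = system trust store)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def query_dot(server, name, ca_file=None, port=853):
    """DoT (RFC 7858): the TCP DNS format (2-byte length prefix) inside TLS on 853."""
    q = build_query(name)
    with socket.create_connection((server, port), timeout=5) as raw:
        # server_hostname must match the certificate's SAN (assumed: server is a hostname)
        with tls_context(ca_file).wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)
            reader = tls.makefile("rb")
            (length,) = struct.unpack("!H", reader.read(2))
            return parse_response(reader.read(length))

def query_doh(server, name, ca_file=None, port=443, path="/dns-query"):
    """DoH (RFC 8484) POST on 443; the /dns-query path is an assumption."""
    conn = http.client.HTTPSConnection(server, port, timeout=5, context=tls_context(ca_file))
    conn.request("POST", path, body=build_query(name),
                 headers={"Content-Type": "application/dns-message",
                          "Accept": "application/dns-message"})
    resp = conn.getresponse()
    ctype = resp.getheader("Content-Type", "")
    if resp.status != 200 or not ctype.startswith("application/dns-message"):
        raise RuntimeError(f"unexpected DoH reply: HTTP {resp.status}, {ctype!r}")
    return parse_response(resp.read())
```

Run query_dot("dns.example.internal", "www.example.com", ca_file="corp-ca.pem") and the DoH equivalent against the member; an ssl.SSLCertVerificationError means the certificate presented on that port is not the one signed by your CA.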
Modifying ADP rules
ADP blocks SVCB and HTTPS DNS records by default. These record types can be used to discover DoH resolvers that are not operated by your organization, and they can also be used to bypass the protections of Response Policy Zones (RPZ). For most enterprise organizations, we recommend that you continue to block these record types until the standards they are based on are completed and additional protections can be implemented. If you decide to pass these messages instead, you need to modify 4 rules in the Threat Protection Ruleset as described below.
1. Navigate to Data Management → Security → Threat Protection Rules.
2. Scroll down the list to DNS Message Types and click the arrow to expand the list. Click the ‘Rule Name’ column header to sort the rules in ascending or descending order.
3. Scroll down the list to view the following filters:
DNS HTTPS record - Rule ID 130502880
DNS HTTPS record TCP - Rule ID 130506000
DNS SVCB record - Rule ID 130502870
DNS SVCB record TCP - Rule ID 130505900
Note: You may need to toggle the ‘Rule Name’ sort order in order to view the rules and perform the steps above.
4. Click the corresponding hamburger icon and select ‘Edit’.
5. Click the ‘Settings’ button, then click the ‘Action’ drop-down menu and select ‘Pass’. Click ‘Save & Close’.
6. Repeat steps 3-5 above for the remaining records mentioned in step 3.
Generating Certificate Signing Requests
The DNS over TLS or the DNS over HTTPS service uses the same self-signed certificate that NIOS generates for HTTPS communication when it first starts. You can also generate a certificate signing request (CSR) and use it to obtain a signed certificate from your own trusted certificate authority (CA).
1. Navigate to Grid → Grid Manager → Members.
2. Click on a member. Navigate to Toolbar → Certificates → HTTPS Certificate → Create Signing Request.
3. Fill out the dialog box. Click OK.