
Part 8 Infoblox Infrastructure Security

The mission-critical DNS infrastructure can become a vulnerable component in your network when it is inadequately protected by traditional security solutions and consequently used as an attack surface. Compromised DNS services can result in catastrophic network and system failures. To fully protect your network in today's cyber security threat environment, Infoblox sets a new DNS security standard by offering scalable, enterprise-grade, and integrated protection for your DNS infrastructure.
While your external (internet-facing) DNS server can be subject to cyber attacks such as DNS DDoS (Distributed Denial of Service) and others, threats can also come from the inside of your firewalls. Today's targeted attacks pose risk to both data and infrastructure inside an enterprise. You could have an endpoint infected with malware or threats trying to communicate with C&C (Command-and-Control) servers that use DNS as a protocol. You could also have a malicious insider trying to steal valuable digital assets by opening a DNS tunnel or embedding data in DNS queries.
Depending on how you want to protect your mission-critical DNS infrastructure, you can configure your Infoblox appliance to mitigate against external, internal, or both (external and internal) DNS threats.
This section contains information about the Infoblox infrastructure security features that protect external DNS from cyber DNS attacks and internal DNS from infrastructure attacks, data exfiltration, and APTs (Advanced Persistent Threats) and malware.

  • Infoblox Advanced DNS Protection

The Infoblox Advanced DNS Protection solution employs hardware-accelerated security rules to detect, report upon, and stop attacks such as DDoS, DNS reflection, DNS amplification, DNS hijacking, and other network attacks targeting DNS authoritative applications. This security solution helps minimize "false positives" and ensures that your mission-critical DNS services continue to function even when under attack. For more information, see Infoblox Advanced DNS Protection.

  • Infoblox DNS Firewall

Infoblox DNS Firewall uses DNS RPZs (Response Policy Zones), which let reputable sources dynamically communicate the reputation of domain names so that you can implement policy controls for DNS lookups. For more information, see Infoblox DNS Firewall.

  • Infoblox Threat Insight

The Infoblox Threat Insight solution defends against data exfiltration through DNS tunneling for ultimate network protection. For more information, see Infoblox Threat Insight.

  • Security Ecosystem

The Infoblox security ecosystem comprises FireEye-integrated RPZs for detecting malware and APTs and the TAXII (Trusted Automated eXchange of Indicator Information) service for mitigating cyber attacks. For more information, see Infoblox DNS Firewall.
For best practices in securing your networks, you can also set up DNS blacklists or configure a security banner. When you enable DNS Integrity Check for top-level authoritative zones, the appliance verifies DNS data in the NS RRsets and glue records, and reports any data discrepancies so you can mitigate possible DNS domain hijacking.
Following are other DNS security features for your network security:

  • Access Control (Named ACLs)

To effectively manage your core network services, you can grant legitimate hosts access to specific operations on the appliance using an ACL (access control list) or anonymous ACEs (access control entries). You can also configure a named ACL and apply it to multiple operations, such as file distribution and DNS zone transfers. For more information, see Configuring Access Control.

  • DNS blacklists

Your organization can prevent customers or employees from accessing certain Internet resources, particularly web sites, by prohibiting a recursive DNS member from resolving queries for domain names that you specify. You can configure a recursive DNS member to redirect the DNS client to predefined IP addresses or return a REFUSED response code (indicating that resolution is not performed because of local policy), depending on the domain name. For more information, see About Blacklists.

  • Security Banner

You can configure and publish a notice and consent banner as the first login screen that includes specific terms and conditions you want end users to accept before they log in to the Infoblox Grid. When you enable the notice and consent banner, users must accept the terms and conditions displayed on the consent screen before accessing the login screen of Grid Manager. For more information, see Configuring Notice and Consent Banner.

  • DNS Integrity Check

DNS domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant. In some cases, hijackers change the DNS data of a domain after gaining control of it. They consequently redirect users to a fraudulent site, instead of the legitimate site, on the Internet. To protect your authoritative DNS servers against this type of domain hijacking, you can configure the appliance to monitor NS records and glue records for top-level authoritative zones. Based on your configuration, the appliance periodically checks the DNS data for the zones and compares the data with that in the appliance database. The severity of the data discrepancies can help identify possible domain hijacking. For more information about this feature, see About DNS Integrity Check for Authoritative Zones.
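The comparison that the integrity check performs, shown as an added example that is not Infoblox's own code: the live NS RRset and glue of a delegation are parsed from zone-file style text and compared against the copy the database holds, and each discrepancy is ranked. The record lines, the hostnames and addresses (RFC 5737 documentation ranges), the severity labels and the ranking rules are all this example's assumptions.

```python
"""Added example: a DNS Integrity Check-style comparison of a zone's live NS
RRset and glue records against the copy held in the appliance database.
The record text, the severity labels and the check structure are this
example's own assumptions; they are not Infoblox's implementation."""

# Constructed: what the appliance database holds for the delegation.
EXPECTED_RECORDS = """
example.com.      172800 IN NS ns1.example.com.
example.com.      172800 IN NS ns2.example.com.
ns1.example.com.  172800 IN A  192.0.2.1
ns2.example.com.  172800 IN A  192.0.2.2
"""

# Constructed: what a periodic query of the parent zone actually returns,
# with ns2 gone and a name server the database never knew about added.
OBSERVED_RECORDS = """
example.com.      172800 IN NS ns1.example.com.
example.com.      172800 IN NS ns3.example.net.
ns1.example.com.  172800 IN A  192.0.2.1
ns3.example.net.  172800 IN A  203.0.113.9
"""

SEVERITY_RANK = {"OK": 0, "MEDIUM": 1, "HIGH": 2}


def parse_delegation(zone, records):
    """Return {ns_hostname: set(glue_addresses)} for the given zone from
    zone-file style lines (owner TTL class type rdata)."""
    zone = zone.lower()
    ns_names, addresses = set(), {}
    for line in records.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        owner, rdata = owner.lower(), rdata.strip().lower()
        if rtype == "NS" and owner == zone:
            ns_names.add(rdata)
        elif rtype in ("A", "AAAA"):
            addresses.setdefault(owner, set()).add(rdata)
    # Glue only matters for the names that actually appear in the NS RRset.
    return {name: addresses.get(name, set()) for name in ns_names}


def compare_delegation(expected, observed):
    """List (severity, description) discrepancies between two delegations.
    An unexpected name server or changed glue can redirect the whole zone,
    so those rank above a merely missing server."""
    findings = []
    for name in sorted(set(observed) - set(expected)):
        findings.append(("HIGH", f"unexpected NS {name} in live delegation "
                                 f"(glue {sorted(observed[name])})"))
    for name in sorted(set(expected) - set(observed)):
        findings.append(("MEDIUM", f"NS {name} missing from live delegation"))
    for name in sorted(set(expected) & set(observed)):
        if expected[name] != observed[name]:
            findings.append(("HIGH", f"glue for {name} changed: expected "
                                     f"{sorted(expected[name])}, observed "
                                     f"{sorted(observed[name])}"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or 'OK' when there are none."""
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.get, default="OK")


if __name__ == "__main__":
    exp = parse_delegation("example.com.", EXPECTED_RECORDS)
    obs = parse_delegation("example.com.", OBSERVED_RECORDS)
    found = compare_delegation(exp, obs)
    print("result:", worst_severity(found))
    for sev, text in found:
        print(f"  [{sev}] {text}")
```

Run as a script it reports one HIGH finding (the unknown ns3.example.net. delegation) and one MEDIUM finding (ns2.example.com. missing). In a real deployment the observed side would come from a query to the parent's name servers, and the check would repeat on a schedule so that a quiet change to the delegation is noticed before users are redirected.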

Chapter 41 Infoblox Advanced DNS Protection

This chapter describes the Infoblox Advanced DNS Protection solution and its features. It explains how to enable and disable the threat protection service, define threat protection rule settings, and manage threat protection rules so you can protect your internet-facing authoritative servers.
It contains the following sections:

About Infoblox Advanced DNS Protection

The Infoblox Advanced DNS Protection solution employs threat protection rules to detect, report upon, and stop DoS (Denial of Service), DDoS (Distributed Denial of Service) and other network attacks targeting DNS authoritative applications. Infoblox Advanced DNS Protection helps minimize "false positives" and ensures that your mission-critical DNS services continue to function even when under attack. For information about possible DNS threats, see DNS and Network-Flood Threats.
You can deploy the Advanced DNS Protection solution on hardware-accelerated appliances (physical appliances only) as well as software-based appliances (both physical and virtual) in the Grid. Depending on the appliances you deploy, you must install applicable hardware-based licenses or Software ADP subscription licenses. For information about supported Infoblox appliances for Advanced DNS Protection and the applicable licenses, see Supported Threat Protection Appliances and Licensing Requirements.
Infoblox Advanced DNS Protection is designed to provide visibility and protection against network floods and DNS attacks. It detects DNS attacks through predefined and custom threat protection rules, and mitigates DNS threats by dropping problematic packets while responding only to legitimate traffic. With valid licenses installed, you can subscribe to automatic rule updates that deliver near real-time protection against new and emerging attacks. You may also manually perform the rule update process based on your configuration. For information about threat protection rules, see Understanding Threat Protection Rulesets and Rules.
Infoblox Advanced DNS Protection supports a set of predefined threat protection rules that detect and mitigate possible DNS threats. You can modify some of the parameters and assign actions such as logging events and applying mitigation to these rules. You can also create custom rules to suit your security needs. For more information, see Understanding Threat Protection Rulesets and Rules.
As illustrated in Figure 43.1, the threat protection appliance, acting as an authoritative DNS server, is added to the Grid. After you install valid threat protection licenses and configure the appliance to serve as an Advance Appliance, it can detect and mitigate DNS threats based on threat protection rules. All threat protection related events, which conform to CEF (Common Event Format), are logged in the syslog on the Grid Master. To support further investigation of possible threats, the reporting server generates specific threat protection related reports. For information about how to monitor threat protection related events and reports, see Monitoring Threat Protection Events.
Figure 41.1 Infoblox Advanced DNS Protection Solution
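Because the threat protection events land in syslog as CEF records, a SOC typically parses and aggregates them outside the appliance. The following added example (not Infoblox's code) parses constructed CEF syslog lines, handling the `\|`, `\=` and `\\` escapes the format uses, and summarizes events by rule above a severity threshold. The syslog lines, the vendor and product names, the rule IDs and the extension keys are placeholders made up for this example, not real Infoblox values.

```python
"""Added example: parse CEF-formatted threat protection events from syslog
lines and summarize them. The sample lines are constructed; the vendor,
product, rule IDs and field names are placeholders, not Infoblox values."""

import re

# Constructed syslog lines carrying CEF events (placeholder values only).
SAMPLE_SYSLOG = [
    "<134>Jan 10 12:00:01 gm.example.com CEF:0|ExampleVendor|ThreatProtection|0.0|"
    "100001|DNS amplification attempt|8|src=203.0.113.5 dst=192.0.2.10 dpt=53 "
    "proto=UDP act=DROP cnt=120",
    "<134>Jan 10 12:00:02 gm.example.com CEF:0|ExampleVendor|ThreatProtection|0.0|"
    "100002|Rate limit exceeded|5|src=198.51.100.7 dst=192.0.2.10 dpt=53 "
    "proto=UDP act=ALERT cnt=30",
    "<134>Jan 10 12:00:03 gm.example.com CEF:0|ExampleVendor|ThreatProtection|0.0|"
    "100001|DNS amplification attempt|8|src=203.0.113.6 dst=192.0.2.10 dpt=53 "
    "proto=UDP act=DROP cnt=95 msg=qname\\=example.com type ANY",
]

HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")


def split_cef_header(cef):
    """Split the seven pipe-delimited header fields, honouring the \\| and
    \\\\ escapes. Returns (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):      # escaped character
            cur.append(cef[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, cef[i:]


_KEY_RE = re.compile(r"(\w+)=")


def parse_extension(ext):
    """Parse 'key=value key=value ...' where values may contain spaces and
    use the \\= and \\\\ escapes. An escaped '=' never starts a new key."""
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef_syslog(line):
    """Locate the CEF payload inside a syslog line and parse it into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = split_cef_header(line[start:])
    event = dict(zip(HEADER_NAMES, fields))
    event["version"] = event["version"][len("CEF:"):]
    event["severity"] = int(event["severity"])
    event["extension"] = parse_extension(ext)
    return event


def summarize(events, min_severity):
    """Count events at or above a severity, keyed by (rule ID, rule name)."""
    counts = {}
    for ev in events:
        if ev["severity"] >= min_severity:
            key = (ev["signature_id"], ev["name"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def dropped_packets(events):
    """Sum the 'cnt' field over events whose action was DROP."""
    return sum(int(ev["extension"].get("cnt", 0))
               for ev in events if ev["extension"].get("act") == "DROP")


if __name__ == "__main__":
    evs = [parse_cef_syslog(line) for line in SAMPLE_SYSLOG]
    for (rule_id, rule_name), n in summarize(evs, 6).items():
        print(f"rule {rule_id} ({rule_name}): {n} events")
    print("packets dropped:", dropped_packets(evs))
```

The header is split by hand rather than with `str.split("|")` so that an escaped pipe inside a rule name does not shift the fields, and the extension is walked key by key so that a value such as a query name containing `=` or spaces survives intact; both are the places where naive CEF parsing silently miscounts events.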

Limitations for Threat Protection Appliances

Hardware-based appliances support all existing DNS features (including HA support) that are applicable to DNS caching and authoritative applications, except the following:

  • Configuration of multiple interfaces on the same subnet
  • 10/100-Mbps gigabit Ethernet mode and fixed speed/duplex settings
  • DSCP support on the Infoblox-4030 Rev-2 appliance. For information about other limitations on the Infoblox-4030 appliances, refer to the Infoblox DNS Cache Acceleration Application Guide.

Note: Even though you can configure static routes on the Infoblox-4030 Rev-2 appliance when DNS cache acceleration is enabled, cached DNS responses are always sent through the interface on which the queries arrive, not the interface that is configured for the static route.


Consider the following when the threat protection service is enabled on the Advance Appliances:

For Hardware ADP

  • Protected interfaces (LAN1 and LAN2) are limited to DNS traffic, protocols in support of DNS anycast (BGP and OSPF) and the standard IP protocols such as ICMP, as well as connections to NTP servers.
  • The MGMT interface is used for other traffic, such as Grid, SSH, SNMP, and NTP, and it is not protected against DDoS attacks.
  • You cannot run other services, such as FTP, TFTP, and HTTP, on the Advance Appliances.
  • The appliance terminates TCP connections for incoming DNS requests after handling the initial request through each TCP connection. The exception for this default Grid setting is for an SOA query sent by a client that is accepted in the allow-transfer ACL. In the case of an SOA query, the TCP connection remains open for subsequent DNS requests. This exception also covers the case in which an AXFR query follows the SOA query through the same TCP connection. For more information about how to override this default Grid setting, see Enabling Multiple DNS Requests through a Single TCP Session.

For Software ADP

  • When you use IB-FLEX for Software ADP, it supports a standalone appliance or a Grid member with threat protection enabled, but it does not support a Grid Master with threat protection enabled. For more information about the IB-FLEX virtual appliance model, see About IB-FLEX.
  • IB-FLEX applies threat protection rules to all traffic on LAN1, LAN2 and HA interfaces, but bypasses the traffic on the MGMT interface.
  • The threat protection profiles used for Software ADP members do not support ADP NAT settings. For more information, see Configuring Threat Protection Profiles. However, you can configure them for hardware-based threat protection members in the Member Security properties editor. For more information, see Configuring Grid Security Properties.