
A forwarder is a name server to which all other name servers first send queries that they cannot resolve locally. The forwarder then sends these queries to DNS servers that are external to the network, avoiding the need for the other name servers in your network to send queries off-site. A forwarder eventually builds up a cache of information, which it uses to resolve queries. This reduces Internet traffic over the network and decreases the response time to DNS clients. This is useful in organizations that need to minimize off-site traffic, such as a remote office with a slow connection to a company's network.

You can select any Grid member to function as a forwarder. You must configure your firewall to allow that Grid member to communicate with external DNS servers. You can also configure NIOS to send queries to one or more forwarders. You can define a list of forwarders for the entire Grid, for each Grid member, or for each DNS view.

If your network configuration includes Infoblox BloxOne Threat Defense, you can configure NIOS Grid members (physical or virtual appliance) to forward recursive queries to BloxOne Threat Defense. For more information about BloxOne Threat Defense, see BloxOne Threat Defense. For information about how to configure NIOS members as DNS forwarding proxies, see the Forwarding Recursive Queries to BloxOne Threat Defense section below.

Selecting Forwarders

When there is more than one forwarder in the Grid, the NIOS resolver uses a smoothed metric derived from RTT (Round Trip Time) to select the name server to send queries to. RTT is the length of time between when a query was sent and when its response was received.
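The selection rule above, as an added illustration rather than NIOS code: the page states only that the resolver keys on a smoothed RTT metric, so the exponentially weighted moving average, the weight of 0.3, the timeout penalty and the forwarder addresses below are all assumptions constructed for this example. It shows the operational effect of such a metric: a forwarder that starts timing out is abandoned after one or two bad samples, but earns its way back only gradually, so a brief outage on one forwarder keeps traffic on the other for a while.

```python
"""Illustrative forwarder selection by smoothed round-trip time.

Added example, not NIOS code. The smoothing formula, ALPHA, TIMEOUT_MS,
INITIAL_MS and the sample forwarder addresses are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALPHA = 0.3          # weight of the newest RTT sample (assumed value)
TIMEOUT_MS = 2000.0  # a timed-out query is folded in as this RTT (assumed)
INITIAL_MS = 50.0    # optimistic start so an untried forwarder gets a chance


@dataclass
class ForwarderStats:
    address: str
    srtt_ms: float = INITIAL_MS  # smoothed RTT estimate for this forwarder
    samples: int = 0


class ForwarderSelector:
    def __init__(self, addresses: List[str]) -> None:
        self.stats: Dict[str, ForwarderStats] = {a: ForwarderStats(a) for a in addresses}

    def select(self) -> str:
        """Return the forwarder with the lowest smoothed RTT (ties: list order)."""
        return min(self.stats.values(), key=lambda s: s.srtt_ms).address

    def record(self, address: str, rtt_ms: Optional[float]) -> float:
        """Fold a measured RTT (None = timeout) into the smoothed estimate."""
        s = self.stats[address]
        sample = TIMEOUT_MS if rtt_ms is None else rtt_ms
        if s.samples == 0:
            s.srtt_ms = sample            # first real sample replaces the guess
        else:
            s.srtt_ms = (1 - ALPHA) * s.srtt_ms + ALPHA * sample
        s.samples += 1
        return s.srtt_ms


def replay(selector: ForwarderSelector,
           observations: List[Tuple[str, Optional[float]]]) -> List[str]:
    """Feed observations in order and return the forwarder chosen after each."""
    chosen = []
    for address, rtt in observations:
        selector.record(address, rtt)
        chosen.append(selector.select())
    return chosen


def run_demo() -> Tuple[List[str], ForwarderSelector]:
    """Constructed scenario: forwarder A is fast, then times out twice, then recovers."""
    selector = ForwarderSelector(["10.0.0.53", "10.0.1.53"])  # constructed addresses
    observations = [
        ("10.0.0.53", 20.0),
        ("10.0.1.53", 80.0),
        ("10.0.0.53", None),   # timeout
        ("10.0.0.53", None),   # timeout
        ("10.0.0.53", 20.0),   # recovered, but the estimate is still poisoned
    ]
    return replay(selector, observations), selector


if __name__ == "__main__":
    chosen, sel = run_demo()
    for addr, pick in zip(["A", "B", "A", "A", "A"], chosen):
        print(f"after sample from {addr}: next query goes to {pick}")
    for s in sel.stats.values():
        print(f"{s.address}: srtt={s.srtt_ms:.1f} ms over {s.samples} samples")
```

In the replayed scenario the first timeout alone is enough to move selection to the second forwarder, and a single good sample afterwards does not bring the first one back; that lag is the expected behaviour of any smoothed metric and is worth knowing when you troubleshoot why queries keep going to a "slower" forwarder after a transient problem.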

Specifying Forwarders

To configure forwarders for a Grid, member, or DNS view, complete the following:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab -> Members tab -> member checkbox -> Edit icon.
    DNS View: From the Data Management tab, select the DNS tab -> Zones tab -> dns_view checkbox -> Edit icon. Note that if there is only one DNS view (for example, the predefined default view), you can just click the Edit icon beside it.
    To override an inherited property, select Override next to it and complete the appropriate fields.

  2. Click the Forwarders tab.

  3. Click the Add icon.

  4. Enter an IP address in the text field. The field supports entry for both IPv4 and IPv6 values.

    1. To remove a forwarder, select the IP address from the Forwarders list, and then click the Delete icon.

    2. To move a forwarder up or down on the list, select it and click the Up or Down arrow.

  5. To use only forwarders on your network (and not root servers), select the Use Forwarders Only checkbox.
    Note that:

    • If the Use Forwarders Only option is enabled, UDP and TCP port 53 must be open between the NIOS appliance and the configured forwarders.

    • If the Use Forwarders Only option is not enabled, UDP and TCP port 53 must be open from NIOS to the configured forwarders and from NIOS to the Internet. This is because, to resolve a query that the forwarders cannot answer, the NIOS server must contact the root servers first, then the top-level domain DNS servers, and then the authoritative servers. Authoritative servers can be anywhere on the Internet, depending on the domain queried.

  6. Select the Add client IP, MAC addresses, and DNS View name to outgoing recursive queries checkbox to include the client IP address, MAC address, and DNS view name of the client from which the DNS query was initiated, to outgoing recursive queries. For information on recursive queries, see Enabling Recursive Queries. Selecting this option includes EDNS0 custom options.

  7. Select the Copy client IP, MAC addresses, and DNS View name to outgoing recursive queries checkbox to copy and validate the client IP address, MAC address, DNS view name from incoming queries to outgoing queries. If this checkbox is selected and:

    • Only one custom option is present, the IP address or MAC address or DNS view name is copied to the outgoing query without adding the missing option. An incoming query can contain only one IP address or MAC address or DNS view name.

    • No custom option is present, and the Add client IP, MAC addresses, and DNS View name to outgoing recursive queries checkbox is selected, valid IP address, MAC address, and DNS view name EDNS0 options are copied from incoming queries to outgoing recursive queries without any change. If the Add client IP, MAC addresses, and DNS View name to outgoing recursive queries checkbox is not selected, no options are added to outgoing recursive queries.
      For more information about EDNS0 options, see Configuring DNS Traffic Control Properties and Using Extension Mechanisms for DNS (EDNS0).

  8. Save the configuration and click Restart if it appears at the top of the screen.
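The Add and Copy rules in steps 6 and 7 above, as an added example that is not NIOS or Infoblox code. The page does not give the EDNS0 option codes Infoblox uses for the client IP, MAC address and DNS view name, so the three codes below are placeholders taken from the local/experimental range that RFC 6891 reserves (65001-65534); the wire format of an option (OPTION-CODE, OPTION-LENGTH, OPTION-DATA) is the standard one from RFC 6891. How the two checkboxes interact when both are selected and no custom option is present is taken from the page's wording; treating "no custom option present" as "fall through to the Add rule" is an assumption made here.

```python
"""Added example (not NIOS code): EDNS0 custom options that carry client
context, and the Add/Copy checkbox rules applied to an incoming query.

Assumptions: OPT_CLIENT_IP / OPT_CLIENT_MAC / OPT_VIEW_NAME are placeholder
codes from the RFC 6891 local/experimental range, not Infoblox's real codes.
"""
import ipaddress
import struct
from typing import List, Tuple

OPT_CLIENT_IP = 65001    # placeholder code (assumption)
OPT_CLIENT_MAC = 65002   # placeholder code (assumption)
OPT_VIEW_NAME = 65003    # placeholder code (assumption)
CUSTOM_CODES = {OPT_CLIENT_IP, OPT_CLIENT_MAC, OPT_VIEW_NAME}

Option = Tuple[int, bytes]   # (OPTION-CODE, OPTION-DATA)


def encode_options(options: List[Option]) -> bytes:
    """Serialise (code, data) pairs as OPT RDATA per RFC 6891 section 6.1.2."""
    return b"".join(struct.pack("!HH", code, len(data)) + data
                    for code, data in options)


def decode_options(rdata: bytes) -> List[Option]:
    """Parse OPT RDATA; reject truncated input instead of reading past it."""
    options, pos = [], 0
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if len(rdata) - pos < length:
            raise ValueError("option data shorter than OPTION-LENGTH")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options


def is_valid(option: Option) -> bool:
    """The 'validate' half of 'copy and validate': accept only well-formed data."""
    code, data = option
    if code == OPT_CLIENT_IP:
        return len(data) in (4, 16)          # packed IPv4 or IPv6 address
    if code == OPT_CLIENT_MAC:
        return len(data) == 6
    if code == OPT_VIEW_NAME:
        return 0 < len(data) <= 255 and data.isascii()
    return False


def local_options(client_ip: str, client_mac: str, view: str) -> List[Option]:
    """Options the server builds itself from the client it is serving."""
    return [
        (OPT_CLIENT_IP, ipaddress.ip_address(client_ip).packed),
        (OPT_CLIENT_MAC, bytes.fromhex(client_mac.replace(":", ""))),
        (OPT_VIEW_NAME, view.encode("ascii")),
    ]


def outgoing_options(incoming: List[Option], add_enabled: bool, copy_enabled: bool,
                     client_ip: str, client_mac: str, view: str) -> List[Option]:
    """Decide which custom options go on the outgoing recursive query."""
    if copy_enabled:
        present = [o for o in incoming if o[0] in CUSTOM_CODES]
        if present:
            # Copy rule: whatever custom option arrived is passed on after
            # validation, and the missing ones are NOT filled in.
            return [o for o in present if is_valid(o)]
    if add_enabled:
        # Add rule: no custom option came in, so add all three from local context.
        return local_options(client_ip, client_mac, view)
    return []


if __name__ == "__main__":
    # Constructed incoming query carrying only a MAC address option.
    incoming = decode_options(encode_options([(OPT_CLIENT_MAC, bytes.fromhex("001122334455"))]))
    out = outgoing_options(incoming, True, True, "192.0.2.10", "00:11:22:33:44:55", "default")
    print("copy with one option present:", out)
    out = outgoing_options([], True, True, "192.0.2.10", "00:11:22:33:44:55", "default")
    print("add with nothing present:", encode_options(out).hex())
```

Two things the code makes concrete that the steps only state: the Copy path never fills in a missing option, so an upstream Infoblox server receives exactly the client context the downstream one had, and the decoder refuses a truncated option rather than trusting OPTION-LENGTH, which is the check any parser of attacker-supplied EDNS data needs. The note that follows about not sending these options to non-Infoblox servers applies equally here: the options identify internal clients, and only Infoblox servers interpret them.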

Note

Infoblox recommends that you do not include client IP addresses and MAC addresses in queries directed to non-Infoblox DNS servers and that you include the addresses in only those queries directed at Infoblox DNS servers.

Forwarder Limitations

  • Forwarding zones (also known as conditional forwarders) do not support the Add client IP, MAC addresses, and DNS View name to outgoing recursive queries and the Copy client IP, MAC addresses, and DNS View name to outgoing recursive queries checkboxes.

  • When DNS forwarding proxy is enabled, if DNS queries that should be resolved locally are forwarded to the cloud services portal, enable the following option in each authoritative zone to prevent the use of forwarders:

    1. Go to Data Management tab > DNS tab > Zones tab.

    2. Select an authoritative zone and click the Edit icon.

    3. On the Authoritative Zone editor > Settings tab, select Don't use forwarders to resolve queries in subzones.

Forwarding Recursive Queries to BloxOne Threat Defense

To forward recursive queries to BloxOne Threat Defense, you must first register each NIOS member in your Grid as a DNS forwarding proxy through the Cloud Services Portal. When you register a Grid member, the DNS forwarding proxy software is installed on the member. The DNS forwarding proxy embeds the client IP addresses in the DNS queries before forwarding them to BloxOne Threat Defense. The communications are encrypted and client visibility is maintained. Once you set up a DNS forwarding proxy on a Grid member, all recursive queries for that member are forwarded to a local DNS forwarding proxy by the NIOS DNS service. It also caches responses to speed up DNS resolution for future queries. For more information about configuring DNS forwarding proxies, see On-Prem Host Management.

Make sure that port 443 is open from NIOS to the respective BloxOne Threat Defense domain so that the DNS forwarding proxy can communicate between NIOS and BloxOne Threat Defense.

Guidelines When Enabling Recursive Query Forwarding on a Grid Member

Note the following when you enable recursive query forwarding on a Grid member:

  • Make sure that you enable recursion on the member that you wish to use as a forwarding proxy to BloxOne Threat Defense. For information about how to enable recursion on a Grid member, see Enabling Recursive Queries.

  • DNS forwarding proxy does not work on systems configured in the IPv6-only mode.

  • DNS forwarding proxy is not supported on any appliance with less than 4 GB of memory.

  • Grid Manager ignores global forwarders, and all recursive queries are sent to BloxOne Threat Defense.

  • There might be a significant performance impact on your appliance and network during the DNS forwarding proxy installation process depending on the network connectivity between NIOS and BloxOne Threat Defense. Every node will have to install the DNS forwarding proxy before serving DNS recursive queries, which includes the HA nodes.

  • When you enable DNS forwarding to BloxOne Threat Defense, the QPS (queries per second) throughput might vary, depending on your appliance model and the cache hit ratio. You might see a bigger performance impact when the cache hit ratio is lower.

  • DNS forwarding proxy does not work with DNSSEC in case a request was redirected by BloxOne Threat Defense. If you are running DNS forwarding proxy on NIOS, you must disable DNSSEC validation. Even if you disable DNSSEC validation, validation still takes place through BloxOne Threat Defense. To enable DNS forwarding proxy to work with DNSSEC in case a request was redirected by BloxOne Threat Defense, see Enabling DNS Forwarding Proxy to Work with DNSSEC below.

  • To bypass recursive query forwarding to BloxOne Threat Defense, you must disable the DNS forwarding proxy service.

  • By adding the join token you obtained from the Cloud Services Portal, and by specifying the IP address of the Cloud Services Portal in the CSP Resolver field, you can establish connectivity between NIOS and Cloud Services Portal. Thereafter, you can enable the NIOS Grid Connector service in the Cloud Services Portal. This capability provides you with a single interface for viewing comprehensive network data such as global IP space, subnets, IP addresses, and DHCP lease data for your BloxOne Cloud infrastructure and NIOS. For more information, see Configuring NIOS Grid Connector in the BloxOne Threat Defense documentation.

Enabling a Grid Member to Forward Recursive Queries to BloxOne Threat Defense

To enable a Grid member to forward recursive queries to BloxOne Threat Defense, complete the following:

  1. Log in to the Cloud Services Portal at csp.infoblox.com.

  2. Create a join token by following the instructions in the Configuring Join Tokens topic in the BloxOne Infrastructure documentation. In an HA environment, two on-prem hosts are created in the Cloud Services Portal.

  3. Log in to Grid Manager.

  4. From the Grid tab, select the Grid Manager tab -> Members tab -> member checkbox -> Edit icon.

  5. In the Grid Member Properties Editor, click the CSP Configuration tab and complete the following. To override an inherited property, click Override next to it and enter values for the appropriate fields if you do not want to inherit them from the Grid. Once overridden, the settings apply only at the member level.

    1. Join Token: Displays the join token value that is inherited from the Grid. If the field is empty, the cloud connection is not terminated. If you specify a value, the Override label is displayed next to the field.

    2. Custom Resolver: Displays the IP address of the local DNS resolver. This IP address or DNS server is used to resolve Infoblox domains when the DNS Forwarding Proxy service starts. You must configure at least one external resolver that will be used to resolve all required domains. If you do not enter an IP address, 52.119.40.100 is used as the default. Select the checkbox to enter a value other than the one that is displayed. If you select the checkbox and then save your configuration, the checkbox remains selected the next time you return to this screen and the values are overridden by the member. If you specify a value, the Override label is displayed next to the field.

    3. HTTP Proxy: Displays the URL that is inherited from the Grid. Select the checkbox to enter a value other than one that is displayed. If you specify a value, the Override label is displayed next to the field.

    4. Test Overrides: This button is enabled only when the HTTP proxy is updated at the member level. Click it to test the HTTP proxy value that you entered. When you click the button, a success or failure message is displayed along with a timestamp. You cannot save your configuration until the override test succeeds. This button does not test the custom resolver or join token override values.

    5. Clear Overrides: This is enabled only when a field is updated at the member level. Clicking this option clears such field values (that were updated at the member level), and inherits the values from the Grid. In this case, the Override label is not displayed and the Clear Overrides link will not appear.

    6. Standalone: Select this option when the member is standalone.

    7. HA: Select this option when the member is an HA member.

    8. Access Key: You cannot edit the value of this field; you can only clear it. However, clearing the access key value does not terminate the cloud connection. This field is displayed only in the Member Properties Editor. In case of a NIOS upgrade, the access keys are the same for both the active and passive nodes.

  6. Click Save & Close.

  7. To configure the DNS Forwarding Proxy (DFP), in the Cloud Services Portal go to the Services tab -> Create Service and select DNS Forwarding Proxy from the drop-down list. In the Create DNS Forwarding Proxy wizard, enter the following, and then click Next and Finish:

    1. Name (required field): Provide a name for service instance.

    2. Description: Provide a description for the service instance.

    3. Service State: Set the toggle to start or stop the service.

    4. Host: Select the host from the drop-down list.

      • Note that only the available hosts are displayed in this list.

      • The DNS service restarts if the DNS Forwarding Proxy service is enabled on the NIOS member, resulting in a service interruption.

  8. In Member DFP Properties editor, select the Fallback to the default resolution process if BloxOne Threat Defense Cloud does not respond checkbox to forward recursive queries to the local root name servers in case BloxOne Threat Defense fails or if BloxOne Threat Defense fails to resolve recursive queries. For newly configured DNS forwarding proxies in NIOS, Infoblox recommends that you keep this option selected until you have verified that the NIOS proxies are functioning properly. In the Cloud Services Portal, go to Manage -> On-Prem Hosts to ensure that the statuses for the NIOS proxies that you have registered are active.

Note

  • If you have upgraded to NIOS 8.5.x with DNS forwarding proxy enabled on any node, Infoblox recommends that you do not remove the on-prem hosts from the Cloud Services Portal. This is because NIOS preserves the access key during the upgrade and the NIOS Grid member connects to the Cloud Services Portal using the same access key.

  • You must create a join token to authenticate a virtual DNS forwarding proxy for establishing a connection to the cloud. For more information refer to the Configuring Join Tokens topic in the BloxOne Infrastructure documentation.

  • If you have upgraded NIOS, the value of the Access Key field is the same as the API key that is displayed in the Cloud Services Portal.

  • For an HA pair, two hosts are created in the Cloud Services Portal; these hosts are used for configuring services.

  • When BloxOne Threat Defense cloud is available and DFP is healthy: DNS configuration files are automatically regenerated and recursive-queries are forwarded to BloxOne Threat Defense.

  • When BloxOne Threat Defense cloud is available but DFP is unhealthy: DNS configuration files are automatically regenerated and forwarding to BloxOne Threat Defense is suspended until DFP returns to a healthy state.

Enabling DNS Forwarding Proxy to Work with DNSSEC

DNS forwarding proxy does not work with DNSSEC in case a request was redirected by BloxOne Threat Defense. To enable DNS forwarding proxy to work with DNSSEC, perform the following steps:

  1. Enable DNS Forwarding Proxy on NIOS by clicking Manage -> On-Prem Hosts in the Cloud Services Portal.

  2. In Grid Manager, disable the Fallback to the default resolution process if BloxOne Threat Defense Cloud does not respond option.

  3. Enable DNSSEC validation as described in Enabling DNSSEC Validation.

  4. Remove trust anchors, if any. To configure trust anchors, see Enabling DNSSEC Validation.
