Version 28 (an older version of this page)

To access the BloxOne Cloud DNS service, you must forward your DNS traffic (except for internal domain resolution) to the BloxOne Cloud name server. In essence, a DNS forwarder is a name server to which all other name servers first send queries that they cannot resolve locally. The forwarder then sends these queries to DNS servers external to the network, and this saves the other name servers in your network from having to send queries off site. A forwarder eventually builds up a cache of information and uses it to resolve queries. This reduces Internet traffic over the network and decreases the time taken to respond to DNS clients.

Depending on your network configuration, you can forward DNS traffic while configuring the following network scopes for protection:

The manner in which you configure your DNS forwarders to use the BloxOne Threat Defense name server depends on your network configuration:

  • If you have an on-prem Infoblox Grid, configure your Grid members (which act as DNS forwarders) to use the BloxOne Threat Defense name server.

  • If you are using Unbound, BIND, or any other third-party DNS server as your DNS resolver, then, in your DNS configuration file, configure your DNS forwarders to use the BloxOne Threat Defense name server IP.

  • You can also configure Microsoft servers to use DNS forwarders.

  • In corporate mode, BloxOne Endpoint supports transfer of metadata to BloxOne Cloud when queries are resolved by DFP.

If you are forwarding DNS traffic to the BloxOne Threat Defense name servers using the External Networks configuration, without BloxOne Endpoint or DFP, you should provision the following DNS anycast addresses:

  • Global IPv4 DNS anycast addresses 52.119.41.100, 52.119.40.100, 103.80.6.100, and 103.80.5.100

    • Infoblox recommends using 52.119.41.100 and 103.80.6.100 addresses. The 52.119.41.100 and 103.80.6.100 addresses are provisioned under AWS Anycast, so a DNS client can connect to the nearest AWS entry location. Once a connection is established, the client is routed via AWS to the nearest PoP (Point of Presence). If the nearest PoP is not reachable, the client is forwarded to another PoP based on the rules described in the first bullet.

    • The 52.119.40.100 and 103.80.5.100 addresses are routed using Anycast only; they use a different architecture, in which traffic is routed via third-party networks to a PoP. These two addresses are considered legacy.

  • IPv6 DNS anycast addresses 2400:4840::100 and 2620:129:6000::100
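To make the forwarder setup concrete for the third-party resolver case, the following is an added example (not Infoblox-provided code) that renders an Unbound configuration fragment from the addresses listed above. The root zone is forwarded to the recommended global IPv4 pair and the IPv6 pair, while the internal domain and the RFC 1918 reverse zones stay with the local DNS server, which is the split the first paragraph describes. The internal domain corp.example. and the local resolver 10.0.0.53 are constructed placeholders; a geo-based pair from the table in the next section can be passed as cloud_v4 in place of the global pair.

```python
"""Render an Unbound forwarding configuration for BloxOne Threat Defense.

Added example, not Infoblox-provided code. The BloxOne addresses are the
ones listed on this page; the internal domain and the local DNS server
address used below are constructed placeholders.
"""
import ipaddress

# Global anycast addresses from this page: the recommended IPv4 pair and the IPv6 pair.
BLOXONE_IPV4 = ("52.119.41.100", "103.80.6.100")
BLOXONE_IPV6 = ("2400:4840::100", "2620:129:6000::100")

# RFC 1918 reverse zones. Unbound answers these locally as empty zones by default,
# so each one must be released with "local-zone: <zone> nodefault" before a
# forward-zone for it takes effect.
PRIVATE_REVERSE_ZONES = (
    ("10.in-addr.arpa.",)
    + tuple(f"{i}.172.in-addr.arpa." for i in range(16, 32))
    + ("168.192.in-addr.arpa.",)
)


def bad_addresses(addrs):
    """Return the entries that are not syntactically valid IPv4/IPv6 addresses."""
    bad = []
    for a in addrs:
        try:
            ipaddress.ip_address(a)
        except ValueError:
            bad.append(a)
    return bad


def forward_zone(name, addrs):
    """Render one forward-zone stanza, refusing to emit a mistyped address."""
    if bad_addresses(addrs):
        raise ValueError(f"invalid forwarder address(es): {bad_addresses(addrs)}")
    lines = ["forward-zone:", f'    name: "{name}"']
    lines += [f"    forward-addr: {a}" for a in addrs]
    return "\n".join(lines)


def build_config(internal_domains, local_dns,
                 cloud_v4=BLOXONE_IPV4, cloud_v6=BLOXONE_IPV6):
    """Return an unbound.conf fragment.

    '.' is forwarded to BloxOne; the internal domains and the private reverse
    zones are forwarded to local_dns. Unbound picks the most specific
    forward-zone, so the internal zones never leave the network.
    """
    server = ["server:"]
    server += [f'    local-zone: "{z}" nodefault' for z in PRIVATE_REVERSE_ZONES]
    # Assumes the internal zones are not DNSSEC-signed; drop this if they are.
    server += [f'    domain-insecure: "{d}"' for d in internal_domains]

    zones = [forward_zone(".", tuple(cloud_v4) + tuple(cloud_v6))]
    zones += [forward_zone(d, (local_dns,)) for d in internal_domains]
    zones += [forward_zone(z, (local_dns,)) for z in PRIVATE_REVERSE_ZONES]
    return "\n".join(server) + "\n\n" + "\n\n".join(zones) + "\n"


if __name__ == "__main__":
    # corp.example. and 10.0.0.53 are constructed placeholders.
    print(build_config(["corp.example."], "10.0.0.53"))
```

Run the script and paste its output into a file under Unbound's include directory, then check it with unbound-checkconf before reloading. Adding the legacy 52.119.40.100 and 103.80.5.100 addresses to cloud_v4 is possible but, as the list above says, the recommended pair should be used.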

For best practices when configuring DNS forwarding, see the following topics:

Infoblox Geo-Based Anycast IPs for POPs

Infoblox-provided anycast addresses (listed above) will route your DNS traffic to the appropriate PoPs.

If you want to direct DNS traffic to a specific location, you can use the geo-based anycast IPs listed in the following table.

Infoblox Geo-based Anycast IPs for POPs

| Location                    | IPv4 Address | Secondary IPv4 Address | Server                                        |
|-----------------------------|--------------|------------------------|-----------------------------------------------|
| California (USA)            | 52.119.41.51 | 103.80.6.51            | us-west-1-geo.threatdefense.infoblox.com      |
| Virginia (USA)              | 52.119.41.52 | 103.80.6.52            | us-east-1-geo.threatdefense.infoblox.com      |
| London (England)            | 52.119.41.53 | 103.80.6.53            | eu-west-2-geo.threatdefense.infoblox.com      |
| Frankfurt (Germany)         | 52.119.41.54 | 103.80.6.54            | eu-central-1-geo.threatdefense.infoblox.com   |
| Mumbai (India)              | 52.119.41.55 | 103.80.6.55            | ap-south-1-geo.threatdefense.infoblox.com     |
| Tokyo (Japan)               | 52.119.41.56 | 103.80.6.56            | ap-northeast-1-geo.threatdefense.infoblox.com |
| Singapore                   | 52.119.41.57 | 103.80.6.57            | ap-southeast-1-geo.threatdefense.infoblox.com |
| Toronto (Canada)            | 52.119.41.58 | 103.80.6.58            | ca-central-1-geo.threatdefense.infoblox.com   |
| Sydney (Australia)          | 52.119.41.59 | 103.80.6.59            | ap-southeast-2-geo.threatdefense.infoblox.com |
| São Paulo (Brazil)          | 52.119.41.60 | 103.80.6.60            | sa-east-1-geo.threatdefense.infoblox.com      |
| Bahrain (UAE)               | 52.119.41.61 | 103.80.6.61            | me-south-1-geo.threatdefense.infoblox.com     |
| Johannesburg (South Africa) | 52.119.41.62 | 103.80.6.62            | af-south-1-geo.threatdefense.infoblox.com     |
| Ohio (USA)                  | 52.119.41.63 | 103.80.6.63            | us-east-2-geo.threatdefense.infoblox.com      |


Warning
Before pointing your DNS to the BloxOne Threat Defense name server, ensure that your network and DNS server are properly configured to send DNS queries and receive responses. For more information, see Testing Network Configuration.

Local DNS Request Processing Optimization

To reduce the number of noise requests forwarded to the cloud and to avoid misconfiguration, DFP and BloxOne Endpoint will automatically forward all PTR requests for any private subnets (e.g. 10.0.0.0/8, 192.168.0.0/16, etc.) to local DNS servers. With this enhancement, you will not need to list such subnets in the internal domains or custom allow lists.

Note

DFP will forward all private requests to a local DNS server by default when a local DNS server is provisioned on the DFP.
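The rule above is applied automatically by DFP and BloxOne Endpoint; an operator of an Unbound, BIND or other third-party resolver has to apply it by hand and may want to audit a query log for private PTR lookups that are still leaving the network. The following is an added example (not DFP or BloxOne Endpoint code) that implements the same decision for individual PTR query names. It goes beyond the page in handling partial reverse names such as 1.10.in-addr.arpa and IPv6 ip6.arpa names; the IPv6 unique-local and link-local ranges are my own additions to the RFC 1918 ranges the note gives, and the sample query names are constructed.

```python
"""Decide whether a PTR query belongs to a private subnet (answer locally)
or can be forwarded to the cloud resolver.

Added example, not DFP or BloxOne Endpoint code. It reproduces the rule
this page describes (PTR requests for private subnets go to a local DNS
server) so the same logic can be applied or audited on a third-party
resolver. The sample query names are constructed.
"""
import ipaddress

PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918, as on this page
    "fc00::/7",                                        # IPv6 unique local (assumption)
    "169.254.0.0/16", "fe80::/10",                     # link-local (assumption)
)]


def reverse_name_to_network(qname):
    """Map a reverse-DNS name to the address block it covers.

    Partial names are allowed ("1.10.in-addr.arpa" -> 10.1.0.0/16). Returns
    None for anything that is not a well-formed in-addr.arpa / ip6.arpa name.
    """
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]  # reverse names list octets least significant first
        if len(octets) > 4 or not all(o.isdecimal() and int(o) < 256 for o in octets):
            return None
        prefix = 8 * len(octets)
        octets += ["0"] * (4 - len(octets))
        return ipaddress.ip_network(f"{'.'.join(octets)}/{prefix}")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2][::-1]
        if len(nibbles) > 32 or not all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
            return None
        prefix = 4 * len(nibbles)
        hexstr = "".join(nibbles).ljust(32, "0")
        addr = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.ip_network(f"{addr}/{prefix}")
    return None


def route_for(qname):
    """Return "local" for PTR names inside a private block, otherwise "cloud".

    A partial name that straddles private and public space (e.g. "172.in-addr.arpa")
    is sent to the cloud, so no public reverse lookup is silently lost.
    """
    net = reverse_name_to_network(qname)
    if net is None:
        return "cloud"
    private = any(net.subnet_of(p) for p in PRIVATE_NETWORKS if p.version == net.version)
    return "local" if private else "cloud"


# Constructed sample of PTR names as a resolver might see them in its query log.
SAMPLE_QUERIES = (
    "53.0.0.10.in-addr.arpa.",
    "200.1.168.192.in-addr.arpa",
    "1.31.172.in-addr.arpa",
    "1.32.172.in-addr.arpa",
    "100.41.119.52.in-addr.arpa",
    "172.in-addr.arpa",
    "d.f.ip6.arpa",
    "www.example.com",
)


def route_table(queries=SAMPLE_QUERIES):
    """Route every query name; the result can be compared with where they actually went."""
    return {q: route_for(q) for q in queries}


if __name__ == "__main__":
    for q, r in route_table().items():
        print(f"{r:5}  {q}")
```

Note that 1.32.172.in-addr.arpa is routed to the cloud: 172.32.0.0/16 lies outside 172.16.0.0/12, so a check that only looks at the first octet would misroute it.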
