Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 35 Next »

Depending on your network requirements, you can forward your DNS traffic while configuring external networks. By designating a DNS server as a forwarder, that server is responsible for all external DNS resolution and can build up a cache of external addresses, thus reducing the need to query recursive resolvers and cutting down DNS traffic.

When you set up external networks for DNS protection, you can use Infoblox-provided anycast IP addresses to configure DNS forwarding for the following. 

  • NIOS forwarders

  • Third-party DNS servers

For additional information, see the following topics on this page.

Allowing Redirect IP Addresses

Note

When redirect rules are configured, redirect IP addresses must be allowed to ensure connectivity to redirect servers. See the end client/redirect IP information here.   


The following table lists the protocol/port required and the list of specific IP addresses that must be allowed in the firewall to ensure the proper functioning of redirect rules.  

Protocol/Port

Destination IPs

Description

TCP 443 or 80

Redirect IPs:

For IPv4:

    3.215.231.251

    3.216.243.225

    35.168.95.233

    54.173.31.46

    3.220.140.235

For IPv6:

2600:1f18:1043:dc00:8083:68e:ef0f:46de

2600:1f18:1043:dc02:ed26:448b:247:90c9

2600:1f18:1043:dc00:a339:63ac:4c02:9531

2600:1f18:1043:dc00:5ee5:908d:8892:f214

2600:1f18:1043:dc02:be4:9bb:7833:d9d4

A client/end user should be connecting to the redirect server.

Firewall Port Usage for DNS Forwarding Servers

The following table lists the firewall port that you should open on your DNS forwarding servers. DNS forwarding might not function properly if you do not follow the port usage guidelines.

Protocol/Port

Usage

Description

UDP/TCP 53

Access to the configured forwarders

You must open UDP/TCP port 53 to allow access from the forwarding server to the configured forwarders.

DNS Forwarding Using Anycast Addresses

When configuring external networks, Infoblox recommends that you add the following four anycast IPs (provided by BloxOne) to your DNS server for DNS forwarding.

  • 52.119.41.100

  • 52.119.40.100

  • 103.80.6.100

  • 103.80.5.100

The 52.119.41.100 and 103.80.6.100 addresses are provisioned under AWS Anycast, so a DNS client can connect to the nearest AWS entry location. Once a connection is established, the client is routed via AWS to the nearest PoP (Point of Presence). If the nearest PoP is not reachable, the client is forwarded to another PoP based on the rules described in the first bullet.

The 52.119.40.100 and 103.80.5.100 addresses are routed using Anycast only, and they use a different architecture so the traffic is routed via third-party networks to a PoP. 

For information, see Forwarding DNS Traffic to BloxOne Cloud

DNS Forwarding on NIOS

In you NIOS Grid, you can add the Infoblox-provided anycast IPs as DNS forwarders to direct your DNS traffic.

For detailed information on how to configure forwarders on NIOS, see Using Forwarders.

DNS Forwarding on Third-Party DNS Servers

In addition to using the Infoblox-provided anycast addresses, you can also use the following methods to forward DNS traffic. Limitations using this method of configuration for third-party DNS servers include there being no end client visibility if the third-party DNS server does not have the EDNS option enabled. 

Unbound DNS Resolvers

If you use Unbound as the DNS resolver, you can make some modifications in your DNS configuration file to configure your DNS forwarders to use the BloxOne Cloud name server IP.Use the following example as a reference when modifying your DNS configuration file:

forward-zone:
        name: "."
        forward-addr: 52.119.40.100
        forward-addr: 52.119.41.100


BIND DNS Resolvers

If you use BIND as the DNS resolver, you can make some modifications in your DNS configuration file to configure your DNS forwarders to use the BloxOne Cloud name server IP.

Use the following example as a reference when modifying your DNS configuration file:

options {
        forward only;
        forwarders {52.119.40.100;52.119.41.100;};
        }

Microsoft DNS Resolvers

If you use Microsoft servers as the DNS resolvers, you can configure the Microsoft forwarder to use the BloxOne Cloud name server IP through the Windows interface.

To configure a Microsoft DNS forwarder:

  1. On your Microsoft Windows server, open DNS Manager.

  2. In the console tree, click the applicable DNS server from DNS/Applicable DNS server.

  3. On the Action menu, click Properties.

  4. On the Forwarders tab, click Edit.

    ImageA window from the "DNS Manager", which is a tool typically used to configure and manage DNS services on a network.

   5. Enter the IP address of one or more forwarders, and then click OK. For BloxOne Threat Defense global IPv4 DNS Anycast addresses see Forwarding DNS Traffic to BloxOne Cloud.

For more information about configuring a Microsoft DNS server to use forwarders, refer tohttps://technet.microsoft.com/en-us/library/cc754941(v=ws.11).aspx.

Microsoft Azure Vnet

For workloads running in Microsoft Azure, you can configure an Azure Virtual Network (VNet) to use BloxOne Cloud as a custom DNS server.

To apply security policies and protect DNS traffic from your VNet, you must register one or more source IPs in BloxOne, as an external network. For details, see Configuring External Networks.

To ensure that the source address is consistent, the configuration example on this page relies on a VNet using a NAT Gateway. For information on configuring a VNet with a NAT Gateway, see Microsoft’s Virtual Network NAT documentation.

To configure custom DNS servers for a VNet:

  1. In the Azure Portal, navigate to the applicable VNet.

  2. On the VNet page, select DNS servers from the menu.

    Image:  The Microsoft Azure portal interface showing the DNS servers configuration for a virtual network named "central-vnet".

  3. Select the radio button for Custom.

  4. Enter the IP address of one or more forwarders, and then click OK. For BloxOne Threat Defense global IPv4 DNS Anycast addresses, seeForwarding DNS Traffic to BloxOne Cloud.

  5. Save this configuration.

    To find the public IP of a NAT Gateway that you would like to register as an external network, perform the following

  6. In the Azure Portal, navigate to the applicable NAT Gateway.

  7. On the NAT Gateway page, select Outbound IP from the menu.

    Image:  The Microsoft Azure portal, specifically focusing on the "Outbound IP" configuration for an entity named "central-natgw", which is a NAT (Network Address Translation) gateway.

  8. Copy and save the IP addresses shown.

AWS Route 53

Creating a Route 53 Outbound Endpoint

In order to forward DNS traffic from an AWS VPC, you must create an Outbound Endpoint. An outbound endpoint is an AWS feature that allows DNS traffic from a VPC to be forwarded to an IP or Domain. To create an Outbound Endpoint, perform the following steps:

  1. Log in to your AWS Once logged in, input Route53 into the search bar located at the top of the AWS interface.


    Image: The AWS Management Console.

  2. Click on Route 53 in the list of side menu options. 

    The Route 33 side menu option.


    Image: The Route 33 side menu option.

  3. In the Route 53 navigation pane, click Outbound endpoints located under the Resolver.
    The Route 33 menu.
    Image:  The Route 33 menu.

  4. On the Outbound endpoints page, click Create outbound endpoint.

    Image: Clicking Create outbound endpoint.

  5. On the Createoutboundendpoint page, input the following data:

    1. Give the Outbound Endpoint a Name.

      Image: Naming the outbound endpoint. 

    2. Select the VPC you would like to associate with the Outbound Endpoint from among the drop-down options.

      Selecting the VPC.

      Image: Selecting the VPC.

    3. Select the Security group you would like to associate with this Outbound Endpoint from among the drop-down options.

      Selecting a securty group.

      Image: Selecting a securty group.

    4. Select IPv4 as the Endpoint Type from among the drop-down options.

      Image: Selecting IPv4 as the endpoint type. 

    5. Under the IP address #1 header, select the Availability Zone you would like to use for this Outbound Endpoint. Note that this is the IP clients will send DNS requests to, any additional IP addresses entered will act as redundant to the first one to improve availability.

      Image: Selecting an availablitly zone for IP address #1.

    6. Select the private subnet associated with the Availability zone.
      Selecting a private subnet
      Image: Selecting a private subnet. 

    7. Choose an IP address for the Outbound Endpoint. You may choose to allow AWS to choose one automatically, or input one manually.
      Selecting an IP address for the outbound endpoint.
      Image: Selecting an IP address for the outbound endpoint.

    8. Under the IP address #2 header, select the Availability Zone you would like to use for this Outbound Endpoint. Note that this is the IP clients where DNS requests are sent.

      Image: Selecting an availablitly zone for IP address #2.

    9. Select the private subnet associated with the availability zone. 

      Image: Selecting a private subnet associated with the availability zone.

    10. Choose an IP address for the outbound endpoint. You can choose to allow AWS to choose one automatically, or input one manually.

      Image: Selecting the automatically generated IP address for the outbound endpoint. 

    11. Optionally input an additional IP addresses via the Add another IP address button.

      Image: Adding an additional IP address. 

    12. Optionally, add Input Tags if desired. Followed by clicking Submit to finish the creation of the Outbound Endpoint.

      Image: Clicking the Submit button to add an input tag. 

    13. If the creation of the Outbound Endpoint was successful, you will now see the newly created outbound endpoint on the Outbound endpoints page.

      Image: Confirmation of the successful creation of a new outbound endpoint. 

This completes the creating a Route 53 Route 53 Outbound Endpoint process.

For additional information, see The Deployment Guide Integrating BloxOne™ Threat Defense with AWS' Route 53.

Creating a Route 53 Resolver Rule

In order to forward traffic to BloxOne Threat Defense you must configure a resolver rule which allows Route 53 to forward traffic to IP addresses defined within. To create a Resolver rule, perform the following steps:

  1. In the Route 53 navigation panel, click Rules located under the Resolver header.

    Locating Rules in the side navigation.


    Image: Locating Rules in the side navigation. 

  2. On the Rules page, click Create rule.

    Click Create rule on the Rules page to commence the rule creation process.


    Image: Click Create rule on the Rules page to commence the rule creation process. 

  3. Configure the new rule:

    1. Give the rule a Name.


      Image: Addng a name in the rule's  Name field.

    2. Set the Rule type as Forward.


      Image: Adding "Forward" in the Rule type text field

    3. In the Domain name text field input the character ( '.' ) without quotations.

      Image: Inputting "." without the quotes in the Domain name text field.

    4. Select any VPC(s) that you would like this rule to apply to via the dropdown menu located under the VPCs that use this rule header.

      Applying a rule to a selected VPC or VPCs.

      Image: Applying a rule to a selected VPC or VPCs. 

    5. Select the outbound endpoint that was created earlier via the drop-down menu.


      Image: Selecting the output endpoint from among the drop-down menu options. 

    6. In the First Target IP address text field, input the address 52.119.40.100. Additionally, input 53 in the Port text field.


      Image: Adding the first target IP address. 

    7. Click Add target to input another IP address.

      Image: Adding the tardet IP address. 

    8. In the second Target IP addresses field input the IP 103.80.5.100. Additionally, add input 53 in the Port text field.

      Adding a second target IP address.

      Image: Adding a second target IP address.

    9. Click Submit to confirm the creation of the rule.

      Clicking the Submit buton to create the new rule.


      Image: Clicking the Submit buton to create the new rule.

    10. If the creation of the rule was successful, you will now see the new rule in the list of rules.

      Verifying the successful addition of the rule to the rule list.

      Image: Verifying the successful addition of the rule to the rule list.


This completes the creating a Route 53 Resolver Rule process. 

For additional information, see The Deployment Guide Integrating BloxOne™ Threat Defense with AWS' Route 53.



  • No labels