Best Practices for External Networks

Every organization has a unique network and set of requirements. This section outlines best practices for configuring external networks for DNS forwarding using Infoblox solutions. It represents how the product can be configured but not necessarily how it should be configured in your specific environment. To design and size a solution for a production environment, please contact your Infoblox Solution Architect.

Notes

When redirect rules are configured, redirect IP addresses must be allowed to ensure connectivity to redirect servers. For details, see the end client/redirect information in the NIOS-X Server Connectivity and Service Requirements documentation.
Always verify configuration settings before deploying changes in a production environment.

Overview

DNS Forwarders: Designating a DNS server as a forwarder centralizes external DNS resolution and can build up a cache of external addresses, reducing queries to recursive resolvers, and minimizes DNS traffic.
Infoblox Anycast IPs: Infoblox provides anycast IP addresses for configuring DNS forwarding.
Third-Party DNS Servers: Other DNS servers can also be configured for forwarding but may have limitations related to end-client visibility.

When redirect rules are configured, redirect IP addresses must be allowed to ensure connectivity to redirect servers. For details on allowing redirect IP addresses, see the end client/redirect information in the NIOS-X Server Connectivity and Service Requirements documentation.

Configuring External Networks for DNS Protection

Infoblox provides anycast IP addresses that can be used to configure DNS forwarding in the following scenarios:

NIOS Forwarders

Configure Infoblox-provided anycast IPs as DNS forwarders within a NIOS Grid.
For detailed configuration steps, see Using Forwarders.

Third-Party DNS Servers

Configure third-party DNS resolvers using Infoblox-provided anycast addresses.
Limitations: If the third-party DNS server does not support EDNS, end-client visibility may not be available.

DNS Forwarding Using Anycast Addresses

Configure DNS forwarding using anycast IP addresses to optimize resolution performance.
For more details, see the DNS Forwarding Proxy section within Port Usage for Infoblox Services in the NIOS-X Server Connectivity and Service Requirements documentation.

Firewall Port Usage for DNS Forwarding Servers

Ensure that required firewall ports are open for DNS forwarding.
For details on firewall port usage for DNS forwarding servers, refer to the DNS Forwarding Proxy section within Port Usage for Infoblox Services in the NIOS-X Server Connectivity and Service Requirements documentation.

DNS Forwarding Using Anycast Addresses

Configure DNS forwarding using anycast IP addresses to optimize resolution performance.
For details on using DNS forwarding using anycast addresses, refer to the DNS Forwarding Proxy section within Port Usage for Infoblox Serviceswithin the NIOS-X Server Connectivity and Service Requirements documentation.

DNS Forwarding on Third-Party DNS Servers

In addition to using the Infoblox-provided anycast addresses, you can also use the following methods to forward DNS traffic. Limitations using this method of configuration for third-party DNS servers include there being no end client visibility if the third-party DNS server does not have the EDNS option enabled.

Unbound DNS Resolvers

If you use Unbound as the DNS resolver, you can make some modifications in your DNS configuration file to configure your DNS forwarders to use the Infoblox-provided anycast IP addresses. Use the following example as a reference when modifying your DNS configuration file:

forward-zone:
        name: "."
        forward-addr: 52.119.41.100
        forward-addr: 103.80.6.100

BIND DNS Resolvers

If you use BIND as the DNS resolver, you can make some modifications in your DNS configuration file to configure your DNS forwarders to use the Infoblox-provided anycast IP addresses.

Use the following example as a reference when modifying your DNS configuration file:

options {
        forward only;
        forwarders {52.119.41.100 and 103.80.6.100;};
        }

Microsoft DNS Resolvers

If you use Microsoft servers as the DNS resolvers, you can configure the Microsoft forwarder to use the Infoblox Platform name server IP through the Windows interface.

To configure a Microsoft DNS forwarder:

Open DNS Manager on your Microsoft Windows server.
In the console tree, select the applicable DNS server.
On the Action menu, click Properties.
On the Forwarders tab, click Edit.
Enter the IP address of one or more forwarders, and then click OK.

Image: A window from the DNS Manager, which is a tool typically used to configure and manage DNS services on a network.

For details on forwarding DNS traffic to BloxOne Cloud, see Forwarding DNS Traffic to BloxOne Cloud.

For additional guidance on configuring a Microsoft DNS server to use forwarders, refer to Microsoft DNS Configuration.

Microsoft Azure Vnet

For workloads running in Microsoft Azure, you can configure an Azure Virtual Network (VNet) to use Infoblox Platform as a custom DNS server.

To apply security policies and protect DNS traffic from your VNet, you must register one or more source IPs in Infoblox, as an external network. For details, see Configuring External Networks.

To ensure that the source address is consistent, the configuration example on this page relies on a VNet using a NAT Gateway. For information on configuring a VNet with a NAT Gateway, see Microsoft’s Virtual Network NAT documentation.

To configure custom DNS servers for a VNet:

In the Azure Portal, navigate to the applicable VNet.
On the VNet page, select DNS servers from the menu.

Image: The Microsoft Azure portal interface showing the DNS servers configuration for a virtual network named central-vnet.
Select the radio button for Custom.
Enter the IP address of one or more forwarders, and then click OK. For Infoblox Threat Defense global IPv4 DNS Anycast addresses, seeForwarding DNS Traffic to BloxOne Cloud.
Save this configuration.

To find the public IP of a NAT Gateway that you would like to register as an external network, perform the following
In the Azure Portal, navigate to the applicable NAT Gateway.
On the NAT Gateway page, select Outbound IP from the menu.
Image: The Microsoft Azure portal, specifically focusing on the "Outbound IP" configuration for an entity named "central-natgw", which is a NAT (Network Address Translation) gateway.
Copy and save the IP addresses shown.

AWS Route 53

Creating a Route 53 Outbound Endpoint

In order to forward DNS trafﬁc from an AWS VPC, you must create an Outbound Endpoint. An outbound endpoint is an AWS feature that allows DNS trafﬁc from a VPC to be forwarded to an IP or Domain. To create an Outbound Endpoint, perform the following steps:

Log in to your AWS Once logged in, input Route53 into the search bar located at the top of the AWS interface.

Image: The AWS Management Console.
Click on Route 53 in the list of side menu options.

Image: The Route 33 side menu option.
In the Route 53 navigation pane, click Outbound endpoints located under the Resolver.

Image: The Route 33 menu.
On the Outbound endpoints page, click Create outbound endpoint.
Image: Clicking Create outbound endpoint.
On the Createoutboundendpoint page, input the following data:
1. Give the Outbound Endpoint a Name.
  
  Image: Naming the outbound endpoint.
2. Select the VPC you would like to associate with the Outbound Endpoint from among the drop-down options.
  Image: Selecting the VPC.
3. Select the Security group you would like to associate with this Outbound Endpoint from among the drop-down options.
  Image: Selecting a securty group.
4. Select IPv4 as the Endpoint Type from among the drop-down options.
  Image: Selecting IPv4 as the endpoint type.
5. Under the IP address #1 header, select the Availability Zone you would like to use for this Outbound Endpoint. Note that this is the IP clients will send DNS requests to, any additional IP addresses entered will act as redundant to the ﬁrst one to improve availability.
  
  Image: Selecting an availablitly zone for IP address #1.
6. Select the private subnet associated with the Availability zone.
  
  Image: Selecting a private subnet.
7. Choose an IP address for the Outbound Endpoint. You may choose to allow AWS to choose one automatically, or input one manually.
  
  Image: Selecting an IP address for the outbound endpoint.
8. Under the IP address #2 header, select the Availability Zone you would like to use for this Outbound Endpoint. Note that this is the IP clients where DNS requests are sent.
  
  Image: Selecting an availablitly zone for IP address #2.
9. Select the private subnet associated with the availability zone.
  Image: Selecting a private subnet associated with the availability zone.
10. Choose an IP address for the outbound endpoint. You can choose to allow AWS to choose one automatically, or input one manually.
  
  Image: Selecting the automatically generated IP address for the outbound endpoint.
11. Optionally input an additional IP addresses via the Add another IP address button.
  
  Image: Adding an additional IP address.
12. Optionally, add Input Tags if desired. Followed by clicking Submit to ﬁnish the creation of the Outbound Endpoint.
  Image: Clicking the Submit button to add an input tag.
13. If the creation of the Outbound Endpoint was successful, you will now see the newly created outbound endpoint on the Outbound endpoints page.
  
  Image: Confirmation of the successful creation of a new outbound endpoint.

This completes the creating a Route 53 Route 53 Outbound Endpoint process.

For additional information, see The Deployment Guide Integrating BloxOne™ Threat Defense with AWS' Route 53.

Creating a Route 53 Resolver Rule

In order to forward trafﬁc to Infoblox Threat Defense you must conﬁgure a resolver rule which allows Route 53 to forward trafﬁc to IP addresses deﬁned within. To create a Resolver rule, perform the following steps:

In the Route 53 navigation panel, click Rules located under the Resolver header.

Image: Locating Rules in the side navigation.
On the Rules page, click Create rule.

Image: Click Create rule on the Rules page to commence the rule creation process.
Conﬁgure the new rule:
1. Give the rule a Name.
  
  Image: Addng a name in the rule's Name field.
2. Set the Rule type as Forward.
  
  Image: Adding "Forward" in the Rule type text field
3. In the Domain name text field input the character ( '.' ) without quotations.
  Image: Inputting "." without the quotes in the Domain name text field.
4. Select any VPC(s) that you would like this rule to apply to via the dropdown menu located under the VPCs that use this rule header.
  Image: Applying a rule to a selected VPC or VPCs.
5. Select the outbound endpoint that was created earlier via the drop-down menu.
  
  Image: Selecting the output endpoint from among the drop-down menu options.
6. In the First Target IP address text field, input the address 52.119.41.100. Additionally, input 53 in the Port text field.
  
  Image: Adding the first target IP address.
7. Click Add target to input another IP address.
  Image: Adding the tardet IP address.
8. In the second Target IP addresses field input the IP 103.80.6.100. Additionally, add input 53 in the Port text field.
  Image: Adding a second target IP address.
9. Click Submit to conﬁrm the creation of the rule.
  
  Image: Clicking the Submit buton to create the new rule.
10. If the creation of the rule was successful, you will now see the new rule in the list of rules.
  Image: Verifying the successful addition of the rule to the rule list.