BloxOne DDI allows you to deploy both the DNS forwarding proxy and BloxOne DDI DNS on the same on-prem host. After you have deployed the on-prem host, you can enable and disable the DNS forwarding proxy and the DNS services based on your business requirements.

To deploy both DNS forwarding proxy and BloxOne DDI DNS on the same on-prem host, complete the following:

  1. Obtain the BloxOne Threat Defense and BloxOne DDI licenses from Infoblox.
  2. Deploy BloxOne DDI, as described in Deploying BloxOne DDI.
  3. Enable the DNS forwarding proxy and BloxOne DDI DNS services based on your business requirements, as described in Viewing and Modifying On-Prem Host Configuration.

The following sections describe the supported configurations when you have DNS forwarding proxy and BloxOne DDI DNS on the same on-prem host.

Enabling Only the DNS Forwarding Proxy Service

When you enable only the DNS forwarding proxy service and disable the BloxOne DDI DNS services on the same on-prem host, consider the following:

  • The DNS forwarding proxy, not BloxOne DDI DNS, provides DNS service to all DNS clients.
  • The DNS forwarding proxy listens on port 53.
  • The DNS forwarding proxy returns NXDOMAIN if you have set up the security policy to block certain domains on BloxOne Threat Defense Cloud. For information about BloxOne Threat Defense Cloud, see BloxOne Threat Defense Cloud.

Enabling DNS Forwarding Proxy and BloxOne DDI DNS Services

When you enable both the DNS forwarding proxy and BloxOne DDI DNS services on the same on-prem host, consider the following:

  • Both the DNS forwarding proxy and BloxOne DDI provide DNS service to the DNS clients.
  • BloxOne DDI forwards all recursive DNS queries to the DNS forwarding proxy.
  • BloxOne DDI listens on port 53 and DNS forwarding proxy listens on port 1053.
  • The DNS forwarding proxy listens on port 1053 and forwards all recursive queries to BloxOne Threat Defense Cloud.
  • BloxOne DDI returns NXDOMAIN if you have set the security policy to block certain domains on BloxOne Threat Defense Cloud because the DNS response comes directly from the DNS forwarding proxy.
  • If you have configured forwarders in the global DNS configuration or DNS profile, the DNS forwarding proxy overrides that configuration.
  • DNSSEC validation is set to "no" even if you have enabled DNSSEC on the on-prem host.
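
Both configurations above answer a policy-blocked name with NXDOMAIN on port 53, and the second also has the proxy on port 1053. The following check is an added example, not Infoblox code: it sends a recursive query to each port and reports whether the answer is NXDOMAIN. The host address and blocked name are placeholders, and it assumes port 1053 is reachable from where the script runs.

```python
import socket
import struct

QID = 0x1234   # fixed query ID, chosen for this example
NXDOMAIN = 3   # DNS RCODE 3

def build_query(name, qtype=1):
    """Encode a recursive (RD=1) query for `name`, type A by default."""
    header = struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_rcode(packet):
    """Return the RCODE of a response to our query, else None."""
    if len(packet) < 12:
        return None
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != QID or not flags & 0x8000:   # wrong ID or not a response
        return None
    return flags & 0x000F

def probe(host, port, name, timeout=2.0):
    """Query host:port over UDP; None means no usable answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (host, port))
            data, _ = s.recvfrom(4096)
        except OSError:                     # timeout or port closed
            return None
    return parse_rcode(data)

def check_block(host, blocked_name, ports=(53, 1053)):
    """Map each port to True (NXDOMAIN), False (other answer) or None."""
    result = {}
    for port in ports:
        rcode = probe(host, port, blocked_name)
        result[port] = None if rcode is None else rcode == NXDOMAIN
    return result

if __name__ == "__main__":
    # 192.0.2.10 and blocked.example are placeholders, not values from the page.
    print(check_block("192.0.2.10", "blocked.example"))
```

A `False` on port 53 for a name the security policy should block means the policy is not being enforced for clients of that host.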

The following illustration gives an overview of how DNS forwarding proxy and BloxOne DDI DNS handle DNS queries: