Infoblox offers local on-prem resolution that provides protection against DNS exfiltration for on-prem hosts that resolve DNS queries using local internet breakouts. Local on-prem resolution works in conjunction with BloxOne DDI DNS and BloxOne Threat Defense DFP (DNS Forwarding Proxy). When you enable the local on-prem solution on an on-prem host that runs BloxOne Threat Defense Cloud DFP and BloxOne DDI DNS services, DNS queries that are not blocked locally can be resolved by the root DNS servers and authoritative DNS. Both DNS requests and responses are then forwarded to Infoblox Cloud for security policy validation. Local on-prem resolution improves the performance of web applications and provides local geographic DNS resolution.
On-prem resolution addresses conditions where the Internet is inaccessible, which can be due to misconfiguration or traffic routing issues when connected to DNS services. Either condition can render access to online resources inaccessible and unusable. Additionally, when using DNS resolution, there exists the possibility of data being compromised to third-party services. Local on-prem resolution eliminates conditions where the above scenarios can occur. Local on-prem resolution is beneficial to organizations that need to ensure their accessibility to online resources during potential service outages and also want to ensure their data remains secure.
When integrating BloxOne Threat Defense Business Cloud with BloxOne DDI Business or Advanced, or with BloxOne Threat Defense Advanced, DFP supports local on-prem resolution of DNS requests via a recursive DNS and validates policy compliance in BloxOne Threat Defense Cloud. To protect against data exfiltration via DNS, an exfiltration filter list is automatically maintained on DFP.
Local on-prem resolution is configured per security policy and disabled by default. For information on configuring security policies, see Configuring Security Policies.
Benefits of Using Local On-prem Resolution
BloxOne Threat Defense DFP or with BloxOne DDI DNS:
- Better web application performance and localization through a local geographic DNS resolution.
- Better protection against already identified DNS exfiltration domains.
- Extended protection by BloxOne Cloud.
- 100% resiliency and core security if cloud services are not reachable.
Take the following into consideration when using local on-prem host resolution:
- Slower resolution might occur when compared to Cloud-based DNS resolution. However, this affects only the initial request. Additional requests will resolve normally due to responses coming from the local cache.
- Potential privacy concerns due to being profiled for using un-encrypted communications with root and authoritative DNS servers.
Prerequisites for Using Local On-prem Resolution
- Local on-prem DNS resolution requires BloxOne Threat Defense and BloxOne DDI subscriptions
- DFP and BloxOne DDI DNS services should be running on the same on-prem host.
Local On-prem Resolution Workflows
Depending on your network infrastructure, you may need to optimize your DNS traffic and allow for local DNS resolution or internet breakouts. In this scenario, you can enable local on-prem resolution to improve the performance of your web applications while taking advantage of BloxOne Cloud security policy validation.
On the other hand, if you are concerned about losing privacy and that your organization may be profiled due to un-encrypted communications with root and authoritative DNS servers (DNS over TLS and DNS over HTTPs for communications between DNS servers), or if you do not want to include a fail open configuration, you can disable local on-prem resolution, which is the default configuration.
The following sections explain the workflows of the enabled and disabled local on-prem resolution.
Local On-Prem Resolution Enabled
The following diagram illustrates how DNS queries and responses are handled when local on-prem resolution is enabled.
When local on-prem resolution is enabled, all DNS requests will be resolved locally on the on-prem host. The DNS requests and responses will then be validated according to the configured policy in the BloxOne Cloud.
When local on-prem resolution is enabled, if a client wants to connect to “example.com”, the following occurs:
- The browser sends a request to the DNS Forwarding Proxy (DFP) which is integrated with BloxOne DDI DNS service.
- DFP’s internal policy engine will validate whether or not "example.com" is already a known domain that is used for DNS exfiltration, infiltration, or tunneling.
- If the request is not blocked locally, then BloxOne DDI will resolve the domain by sending requests to the root DNS servers and the authoritative DNS servers to verify the TLD ( ".com") and the domain name ( "example.com").
- The authoritative DNS responds back.
- The request and the response will be forwarded to BloxOne Cloud for security policy validation.
- If the request is identified as malicious or if it should be blocked by a policy, then the response will be altered.
- DFP will cache the results and respond back to the client.
- The client will (or will not) connect to "example.com," depending on the outcome of the response.
Local On-prem Resolution Disabled
In the default disabled mode, local on-prem resolution, there are no changes to how the DNS service performs.
With local on-prem resolution disabled, a client will connect to DNS services by default. The following diagram illustrates the workflow of a disabled local on-prem resolution.
Enabling and Disabling Local On-prem Resolution for a New Security Policy
To enable local on-prem resolution, you must toggle it on in the security policy (on the policy page). For information on configuring security policies, see Configuring Security Policies.
For information on adding local on-prem resolution to a policy rule, see Adding Policy Rules and Setting Precedence.
To enable or disable local on-prem resolution for a new security policy, complete the following:
- From the Cloud Services Portal, click Policies -> Security Policies. Then click Create located on the top action bar.
- On the Create New Security Policy page, complete the following:
- Local On-prem Resolution: To enable local on-prem resolution for a security policy, toggle the switch from disabled to enabled. To disable local on-prem resolution support for a security policy, toggle the switch from enabled to disabled.
For information on configuring security policies, see Configuring Security Policies.
Adding Policy Rules for Local On-prem Resolution
You can add custom lists, feeds and Threat Insight, category and application filters to your policy rules. Depending on your business requirements, you can add as many feeds and Threat Insight, custom lists or category filters as you need and apply them to different security policies. Note that you must first define a custom list or a category filter before you can add it to the security policy. For information about how to create a custom list, see Creating Custom Lists. For information about how to add category or application filters, see Configuring Filters.
To add policy rules, apply actions, and set precedence, complete the following:
- On the Policy Rules page of the Create New Security Policy wizard, click the Add Rule menu and choose one of the following policy types:
You can perform the following for each rule:
- Click Select List to view available rules for the respective policy type.
- Click the Action menu to set the action for each policy rule. For more information about what each action means, see About Rule Actions.
- Set the precedence order for a policy rule by clicking the up and down arrows at the end of each row to move the rule to its desired rank. The system applies policy rules based on the precedence order. Although you have the flexibility to set precedence for each rule, it is important that you understand the ramification of putting certain policy rules before others. For more information, see Security Policy Precedence.
- Choose a policy rule and click Remove to remove it from the list.
- Custom List: Choose this to add a custom list to the policy. When you click a custom list, you can view the Threat Level and Threat Confidence. When you are ready, click Select to add the custom list to the policy. Custom lists can be either allow lists or block lists, depending on the actions that you set upon them. For more information about custom lists, see Custom Lists.
- Feeds and Threat Insight: Choose this to add a feed or Threat Insight to the policy. When you click a feed or Threat Insight, you can view the Threat Level and Threat Confidence. When you are ready, click Select to add the feed or Threat Insight to the policy. For more information, see Viewing Active Threat Feeds and Threat Insight.
- Category Filter: Choose this to add a category filter to the policy. Choose a category filter and click Select to add the category filter to the policy. Category filters are content categorization rules that allow you to detect and filter internet content and traffic that you want to allow or block. Choose the name of the category from among the Select List options under the NAME menu to add to your security policy. Choose an action type from among the action options under the ACTION menu to add to your security policy. For more information, see Configuring Filters.
- Application Filter: Choose this to add an application filter to the policy. Choose an application filter and click Select to add the application filter to the policy. Application filters are application categorization rules that allow you to detect and filter internet content and traffic that you want to allow or block. Choose the name of the application from among the Select List options under the NAME menu to add to your security policy. Choose an action type from among the action options under the ACTION menu to add to your security policy. You can also add a custom application filter by clicking on the New Filter option from among the Choose Application Filter drop-down menu options. To create your custom application filter, you must provide a name for the custom application list. A description for the custom list is optional. Under APPLICATIONS, select from among the available options in the AVAILABLE list of applications to add an application to your custom application filter.
You can add multiple rule types to a security policy. To do so, click on the Rule menu and add another rule type until you have finished adding rules to your security policy. For additional information on adding rules to a security policy, see Adding Policy Rules and Adding Precedence.
For additional information on configuring filters, see Configuring Filters.
- TO use local on-prem resolution, on the Policy Rules page of the Create New Security Policy wizard under the ACTION menu, select Allow - Local Resolution as the default action when configuring local on-prem resolution.
- After you add policy rules, set actions, and precedence, click Finish to complete policy set-up, or click Next to add bypass codes. For more information, see Adding Bypass Codes to a Security Policy.
- Once you have added your bypass codes, click Next to view the summary.
After reviewing the security policy summary, click Save & Close to save the security policy configuration.
Local On-prem Resolution Policy Decision-making
For a DNS query received from the client, a policy check is performed to check if local on-prem resolution is enabled. Decision actions based on the breakout configuration will be used by BloxOne DDI to perform the corresponding actions as follows:
- ALLOW: Returns the response from the local resolution to the client.
- BLOCK: Returns NXDOMAIN to the client.
- CUSTOM (i.e REDIRECT): Returns the rewrite value to the client and in the case of the rewrite value being the CNAME, BIND resolves the CNAME target. Note that the resolution result of the CNAME target will not be sent for re-validation.
- LOCAL with TD: Locally resolves the query while contacting the Onprem Policy Cache (OPC) for a policy check on the response.
- FULL TD: Forwards the query to BloxOne threat Defense for both resolution and policy check on the cloud.
Local On-prem Resolution per Application
To use local on-prem DNS resolution per application, a BloxOne Threat Defense subscription is required. Also, a third-party fallback DNS server should be configured with DNS Forwarding Proxy (DFP). Select Allow - Local Resolution as the default action type from the available options under the ACTION menu on the Policy Rules page of the Security Policy wizard when adding an application filter to the security policy. The Allow - Local Resolution action type only functions when configuring application filters.
Local on-prem resolution per application works similarly to local on-prem resolution for domains, with the difference that it works specifically with web-based applications. For organizations relying on the use of web-based applications such as Microsoft Office 365, Microsoft Azure, Salesforce, Dropbox, Google suite etc, a security policy specifically created to enforce local on-prem resolution when using these applications.
Using local on-prem resolution, when a request for the application is received, When a request is received for one of the applications, DFP will use configured third-party fallback DNS servers to resolve the request. It is important that the DNS server is located nearby. Please be sure that such a DNS server is nearby. BloxOne Endpoint will forward the request to the network-provided DNS servers.
When Allow-Local Resolution has been selected as the default action type for an application filter, then the on-prem policy engine will decide what policies require checking locally an do not need to be checked in the cloud and what domains need to be bypassed.
Requests other than for one of the applications as configured in the security policy, the request will be forwarded to BloxOne Cloud as usual.
Warning: The applications configured in the security policy must be trusted as other security validations are bypassed. This is not the case if you are using a secure third-party DNS service such as NIOS configured with a DNS Firewall feed.
Creating and Adding Application Filters to a Security Policy Configured with Local On-prem Resolution
Application filters are a set of rules that BloxOne Threat Defense Cloud uses to detect and filter specific Internet content. The Application Classification Service (ACS) provides accessibility to applications based on their category or subcategory. Using application filters, you can set security policies based on whether you want to allow an app to access the Internet at all times, or if you want the app to use local resolution when used with BloxOne DDI appliances.
Only for Application Filter if set to Allow-Local resolution when , the OPE will decide that policies needs to be check locally and doesn’t need to be checked in cloud and this domain needs to be bypassed.
To create an application filter, complete the following:
- From the Cloud Services Portal, click Policies -> Security Policies.
- On the Security Policies page, click the Filters tab located above the top Action bar.
- On the Filters page, click Create Filter on the top Action bar.
- From among the options displayed (Create Category Filter or Create App Filter), click Create App Filter.
- On the Create Application Filter page, complete the following:
- Name: Enter a name for the content application filter. Ensure that you use a unique name for each filter. This is a required field.
- Description: Enter a brief description of the filter. You can enter up to 256 characters.
- Productivity: Microsoft Sharepoint, Microsoft 365.
- Personal Storage: Microsoft OneDrive.
- Email: Microsoft Exchange.
- Video Conferencing: Skype for Business, Microsoft Teams.
To add an application filter to a security policy configured for local on-prem resolution, see Adding Policy Rules and Setting Precedence to a security policy. .
For information on configuring a security policy for use with local on-prem resolution, see Configuring Security Policies.
For information on configuring application filters for use with local on-prem resolution, see Configuring Filters.
This page has no comments.