A forwarder is essentially a name server to which all other name servers first send queries that they cannot resolve locally. The forwarder then sends these queries to DNS servers that are external to the network, avoiding the need for the other name servers in your network to send queries off-site. A forwarder eventually builds up a cache of information, which it uses to resolve queries. This reduces Internet traffic over the network and decreases the response time to DNS clients. This is useful in organizations that need to minimize off-site traffic, such as a remote office with a slow connection to a company's network.
You can select any Grid member to function as a forwarder. You must configure your firewall to allow that Grid member to communicate with external DNS servers. You can also configure the NIOS appliance to send queries to one or more forwarders. You can define a list of forwarders for the entire Grid, for each Grid member, or for each DNS view.
If your network configuration includes Infoblox BloxOne Cloud, you can configure NIOS Grid members (physical or virtual appliances) to forward recursive queries to BloxOne Cloud. For more information about BloxOne Cloud, see BloxOne Threat Defense Cloud. For information about how to configure NIOS members as DNS forwarding proxies, see Forwarding Recursive Queries to BloxOne Cloud.
To configure forwarders for a Grid, member, or DNS view:
- Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
- Member: From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon.
- DNS View: From the Data Management tab, select the DNS tab -> Zones tab -> dns_view check box -> Edit icon. Note that if there is only one DNS view—for example, the predefined default view—you can just click the Edit icon beside it.
To override an inherited property, click Override next to it and complete the appropriate fields.
- Click the Forwarders tab.
- Click the Add icon.
- Enter an IP address in the text field. The field supports entry for both IPv4 and IPv6 values.
- To remove a forwarder, select the IP address from the Forwarders list, and then click the Delete icon.
- To move a forwarder up or down on the list, select it and click the Up or Down arrow.
- To use only forwarders on your network (and not root servers), select the Use Forwarders Only check box.
- Select the Add client IP, MAC addresses, and DNS View name to outgoing recursive queries check box to include the client IP address, MAC address, and name of the DNS view of the client from which the DNS query was initiated, to outgoing recursive queries. For information on recursive queries, see Enabling Recursive Queries. Selecting this option includes EDNS0 custom options.
- Select the Copy client IP, MAC, and DNS View name to outgoing recursive queries check box to copy and validate the client IP address, MAC address, and name of the DNS view from incoming queries to outgoing queries. If this check box is selected and:
  - Only one custom option is present, the IP address, MAC address, and DNS view name are copied to the outgoing query without adding the missing options. An incoming query can contain only one IP address, MAC address, or DNS view name.
  - No custom option is present and the Add client IP, MAC addresses, and DNS View name to outgoing recursive queries check box is selected, valid IP address, MAC address, and DNS view name EDNS0 options are copied from incoming queries to outgoing recursive queries without any change. If the Add client IP, MAC addresses, and DNS View name to outgoing recursive queries check box is not selected, no options are added to outgoing recursive queries.
For more information about EDNS0 options, see Configuring DNS Traffic Control Properties and Using Extension Mechanisms for DNS (EDNS0).
- Save the configuration and click Restart if it appears at the top of the screen.
Infoblox recommends that you do not include client IP addresses and MAC addresses in queries directed to non-Infoblox DNS servers and that you include the addresses in only those queries directed at Infoblox DNS servers.
- Forwarding zones (also known as conditional forwarders) do not support the Add client IP, MAC addresses, and DNS View name to outgoing recursive queries and the Copy client IP, MAC addresses, and DNS View name to outgoing recursive queries check boxes.
- Only BIND-based DNS servers support these options. Unbound-based DNS servers do not support these options.
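The client IP, MAC address, and DNS view name travel as EDNS0 options in the OPT pseudo-RR of the outgoing query, which is why the recommendation above matters. As an added example (not Infoblox code and not part of the original page), the following encodes and decodes an OPT RR (RFC 6891) and reports any client-identity options present on a query leaving the forwarder. The option codes Infoblox uses for these three options are not stated on the page, so placeholder codes from the EDNS0 private-use range are assumed.

```python
import struct

# EDNS0 option codes. ECS (8) is the IANA-registered Client Subnet code; the
# codes Infoblox uses for client IP, MAC and DNS view are not on the page, so
# these three are PLACEHOLDERS taken from the private-use range 65001-65534.
OPT_ECS = 8
OPT_CLIENT_IP = 65001   # placeholder
OPT_CLIENT_MAC = 65002  # placeholder
OPT_DNS_VIEW = 65003    # placeholder
CLIENT_IDENTITY_CODES = {OPT_CLIENT_IP, OPT_CLIENT_MAC, OPT_DNS_VIEW}


def build_opt_rr(options, udp_size=4096):
    """Encode an OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    TTL = extended RCODE/version/flags (all zero), RDLENGTH, then options."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(rdata)) + rdata


def parse_opt_rr(rr):
    """Decode an OPT RR into [(code, data), ...]; raises on malformed input."""
    if not rr or rr[0] != 0:
        raise ValueError("OPT RR must carry the root name")
    rrtype, _udp_size, _ttl, rdlen = struct.unpack("!HHIH", rr[1:11])
    if rrtype != 41 or len(rr) != 11 + rdlen:
        raise ValueError("not a well-formed OPT RR")
    options, pos, end = [], 11, 11 + rdlen
    while pos < end:
        code, olen = struct.unpack("!HH", rr[pos:pos + 4])
        pos += 4
        if pos + olen > end:
            raise ValueError("option length exceeds RDATA")
        options.append((code, rr[pos:pos + olen]))
        pos += olen
    return options


def leaked_identity_options(rr):
    """Return the client-identity option codes present in an outgoing query's
    OPT RR. A non-empty result on a query bound for a non-Infoblox forwarder
    is the situation the recommendation above advises against."""
    return sorted(code for code, _ in parse_opt_rr(rr)
                  if code in CLIENT_IDENTITY_CODES)


# Constructed sample: an outgoing query carrying all three identity options.
SAMPLE_OPT = build_opt_rr([(OPT_CLIENT_IP, bytes([10, 0, 0, 25])),
                           (OPT_CLIENT_MAC, bytes.fromhex("001122334455")),
                           (OPT_DNS_VIEW, b"default")])
```

Run `leaked_identity_options` over the OPT RR of a query captured on the forwarder's upstream interface to confirm that queries to non-Infoblox servers carry none of these options.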
Forwarding Recursive Queries to BloxOne Threat Defense Cloud
To forward recursive queries to BloxOne Cloud, you must first register each NIOS member in your Grid as a DNS forwarding proxy through the Cloud Services Portal. When you register a Grid member, the DNS forwarding proxy software is installed on the member. The DNS forwarding proxy embeds the client IP addresses in the DNS queries before forwarding them to BloxOne Cloud. The communications are encrypted and client visibility is maintained. Once you set up a DNS forwarding proxy on a Grid member, the NIOS DNS service forwards all recursive queries for that member to the local DNS forwarding proxy. The proxy also caches responses to speed up DNS resolution for future queries. For information about configuring DNS forwarding proxies, see Configuring DNS Forwarding Proxy in BloxOne Cloud.
Upon registering a Grid member as a DNS forwarding proxy, you will receive a unique API Access key through the Cloud Services Portal. You must use this API Access key when you enable the forwarding of recursive queries to BloxOne Cloud on the Grid member. You can enable this feature only at the Grid member level. Note that an API Access key is unique for each member, which means that you must register each member individually through the Cloud Services Portal.
Make sure that port 443 is open against its respective domain for DNS forwarding proxy to work between NIOS and BloxOne Threat Defense. For a list of ports and domains used by the BloxOne on-prem hosts, see the
Note: Make sure that you enable recursion on the member that you wish to use as a forwarding proxy to BloxOne Cloud. For information about how to enable recursion on a Grid member, see Enabling Recursive Queries.
Note the following when you enable recursive query forwarding on a Grid member:
- DNS forwarding proxy does not work on systems configured in the IPv6-only mode.
- Grid Manager ignores global forwarders and all recursive queries are sent to BloxOne Cloud.
- Unbound is not supported on a Grid member when it uses BIND to send recursive queries to BloxOne Cloud. For information about Unbound, refer to the Infoblox DNS Cache Acceleration Application Guide.
- There might be a significant performance impact on your appliance and network during the DNS forwarding proxy installation process, depending on the network connectivity between NIOS and BloxOne Cloud. Every node, including the HA nodes, must install the DNS forwarding proxy before serving DNS recursive queries.
- When you enable DNS forwarding to BloxOne Cloud, the QPS (queries per second) throughput might vary, depending on your appliance models and the cache hit ratios. You might see a bigger performance impact when the cache hit ratio is lower. In general, NIOS can forward at least 3,500 QPS to BloxOne Cloud.
To enable a NIOS Grid member to forward recursive queries to BloxOne Cloud, complete the following:
- Log in to the Cloud Services Portal at csp.infoblox.com.
- From the Cloud Services Portal, click Manage → DNS Forwarding Proxy.
- On the DNS Forwarding Proxy page, click the + icon at the top Action bar.
- On the Adding DNS Forwarding Proxy page, complete the following:
  - Type: From the drop-down list, select DNS Forwarding Proxy on Infoblox NIOS.
  - DNS Forwarder Name: Enter the name of the DNS forwarding proxy. Ensure that you use a unique name for each proxy.
  - Description: Enter a brief description for the proxy. For example, you can enter a site name to identify where this proxy is located.
- Click Save. BloxOne Cloud saves the newly created forwarding proxy and automatically generates an API access key.
- In the API Access Key Generated dialog, copy the key from the API Access Key field. Note that this key is unique for each DNS forwarding proxy.
- Click OK.
- Log in to Grid Manager.
- Member: From the Data Management tab, select the DNS tab -> Members tab -> member check box -> Edit icon.
- In the Member DNS Properties editor, click the Forwarders tab, and then complete the following:
  - Enable Recursive Queries Forwarding to BloxOne Cloud: Select this check box to enable the NIOS member to forward recursive queries to BloxOne Cloud.
  - Access Key: Enter the unique API Access Key that is generated through the Cloud Services Portal after registering the NIOS appliance as the DNS forwarding proxy server. This key is unique for each Grid member.
  - Name Server for DNS Forwarding Proxy: Enter the IP address of the local DNS resolver. This IP address is mandatory and is used only for the DNS forwarding proxy.
  - Fall back to the default resolution process if BloxOne Threat Defense Cloud does not respond: When you select this check box, recursive queries are forwarded to the local root name servers if BloxOne Cloud fails or does not resolve them. For newly configured DNS forwarding proxies in NIOS, Infoblox recommends that you keep this option selected until you have verified that the NIOS proxies are functioning properly. In the Cloud Services Portal, go to Manage → DNS Forwarding Proxy to ensure that the statuses for the NIOS proxies that you have registered are Active.
- Click Save & Close. A Warning dialog box appears when you enable the Recursive Queries Forwarding to BloxOne Cloud option; click Yes to save the changes.
Note: It might take up to 30 minutes for all the configurations to take effect on the member. Once BloxOne Cloud is up and running, you must restart the DNS service before the member can forward recursive queries to BloxOne Cloud.