The NIOS 8.3 release includes the following new features and enhancements:
Caching Threat Category Information from the Cloud Services Portal (RFE-9249)
You can configure the Cloud Services Portal and schedule the entire threat indicator database download from the Cloud Services Portal. The threat category information is then sent to the reporting server to augment RPZ hits and reports are generated. Caching threat category information from the Cloud Services Portal helps enhance the performance of threat reports as data is fetched from the cache that is stored locally.
You can also download incremental updates from the threat indicators of the Cloud Services Portal. The incremental threat indicator is downloaded only after the whole threat indicator is downloaded from the Cloud Services Portal.
You can configure threat indicator caching by using the Threat Indicator Caching > Basic tab in the Grid Reporting Properties editor. For more information, see Grid Reporting Properties.
Collecting NIOS Database Performance Data (RFE-9550)
You can now download Ptop log files that comprise database metrics which you can use to determine the health of the NIOS database and baseline its performance. Based on the database performance, you can ascertain the impact of changes such as adding a Grid member or enabling features such as Grid replication for DNS zones or multi-master DNS, on the database performance. You can download the Ptop log files by using a WAPI call. For more information, see Collecting Database Performance Data.
Adding TLSA Records in Unsigned Zones (RFE-10324)
You can now add TLSA records in both DNSSEC-signed zones and unsigned zones.
Infoblox Subscriber Services
The Infoblox Subscriber Services solution is a scalable, carrier-grade solution that provides visibility to subscriber activities and complete filtering capabilities by combining advanced DNS services with subscriber identification and threat protection policies. The Infoblox Subscriber Services solution includes the following:
- Infoblox Subscriber Insight that automates the process of identifying infected subscriber devices that are trying to connect to malicious domains. This solution augments the malware incident logs with the subscriber identity information received via RADIUS accounting messages and generates a report to display RPZ violations per subscriber ID. You can also identify subscribers who access specific domains for purposes other than security.
- Infoblox Subscriber Policy Enforcement that enables the selection of applicable policies for the subscriber. Policies are any combinations of RPZs. You can use this product to create value-added service plans or packages for different subscribers.
- Infoblox Subscriber Parental Control enables subscribers to manage Internet access and content for their mobility devices, houses, families, or corporations. Subscribers can restrict or allow access to content based on content categories and domains. Note that this feature works with Infoblox Harmony 22.214.171.124 or later. For more information, refer to the Infoblox Harmony Release Notes.
- Support for EDNS0 Local-ID that is used to identify subscribers behind a home gateway network.
- EDNS0 category support.
- Support for per subscriber blacklist and whitelist domains.
- CEF log and reporting enhancements.
- Support for Splunk REST APIs.
- Alternate subscriber ID to identify the fixed line or home gateway router.
- MGMT replication that allows accepting the NAS RADIUS traffic over the MGMT interface only.
- Support for the proxy server to download the category feed.
- Support for guest indicator for fixed line deployments to identify unknown local ID.
- Support for termination of all user connections traversing Multi-Services Proxy (MSP) upon activation of the block-all Parental Control Policy (PCP), or any PCP change for subscribers behind the home gateway (CPE) when identified by the EDNS0 local ID. You can reestablish connections depending on the new PCP value.
Note: To support proxy subscribers, the configuration must first resolve locally by ensuring that 127.0.0.1 is the first in the list of resolvers. You can do this either globally through Grid DNS properties -> DNS Resolver, or locally through Member DNS properties -> DNS Resolver.
- You can now configure the access token to use the Subscriber Data Repository REST API. You configure this in application.properties; it is set to false by default.
- You can now create service policies that can be associated with specific servers. These are blocking servers through which traffic or web pages that conform to the service policies you create are blocked and are redirected to the blocking VIP addresses. You can specify additional IP addresses that will act as blocking servers.
- This NIOS release adds the set subscriber_secure_data never_proxy and the show subscriber_secure_data never_proxy CLI commands. You can use these commands to set and view the hexadecimal characters that represent the list of categories in the global list used to resolve DNS queries without proxying to an MSP (Multi-Services Proxy) server.
- You can now set the Proxy-All setting to 1 to have DNS queries processed by NIOS. The MSP server will process the queries only if NIOS is unable to categorize the DNS queries.
For more information, see Infoblox Subscriber Services.
Flex Grid Activation for Managed Services License
Infoblox introduces the NIOS Flex Grid Activation for Managed Services license. This license is similar to the Flex Grid Activation license, but is meant for managed services deployments. The license enables you to access the following three new reports in addition to the other Infoblox reports:
- Managed DDI Peak IP Usage Trend
- Managed DNS Peak Usage Trend
- Managed DDI Features Enabled
Flex Grid Activation License
The Flex Grid Activation License now supports the following features in addition to the previously supported features:
- Cloud Network Automation (only when IB-FLEX is the Grid Master)
- Captive Portal
Outbound Feature Enhancements
This NIOS release adds the following new enhancements to the outbound feature when the Security Ecosystem license is installed:
- Notification rule supports Security ADP, Schedule, and Object Change Discovery Data event types. Notifications are also sent for network container changes and object change discovery data. For more information, see Configuring Notification Rules.
- Infoblox allows you to exclude the name field for each step, modify endpoint configuration during template execution, repeat a parse operation, and use template functions that will contain the list of steps to be executed. New parse operations are introduced and existing parse operations are enhanced to evaluate or remove strings. For more information, see About Outbound Templates.
- You can configure query FQDN for outbound threat protection events and choose maximum labels in FQDN that can be configured at the Grid and/or member level. For more information, see Enabling Query FQDN for Outbound Notifications.
- ActiveTrust Cloud Clients: This release supports the use of Infoblox ActiveTrust Cloud Client to allow interaction between the ActiveTrust Cloud platform and external outbound endpoints using the Outbound notifications feature. The ActiveTrust Cloud Client uses threat API calls to request security events from the Cloud Services Portal and convert data to outbound events. With the ActiveTrust Cloud Client, you can periodically pull blocked or locked malicious DNS requests. Infoblox enables you to configure notification rules to filter incoming events using the following fields: Threat Origin (NIOS, ActiveTrust Cloud), ActiveTrust Cloud Hit Type (DNS RPZ, Threat Analytics), ActiveTrust Cloud Hit Class and ActiveTrust Cloud Hit Property. For more information, see Configuring ActiveTrust Cloud Clients for Outbound.
Support for Cisco ISE 2.3 and 2.4
NIOS now supports integration with Cisco Identity Services Engine (ISE) versions 2.3 and 2.4.
Prefix Length Mode for DHCPv6 (RFE 8836)
You can now set the prefix length mode for DHCPv6 servers. The prefix length mode determines the prefix selection rules employed by the DHCPv6 server when a DHCPv6 client sends an empty prefix with just a prefix length as a hint for the server to specify the required prefix length. For information about the prefix length mode options available, see the “Setting the Prefix Length Mode for DHCPv6” topic in the NIOS online documentation.
Including View Names as an EDNS Option (RFE 8238)
You can now include DNS view names as an EDNS option in recursive queries forwarded from NIOS. For more information, see the “Specifying Forwarders” section in the “Using Forwarders” topic in the NIOS 8.3 online documentation.
Splunk Reporting API Calls (RFE 8912)
API calls made from Splunk reporting to the Cloud Services Portal now use the configured proxy server.
Infoblox ADP Performance Improvements
DCA first: You can now configure NIOS such that DNS queries and packets are first passed on to DNS Cache Acceleration (DCA). If the query is valid and the answer is in the cache, the query is answered by DNS Cache Acceleration. To configure this, you must select the Enable DNS responses from acceleration cache before applying Threat Protection rules check box. For more information, see the “Handling DNS Queries Through DNS Cache Acceleration” topic in the NIOS 8.3 online documentation.
IB-FLEX support on AWS
The IB-FLEX platform is now supported on AWS. For more information, see About IB-FLEX.
CLI commands to change the IP address of the Docker bridge
NIOS supports the following new CLI commands to change the IP address of the Docker bridge when DNS forwarding proxy is enabled on a member:
- set docker_bridge
This command changes the current Docker bridge IP address to the IP address that you specify.
- show docker_bridge
This command displays the current Docker bridge settings.
HTTP Strict Transport Security Support (RFE-7286)
NIOS now supports the HTTP Strict Transport Security (HSTS) security policy and communication between the browser and the NIOS server occurs only through HTTPS. The HSTS header is added to avoid man-in-the-middle (MITM) attacks that may occur through HTTP requests.
Unique Session ID (RFE-8268)
NIOS now generates a unique session ID and rejects incoming requests that do not have the unique ID. Browser security headers are added to avoid MITM, CSRF, XSS, and MIME attacks.
Super Host (RFE-297)
With this NIOS release, Infoblox introduces configuration of super hosts. A super host is a collection of resource records or fixed addresses that belong to a single network device, such as a router or a switch, or an application server. You can configure and manage multiple interfaces, IP addresses, and DNS and DHCP records that are associated with the same physical or virtual device. For more information, see Configuring Super Hosts.
DTC SRV Records (RFE-7950)
You can now create, update, and delete SRV records in a DTC server. For more information, see Managing DNS Traffic Control Objects.
Support of Wildcards in the Certificate Subject (RFE-311)
NIOS now supports SSL/TLS (x509) server certificates with a ‘*’ in the subject. For more information, see Managing Certificates.
DNSSEC Secure Responses (RFE-6478)
You can now configure the appliance to secure responses for domains that are not DNS secure.
DTC Health Checks (RFE-7753)
You can choose the DTC health monitors whose DTC health checks are considered when calculating the health status of a member in a pool. For more information, see Configuring DTC Monitors for Health Check.
Support for CSV Import/Export of DTC Objects (RFE-6643)
This release of NIOS provides CSV import and export for DTC objects. This feature:
- Enables external parsing of DTC configuration data
- Enables historical backups of DTC configurations
- Facilitates migrations from competitive load balancing solutions
For more information, see DTC Header Items.
Enhancement for DTC Persistence (RFE-7791, RFE-7790)
From this NIOS release onwards, even if the DNS restart takes longer than the value specified in the Persistence field in the DTC LBDN wizard, the DNS server now directs the request to the same server. This provides persistence redundancy so that applications can maintain state even when Grid member services are interrupted.
For more information, see Managing DNS Traffic Control Objects.
Back Up DTC Configuration Files (RFE-7948)
You can back up and restore DTC configuration files in the same way as you would back up configuration files or discovery database files. For more information, see Backing Up DTC Configuration Files.
Enabling Fixed RRset Ordering for NAPTR Records (RFE-7744)
You can now enable fixed RRset ordering for the authoritative zone to save the order of the NAPTR records that are imported to the zone using CSV import.
For more information, see Enabling Fixed RRset Ordering for NAPTR Records.
Including Client IP and MAC addresses to Outgoing Queries (RFE-8238)
When you configure NIOS to forward recursive queries to ActiveTrust Cloud, you can now include the following in the outgoing recursive queries: the IP address and the MAC address of the client from which the DNS query was initiated as well as the EDNS0 custom options. You can also configure NIOS to copy and validate the client IP address and MAC address from incoming queries to outgoing queries. Note that this feature is designed to work with forwarding recursive queries to legitimate Infoblox DNS servers.
For more information, see Using Forwarders.
New OIDs for ibPlatformOne MIB (RFE-8520)
This release of NIOS introduces the following new OIDs for the ibPlatformOne MIB file:
For more information about the OIDs, see SNMP MIB Hierarchy.
Mixed SRIOV/Virtio Support with NIC Bonding on OpenStack (RFE-8007)
NIOS now supports mixed SRIOV/Virtio with NIC bonding on OpenStack.
Generating CSR using SHA-384 (RFE-7569)
NIOS now supports CSR and self-signed certificates using SHA-384 and SHA-512.
Support for BGP 4-byte ASN (RFE-6862)
This release of NIOS supports BGP 4-byte Autonomous System Numbers (ASN) configurations.
Changes to the default values of unbound parameters (RFE-8301)
Default values for the following unbound parameters have been updated:
|Unbound Parameter||Default Value|
Forwarding Recursive Queries to ActiveTrust Cloud
You can now configure NIOS to forward recursive queries to ActiveTrust Cloud. For more information, see Using Forwarders.
Network Insight Enhancements
This NIOS release adds the following enhancements for Network Insight:
- Discovery Diagnostics for Non-IPAM Networks (RFE-6804): Network Insight can now perform discovery diagnostics for devices or IP addresses that are associated with networks that you have not defined in IPAM. When you select a discovery member for an IP address that does not exist in any IPAM network or is excluded from discovery, Network Insight can now create a discovery diagnostic task for the IP address.
- Additional Discovered Data: Additional wireless discovery data is now included with the endpoint IP addresses being synchronized with NIOS. The additional data includes wireless access point name, wireless access point IP address, and SSID. This data complements the wireless controller that is already being synchronized.
- Discovery Best Practices Guide: A brand new document that discusses best practices for discovering new devices on networks. For more information, see <...>.
- Updated NetMRI 7.2.2 NIOS 8.3 Device Support List: Added new devices verified to work with NetMRI 7.2.2 and Network Insight 8.3. For more information, see NetMRI 7.2.2 NIOS 8.3 Device Support List.
Enhancements for Software ADP DNS Cache Acceleration Platforms
This NIOS release adds the following enhancements for Software ADP DNS Cache Acceleration Platforms:
- Support for accelerated Software ADP on the following appliances: IB-1415, IB-1425, IB-2215, IB-2225, IB-4015, and IB-4025 (both physical and virtual platforms)
- Support for non-accelerated Software ADP on IB-2210 and IB-2220 platforms (both physical and virtual platforms) (RFE-7732)
- Support for sortlist and DNS64 features for vDCA on IB-FLEX platforms
VLAN Tagging Support
VLAN tagging is supported by all virtual appliances.
Subject Alternative Name Certificate Support (RFE-1256)
This NIOS release supports the use of Subject Alternative Name (SAN) in SSL certificates.
Support for ALIAS Records (RFE-3808)
NIOS now supports the creation of an ALIAS record, for a standard record type, that aliases the root domain (apex zone) to another name. An ALIAS record can be used to host a website at a domain name without the "www" (or other) prefix when using cloud services such as Amazon Web Services, Azure VMs, GitHub Pages, Heroku, and so on.
Support for CAA Resource Record (RFE-4537)
NIOS now supports the CAA (Certification Authority Authorization) DNS resource record. A CAA resource record enables domain owners to define the CAs (Certificate Authorities) that can issue certificates for a domain. When you define a CAA record, only the CAs listed in the records can issue certificates for the respective domain. With CAA, you can also define notification rules to manage requests for a certificate from a non-authorized CA. Infoblox represents flag values in the form of bits and allows you to define a value for Type (tag) other than the pre-defined values. For more information, see Adding CAA Records.
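The flag bits and custom tags mentioned above decide whether a CA may issue. The following added example (not Infoblox code) parses wire-format CAA RDATA as defined in RFC 8659 and evaluates an RRset, including the case where a custom tag has the issuer-critical bit set. The CA names, the account parameter and the `futuretag` tag are constructed sample values.

```python
# Added example: CAA RDATA handling per RFC 8659. All sample data is constructed.
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80  # bit 0 (most significant bit) of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)

def parse_caa_rdata(rdata: bytes) -> CAA:
    """Decode wire-format RDATA: flags (1) | tag length (1) | tag | value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than 2 octets")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("CAA tag length out of range")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError("CAA tag must be ASCII letters and digits")
    # Tags are matched case-insensitively, so normalise to lower case.
    return CAA(flags, tag.lower(), rdata[2 + tag_len:].decode("ascii"))

def issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value, parameters after ';' dropped."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(rrset: list, ca_domain: str, wildcard: bool = False) -> bool:
    """True if a CA identified by ca_domain may issue under this CAA RRset."""
    # An unrecognised tag with the critical bit set forbids issuance outright.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    relevant = [r for r in rrset if r.tag == "issue"]
    if wildcard:
        # issuewild, when present, replaces issue for wildcard names.
        relevant = [r for r in rrset if r.tag == "issuewild"] or relevant
    if not relevant:
        return True  # e.g. only iodef present: CAA does not restrict issuance
    return ca_domain.lower() in {issuer_domain(r.value) for r in relevant}

def make_rdata(flags: int, tag: str, value: str) -> bytes:
    """Build wire-format RDATA for the constructed samples below."""
    return bytes([flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")

# Constructed RRset: one CA allowed, wildcards forbidden, an incident contact.
SAMPLE_RRSET = [parse_caa_rdata(make_rdata(*r)) for r in (
    (0, "issue", "ca.example.net; account=12345"),
    (0, "issuewild", ";"),
    (0, "iodef", "mailto:security@example.com"),
)]
# Same RRset plus a custom (non-predefined) tag marked issuer-critical.
CRITICAL_CUSTOM = SAMPLE_RRSET + [parse_caa_rdata(make_rdata(128, "futuretag", "x"))]

if __name__ == "__main__":
    for ca, wild in (("ca.example.net", False), ("ca.example.net", True),
                     ("other-ca.example.org", False)):
        print(ca, "wildcard" if wild else "fqdn", may_issue(SAMPLE_RRSET, ca, wild))
    print("critical custom tag:", may_issue(CRITICAL_CUSTOM, "ca.example.net"))
```

A custom tag with flags 0 is ignored by CAs that do not understand it, while the same tag with flags 128 blocks issuance by those CAs, so the flag value chosen for a non-predefined tag matters.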
Enhancements for Nested AD Groups (RFE-7580)
In addition to the default nested AD group, you can now define multiple organizational units and add non-default AD admins and groups to these units. For more information, see Authenticating Admins Using Active Directory.
Cloud Certificates Management (RFE-8048)
You can now manage the CA certificate in NIOS for the public clouds AWS and Azure. You can upload valid CA certificates from the Grid Manager if the root CA expires. For more information, see Managing Certificates.
Support for Microsoft Azure Government cloud
This release of NIOS supports the Microsoft Azure Government cloud platform.
Support for Java 1.7 (RFE-5158)
You can make REST API calls using Java version 1.7 and later. For more information, see Using NIOS APIs.
DHCP Fingerprint Data Enhancement
Infoblox has upgraded the DHCP fingerprint file in the NIOS database, adding new fingerprints and changing some fingerprint descriptions. Thus, the appliance can now detect and identify additional devices and return new DHCP fingerprints, and you might also see changes in certain fingerprint descriptions.
Cisco ISE Endpoint Enhancements
- When adding a notification rule for a Cisco ISE endpoint, you can add the rule to PT appliances in NIOS 8.3.4. In other NIOS versions, you can add a rule only to IB appliances.
- In NIOS 8.3.4, the Quarantine the end host action and Notify target data action are published through the subscribing member. Only the subscribing member can publish data to the Cisco pxGrid node.
New Policy for Subscriber Parental Control (RFE 8665)
NIOS can now receive a new AVP (Attribute Value Pair) called the PCC (Parental Control Category) policy from the RADIUS server. The PCC policy is a 128-bit string, and it defines how to service domains in a particular category.
Reporting Data Retention (RFE 9394)
You can now specify whether you want to retain reporting data and specify the number of days for which you want the data to be retained.
You can also configure the delete permission on reporting data for a local admin user who has superuser permissions by running the following new commands:
You can also select reporting data that you want to delete after enabling the delete permission for local admin users who have superuser permission. For information about this feature, see the Deleting Reporting Data section in the About Reports topic in the NIOS online documentation.
NIOS SPPC Lease2RADIUS Installation (RFE 9520)
You can now add subscribers by using DHCP server logs. This procedure involves creating Python scripts and their associated init scripts in Linux to parse DHCP log files and send RADIUS accounting request messages to a RADIUS accounting server. For detailed installation and configuration instructions, see the NIOS SPPC Lease2RADIUS Installation and Configuration Guide.
NAT Port as IPSD (RFE-9527)
NIOS now supports CGNAT (Carrier Grade NAT). Multiple subscribers share the same public IP address. In specific NATing algorithms that use port block (known port range allocation), the IP address and the first usable port (which is a new AVP called Deterministic-NAT-Port) for the subscriber are provided in a RADIUS accounting AVP. You can select this AVP from the IP Space Discriminator drop-down list. For more information, see Scaling Using Subscriber Sites.