The NIOS 8.4 release includes the following new features and enhancements:
The DHCP server can now update host object names and fixed addresses for IPv6-only devices. It can also enable DDNS on an IPv6-only Grid member.
This release of NIOS introduces the following commands:
set restart_anycast_with_dns_restart: Sets DNS and anycast start and restart sequences. This command brings down the anycast service during the DNS restart or stops and redirects the traffic on the IP address of anycast to another site. You can use this command only on Grid Master.
show restart_anycast_with_dns_restart: Displays the status of the
NIOS 8.4.8 uses the upgraded Splunk version 7.2.6.
You can now download Ptop log files that comprise database metrics, which you can use to determine the health of the NIOS database and baseline its performance. Based on the database performance, you can ascertain the impact of changes such as adding a Grid member or enabling features such as Grid replication for DNS zones or multi-master DNS, on the database performance. You can download the Ptop log files by using a WAPI call. For more information, see Collecting Database Performance Data.
You can configure the Cloud Services Portal and schedule the entire threat indicator database download from the Cloud Services Portal. The threat category information is then sent to the reporting server to augment RPZ hits and reports are generated. Caching threat category information from the Cloud Services Portal helps enhance the performance of threat reports as data is fetched from the cache that is stored locally. You can also download incremental updates from the threat indicators of the Cloud Services Portal. The incremental threat indicator is downloaded only after the whole threat indicator is downloaded from the Cloud Services Portal.
You can configure threat indicator caching by using the Threat Indicator Caching > Basic tab in the Grid Reporting Properties editor. For more information, see Grid Reporting Properties.
You can now add TLSA records in both DNSSEC signed zones and unsigned zones.
NIOS is now supported on Infoblox IPAM Driver for Red Hat OpenStack Platform version 13. For details about installing Infoblox IPAM Driver for Red Hat OpenStack Platform and configuring Grid Manager on the platform, see the Infoblox IPAM Driver for Red Hat OpenStack Platform 13 documentation.
NIOS is now supported on Infoblox IPAM Driver for Red Hat OpenStack Rocky version. For details about installing Infoblox IPAM Driver for Red Hat OpenStack Rocky and configuring Grid Manager on the platform, see the IPAM Driver for OpenStack Neutron documentation.
You can now configure NIOS to support SMTP authentication over TLS. NIOS authenticates against the SMTP server using the user name you specify. For more information, see Notifying Administrators.
You can specify the same client ID and client secret for a vDiscovery job in which multiple subscriptions are associated with a single application in Microsoft Azure. For more information, see Configuring vDiscovery Jobs.
You can now specify the maximum and minimum levels of subdomains to block tunneling instead of specifying only the top-level domain. For more information and examples, see About Infoblox Threat Insight.
You can now view and download the latest whitelist files based on the default or a custom schedule. For more information and examples, see About Infoblox Threat Insight.
This version of NIOS introduces the following new commands that let you transfer the Grid Manager database backup file to a remote SCP server:
The Threat Analytics license is now applicable to the entire Grid and not just specific members. If you now install the Threat Analytics license, it is applied to all the Grid members. For more information about Grid-Wide Threat Analytics license, see About Infoblox Threat Insight.
The IP Address column in the global search results is now updated to IP Address/Data. For resource records that do not have an IP address, this column displays the value that you entered in another field when creating the record. This field varies depending on the type of record. For more information, see Finding and Restoring Data.
You can now navigate from a VLAN object to the IPAM objects that it is linked to. The IPAM objects are displayed as hyperlinks in the Assigned To column of the VLAN tab. You can click the hyperlink to view the IPAM object details. For more information, see Configuring VLAN Objects.
You can now specify a Data Connector port number if you have configured a Data Connector as an SCP source into which to send the DNS log files. Specify the port number in the new TCP Port field in the Data Management > Logging tab. You can specify a value from 1 to 65535. The default port number is 22. For more information, see Capturing DNS Queries and Responses.
You can now use Infoblox vNIOS for AWS to start DHCP services for private networks. For more information, see the online Installation Guide for vNIOS for AWS.
This version of NIOS introduces a REST API to create a Microsoft server. NIOS supports CREATE, MODIFY, DELETE, and other operations for the Microsoft server. For details, see the NIOS WAPI documentation.
The show config command has been enhanced with the following new arguments:
For more information, see show config.
NIOS now supports inherited fields for Network (network or IPv6 network), Range (range or IPv6 range), and Fixed Address (fixed address or IPv6 fixed address) objects using WAPI. For details, see the NIOS WAPI documentation.
The severity of the syslog messages when IP addresses are skipped in a CSV import during a NETMRI and IPAM synchronization has changed from Error to Info/Warning.
NIOS can now receive a new AVP (Attribute Value Pair) called the PCC (Parental Control Category) policy from the RADIUS server. The PCC policy is a 128-bit string, and it defines how to service domains in a particular category. If the PCC category matches a category, then a CEF log message is logged as a warning in the syslog for domains in that category; however, these domains are not blocked.
You can now specify whether you want to retain reporting data and specify the number of days for which you want the data to be retained. You can also configure the delete permission on reporting data for a local admin user who has superuser permissions by running the following new CLI commands:
You can also select reporting data that you want to delete after enabling the delete permission for local admin users who have superuser permission. For information about this feature, see the Deleting Reporting Data section in the About Reports topic.
You can now add subscribers by using DHCP server logs. This procedure involves creating Python scripts and their associated init scripts in Linux to parse DHCP log files and send RADIUS accounting request messages to a RADIUS accounting server.
For detailed installation and configuration instructions, see the NIOS SPPC Lease2RADIUS Installation and Configuration Guide at https://drive.google.com/drive/folders/1ym8uzU99LnNyY_MPyc8QXP5rC_XoyKki
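An added illustration of the procedure described above (not Infoblox's Lease2RADIUS script): it parses DHCPACK lines from a DHCP log and builds RFC 2866 Accounting-Request (Start) packets. The log line format (ISC dhcpd syslog style), the attribute set, and the shared secret are assumptions constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import re
import struct

# Constructed sample log (assumed ISC dhcpd syslog style, not taken from NIOS).
SAMPLE_LOG = """\
Jan 10 12:00:01 ns1 dhcpd[2211]: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
Jan 10 12:00:02 ns1 dhcpd[2211]: DHCPACK on 192.0.2.25 to 00:11:22:33:44:55 (laptop-7) via eth1
Jan 10 12:00:05 ns1 dhcpd[2211]: DHCPACK on 192.0.2.999 to 00:11:22:33:44:66 via eth1
Jan 10 12:00:09 ns1 dhcpd[2211]: DHCPACK on 192.0.2.31 to 66:77:88:99:AA:BB via eth1
"""

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE)

def parse_acks(log_text):
    """Yield (ip, mac, hostname or None) for each well-formed DHCPACK line."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m["ip"])
        except ValueError:
            continue  # digits matched the regex but are not a valid address
        yield ip, m["mac"].lower(), m["host"]

def _attr(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def accounting_start(ip, mac, secret, identifier):
    """Build an Accounting-Request (code 4) with Acct-Status-Type = Start."""
    attrs = b"".join([
        _attr(1, mac.encode()),            # User-Name (assumed: client MAC)
        _attr(8, ip.packed),               # Framed-IP-Address
        _attr(31, mac.encode()),           # Calling-Station-Id
        _attr(40, struct.pack("!I", 1)),   # Acct-Status-Type = Start
        _attr(44, f"{mac}-{ip}".encode()), # Acct-Session-Id (assumed scheme)
    ])
    header = struct.pack("!BBH", 4, identifier & 0xFF, 20 + len(attrs))
    # RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def verify_authenticator(packet, secret):
    """Receiver-side check that the packet was built with the shared secret."""
    zeroed = packet[:4] + b"\x00" * 16 + packet[20:]
    expected = hashlib.md5(zeroed + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_requests(log_text, secret):
    """One Accounting-Request per valid DHCPACK line, in log order."""
    return [accounting_start(ip, mac, secret, i)
            for i, (ip, mac, _host) in enumerate(parse_acks(log_text))]
```

Each packet returned by `build_requests` is ready to send over UDP to the accounting server (port 1813 by default); the malformed address in the sample log is skipped rather than forwarded.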
You can configure NIOS so that a traffic capture may be triggered for parameters such as outgoing recursive queries, DNS latency, and recursive DNS latency. For more information see Enabling Automated Traffic Capture.
You can disable lazy loading that was originally implemented to improve memory performance and provide faster load time of objects using the following commands:
show disable_lazyload: Displays the status of lazy loading.
set disable_lazyload: Enables or disables the lazy loading of objects.
You can back up or schedule a backup of the reporting database to an SSH server that supports SCP. For more information, see Managing Reporting Data.
Whitelist sets have been updated. You can synchronize to obtain the latest version of whitelists by selecting the Updates > Configure Automatic Updates check box on the Threat Analytics tab.
You can now select multiple VLAN objects and edit them at a single instance. You can also delete only a VLAN range and not the VLAN objects that belong to the range. For more information, see the Configuring VLAN Objects and Configuring VLAN Ranges topics respectively.
You can use Grid Manager to create a new vDiscovery job for GCP (Google Cloud Platform). For more information, see Configuring vDiscovery Jobs.
If the set rpz_recursive_only command is set to no, you can deselect the Enable Recursion check box even if the RPZ zone is configured as the Grid secondary. In a DNS view, if the set rpz_recursive_only command is set to no for one zone and not set to no for another zone, then you cannot disable recursion. For more information, see Configuring DNS Views.
You can now enter a dot (.) in the Mail Exchanger field when creating an MX record. When you enter a dot, it means that the domain is a parked domain and will not receive or send email. For more information, see IPAM Task Pack.
NIOS 8.4 supports SAML (Security Assertion Markup Language) 2.0 authentication for single sign-on. By enabling SAML, user management is delegated to an external application, relieving IT administrators of the complexity of maintaining user accounts in all the applications (also known as Service Providers) used by the organization. Instead, IT administrators need to maintain one account in the Identity Provider (IDP), which can be used across Service Providers (SPs). The IDP is the application server that maintains the user accounts of the entire organization. IT administrators can manage users' access rights in one place. Users can log in to the IDP directly and, once logged in, they can move to the required SP without being prompted for the user ID and password. SAML helps NIOS delegate identity management to a third-party SSO application (IDP) and thereby eases administrative effort.
For more information about SAML authentication, see the Authenticating Admins Using SAML topic.
The NIOS UI has been revamped with a lighter color scheme and an updated alignment of UI elements. This is to enhance visibility thereby offering a superior customer experience and at the same time retaining all existing functionality.
NIOS 8.4 contains the following security-related enhancements. All these enhancements can be performed only by a superuser:
NIOS 8.4 contains the following Network Insight enhancements:
NIOS 8.4 allows you to track the VLAN usage in your network, thereby allowing you to compare an assigned VLAN with VLANs discovered by Network Insight. You can then generate inventory and conflict reports based on this data.
For more information, see VLAN Management.
The OpenSSH package in NIOS 8.4 has been upgraded to OpenSSH_7.7p1.
Infoblox has introduced support for HTTP Strict Transport Security (HSTS), a browser mechanism, to prevent an attacker from intercepting and modifying network traffic.
The audit log has been enhanced to contain more detailed WAPI session log information. The audit log will contain specific WAPI call URI, InData and response time for WAPI PUT, POST, and DELETE queries. For more information, see Monitoring Tools.
You can configure NIOS so that a traffic capture may be triggered at set intervals and parameters such as Cache Hit Ratio and Queries Per Seconds. You can then analyze the traffic capture data and use it to gather production data thus reducing the time taken for root cause analysis. You can also attach the traffic capture data to a support case so that Infoblox Support can take the investigation forward. For more information, see Enabling Automated Traffic Capture.
The NIOS web application has been enhanced to include a few headers in the landing pages that protect the website from cross-site request forgery (CSRF, sometimes pronounced sea-surf, or XSRF). Cross-site request forgery, also known as a one-click attack or session riding, is a type of malicious exploit of a website in which unauthorized commands are transmitted from a user that the web application trusts.
In addition to the relay agent IDs, NIOS also supports the Option 82 Link Selection and Server ID Override sub-options, which allow DHCPv4 to operate in a network architecture where direct communication between the DHCP server and DHCP client is undesirable or infeasible. These sub-options can direct DHCP traffic to go through the relay agent and have more control over your DHCP communications. For more information, see About the DHCP Relay Option (Option 82).
You can now set the dhcp6.rapid-commit (14) option at the network, network container, and shared network levels for IPv6 DHCP options.
You can now back up system files to an SCP server using Infoblox keys. Only the ECDSA and RSA keys are supported. For more information, see Backing Up and Restoring Configuration Files.
The set tcp_timestamps and the show tcp_timestamps commands have been introduced to determine the status of the TCP timestamps. For more information, see the set tcp_timestamps and show tcp_timestamps topics.
NIOS now supports BIND version 9.11.
NIOS now supports a new resource record named Unknown Record. You can define a DNS resource record of an arbitrary type as an Unknown record. NIOS converts the Unknown record to the record type you assign. For more information, see Managing Resource Records.
NIOS now runs in a lightweight runtime Docker container hosted on Alpine Linux.
NIOS is now supported on the Google Cloud platform.
You can now set the prefix length mode for DHCPv6 servers. The prefix length mode determines the prefix selection rules employed by the DHCPv6 server when a DHCPv6 client sends an empty prefix with just a prefix length as a hint for the server to specify the required prefix length. For information about the prefix length mode options available, see Setting the Prefix Length Mode for DHCPv6.
Infoblox enables you to capture traffic for a single member or multiple Grid members simultaneously. For more information, see Monitoring Tools.
NIOS 8.4 introduces the following enhancements for the Ecosystem feature:
As per the enhancement, members that are not selected for health checks are not considered when calculating the health status. Only those members that are in the consolidated list perform the local health check and share the health status across members that are in the non-selected list but are still a part of the DTC pool.
The application is enhanced to display warning messages at the zone, view, network and member levels while deleting and disabling objects to avoid accidental deletion. Similarly, warning messages are displayed while recovering zones, views, and network objects indicating that the process might take a longer time if the amount of data is huge. For more information, see Configuring IPv4 Networks.
A NIOS command has been enhanced to parse the database and remove unwanted abandoned leases.
The proxy server has been enhanced to send API requests from the:
For more information, see Configuring Proxy Servers.
The following two CLI commands that allow you to configure the RPZ recursive-only statement at the zone level or the view-level have been introduced:
set rpz_recursive_only zone_name or
set rpz_recursive_only view_name
show rpz_recursive_only zone_name or
show rpz_recursive_only view_name
You can now choose an interface, instead of the default MGMT or LAN1 interface, to send SNMP traps to the trap receivers. This is valid for both a Grid member and a standalone Grid. For more information, see Defining Interfaces for SNMP Traps.
A new option is added to disable generation of name server records in a parent authoritative zone that has a subzone, which is conditionally forwarded. The NIOS appliance will not generate name server records and deletes the existing records from the parent authoritative zone when this check box is selected. For more information, see Configuring a Forward Zone.
The subscriber cache in DNS Cache Acceleration has been enhanced to include the Local ID (client_id) for IB-4030 and IB-FLEX appliances. For more information, see Configuring Infoblox Subscriber Insight and Subscriber Policy Enforcement.
You can now configure the email address from which to send email notifications in the From Email Address field. For more information, see Notifying Administrators.
NIOS now supports the integration with Cisco Identity Services Engine (ISE) version 2.4.
NIOS now supports the Cloud Platform appliance on the following platforms: CP-V805, CP-V1405, CP-V2205
You can perform a GCP vDiscovery job to detect and obtain information about virtual entities and interfaces in the GCP. You can discover tenants, subnets, VPCs, and workload VMs through Infoblox vDiscovery for GCP. Infoblox vDiscovery for GCP is available only to Beta customers.
set subscriber_secure_data never_proxy and the show subscriber_secure_data never_proxy CLI commands. You can use these commands to set and view the hexadecimal characters that represent the list of categories in the global list used to resolve DNS queries without proxying to an MSP (Multi-Services Proxy) server. For more information, see the set subscriber_secure_data never_proxy and the show subscriber_secure_data never_proxy topics.
Proxy-All setting to 1 to have DNS queries processed by NIOS. The MSP server will process the queries only if NIOS is unable to categorize the DNS queries.
Support for termination of all user connections traversing Multi-Services Proxy (MSP) upon activation of the block-all Parental Control Policy (PCP), or any PCP change for subscribers behind the home gateway (CPE) when identified by the EDNS0 local ID. You can re-establish connections depending on the new PCP value.
To support proxy subscribers, the configuration must first resolve locally by ensuring that 127.0.0.1 is the first in the list of resolvers. You can do this either globally through Grid DNS properties -> DNS Resolver, or locally through Member DNS properties -> DNS Resolver.
DCA first: You can now configure NIOS such that DNS queries and packets are first passed on to DNS Cache Acceleration (DCA). If the query is valid and the answer is in the cache, the query is answered by DNS Cache Acceleration. To configure this, you must select the Enable DNS responses from acceleration cache before applying Threat Protection rules check box. For more information, see Handling DNS Queries Through DNS Cache Acceleration.
The IB-FLEX platform is now supported on AWS. For more information, see About IB-FLEX.
NIOS supports the following new CLI commands to change the IP address of the Docker bridge when DNS forwarding proxy is enabled on a member:
set docker_bridge: This command changes the current Docker bridge IP address to the IP address that you specify.
show docker_bridge: This command displays the current Docker bridge settings.
NIOS now generates a unique session ID and rejects incoming requests that do not have the unique ID. Browser security headers are added to avoid MITM, CSRF, XSS, and MIME attacks.