In this example, you will configure the NIOS appliance as a primary DNS server for corpxyz.com. Its FQDN (fully-qualified domain name) is ns1.corpxyz.com. The interface IP address of the LAN1 port is 10.1.5.2/24. Because this is a private IP address, you must also configure the firewall to perform NAT (network address translation), mapping the public IP address 1.1.1.2 to 10.1.5.2. Using its public IP address, ns1 can communicate with appliances on the public network.

The FQDN and IP address of the external secondary DNS server are ns2.corpxyz.com and 2.2.2.2. The ISP hosts this server. You can deploy a NIOS appliance in IPv4, IPv6, or dual mode (IPv4 and IPv6), but this configuration example uses IPv4 addresses.

The primary and secondary servers answer queries for the following public-facing servers in the DMZ:

  • www.corpxyz.com
  • mail.corpxyz.com
  • ftp.corpxyz.com

When you create the corpxyz.com zone on the NIOS appliance, you import zone data from the legacy DNS server at 10.1.5.3.

Figure 6.5 Example 1 Network Diagram

Cabling the Appliance to the Network and Turning On Power

Connect an Ethernet cable from the LAN1 port of the NIOS appliance to a switch in the DMZ network and turn on the power. For information about installing and cabling the appliance, refer to the user guide or installation guide that ships with the product.

Specifying Initial Network Settings

Before you can configure the NIOS appliance through Grid Manager, you must be able to make a network connection to it. The default network settings of the LAN1 port are 192.168.1.2/24 with a gateway at 192.168.1.1 (the HA and MGMT ports do not have default network settings). To change these settings to suit your network, use either the LCD or the console port.

In this example, you change the IP address/netmask of the LAN1 port to 10.1.5.2/24, and the gateway to 10.1.5.1.

LCD

The NIOS appliance has an LCD and navigation buttons on its front panel.

At startup, the Infoblox logo appears in the LCD on the front panel of the appliance. Then the LCD scrolls repeatedly through a series of display screens.

  1. To change the network settings from the default, press one of the navigation buttons.
    The LCD immediately goes into input mode, in which you can enter the IP address, netmask, and gateway for the LAN1 port.
  2. Use the navigation buttons to enter the following information:
    • IP Address: 10.1.5.2
    • Netmask: 255.255.255.0
    • Gateway: 10.1.5.1

Specifying Appliance Settings

When you make the initial HTTPS connection to the NIOS appliance, the NIOS Startup Wizard guides you through the basic deployment of the appliance on your network. Use the wizard to enter the following information:

  • Deployment: single independent appliance
  • Host name: ns1.corpxyz.com
  • Password: SnD34n534
  • NTP (Network Time Protocol) server: 10.120.3.10; time zone: (UTC – 8:00) Pacific Time (US and Canada), Tijuana


  1. Open an Internet browser window and enter https://10.1.5.2.
  2. Accept the certificate when prompted.
    Several certificate warnings may appear during the login process. This is normal because the preloaded certificate is self-signed and has the hostname www.infoblox.com, which does not match the destination IP address you entered in step 1. To stop the warnings from appearing each time you log in to Grid Manager, generate a new self-signed certificate or import a third-party certificate whose common name matches the FQDN (fully-qualified domain name) of the appliance. For information about certificates, see Creating a Login Banner.
  3. Enter the default username and password (admin and infoblox) on the Grid Manager login page, and then click Login or press ENTER. For information, see Logging on to the NIOS UI.
  4. Read the Infoblox End-User License Agreement, and then click I Accept to proceed.
  5. Read about the Infoblox Customer Experience Improvement Program and choose whether to participate (opt in) or not participate (opt out) in the program. By default, participation is enabled. If you want to opt out of the program, select To Opt-Out of the alert program, please click here. For more information about the program, see Configuring the Customer Experience Improvement Program.
  6. Click OK. Grid Manager may take a few seconds to load your user profile.
  7. In the first screen of the NIOS Startup wizard, complete the following:
    • Type of Network Connectivity: Select IPv4 from the drop-down list.
    • Are you configuring an HA pair or a standalone appliance?: Select Configuring a standalone appliance. To configure an independent HA pair, see Deploying an Independent HA Pair.
  8. Click Next and complete the following to configure network settings:
    • Host Name: Enter ns1.corpxyz.com.
    • Ports and Addresses: Specify the network settings for LAN1 (IPv4) port.
      Enter correct information for the following by clicking the field:
      • IP Address: Enter 10.1.5.2 as the IPv4 address for the LAN1 port.
      • Subnet Mask (IPv4) or Prefix Length (IPv6): Enter 255.255.255.0 as the subnet mask for the LAN1 (IPv4) port.
      • Gateway: Enter 10.1.5.1 as the gateway of the subnet on which the LAN1 port is set.
      • Port Settings: Use the default value Automatic.
  9. Click Next and complete the following to set the admin password:
    • Would you like to set admin password?: Click Yes.
    • Password: Enter SnD34n534.
    • Retype Password: Enter SnD34n534 again.
  10. Click Next and complete the following to configure the time settings:
    • Time Zone: Select (UTC – 8:00) Pacific Time (US and Canada), Tijuana from the drop-down list.
    • Would you like to enable NTP?: Select Yes to synchronize the time with external NTP servers, and then click the Add icon. Grid Manager adds a row to the NTP Server table. Click the row and enter 10.120.3.10 in the NTP Server field.
  11. Click Next to view the summary of the configuration. Review the information and verify that it is correct. You can change the information you entered by clicking Previous to go back to a previous step.
  12. Click Finish.

Enabling Zone Transfers on the Legacy Name Server

To allow the appliance to import zone data from the legacy server 10.1.5.3, you must configure the legacy server to allow zone transfers to the appliance at 10.1.5.2.

Legacy BIND Server

  1. Open the named.conf file in a text editor and add or change the allow-transfer statement as shown below. The statement restricts zone transfers (AXFR/IXFR) to the listed addresses, so only the NIOS appliance at 10.1.5.2 can pull the zone:
    • For All Zones — To set allow-transfer as a global statement in the options block of named.conf, which applies to every zone that does not override it:
      options {
          zone-statistics yes;
          directory "/var/named/named_conf";
          version "";
          recursion yes;
          listen-on { 127.0.0.1; 10.1.5.3; };
          allow-transfer { 10.1.5.2; };
          transfer-format many-answers;
      };

    • For a Single Zone — To set allow-transfer in the zone statement for the corpxyz.com zone only (a zone-level statement overrides the global one):
      zone "corpxyz.com" in {
          type master;
          allow-transfer { 10.1.5.2; };
          notify yes;
      };
  2. After editing named.conf, restart the DNS service on the legacy server for the change to take effect.
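The global and per-zone allow-transfer statements above interact (the zone-level list wins), and a stray "any" leaves the zone readable by anyone who can reach port 53. The following is an added example, not part of this guide or of NIOS, that parses a constructed named.conf in the same shape and reports the effective transfer policy per zone; the brace walker and the sample zone names other than corpxyz.com are assumptions.

```python
import re
from typing import Optional

# Constructed named.conf text modelled on the legacy-server snippet in this
# guide: a global allow-transfer under options, a per-zone one for
# corpxyz.com, and a deliberately open example.test zone to be flagged.
NAMED_CONF = """
options {
    directory "/var/named/named_conf";
    recursion yes;
    listen-on { 127.0.0.1; 10.1.5.3; };
    allow-transfer { 10.1.5.2; };
    transfer-format many-answers;
};
zone "corpxyz.com" in { type master; allow-transfer { 10.1.5.2; }; notify yes; };
zone "example.test" in { type master; allow-transfer { any; }; };
"""

_ACL_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}\s*;')

def _block(conf: str, header: str) -> str:
    """Text inside the braces of the statement that starts with header
    ('options' or 'zone "name"'); walks nested braces, ignores quoting."""
    m = re.search(r'(?<![\w-])' + re.escape(header) + r'[^{]*\{', conf)
    if not m:
        return ''
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {'{': 1, '}': -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def _acl(block: str) -> Optional[list]:
    """allow-transfer address list inside a block, or None if not stated."""
    m = _ACL_RE.search(block)
    return None if not m else [t.strip() for t in m.group(1).split(';') if t.strip()]

def effective_acl(conf: str, zone: str) -> Optional[list]:
    """Zone-level allow-transfer if present, else the global one, else None."""
    acl = _acl(_block(conf, f'zone "{zone}"'))
    return acl if acl is not None else _acl(_block(conf, 'options'))

def transfer_allowed(conf: str, zone: str, client_ip: str) -> Optional[bool]:
    """True/False when a statement decides it. None means no statement at
    either level, so BIND's version-dependent default applies: review by hand."""
    acl = effective_acl(conf, zone)
    if acl is None:
        return None
    if 'none' in acl:
        return False
    return 'any' in acl or client_ip in acl

def open_transfer_zones(conf: str) -> list:
    """Zones whose effective allow-transfer list contains 'any'."""
    zones = re.findall(r'(?<![\w-])zone\s+"([^"]+)"', conf)
    return [z for z in zones if 'any' in (effective_acl(conf, z) or [])]
```

Run open_transfer_zones against the real file before cutting over; the only zone it should name is one you intend to publish that way.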

Legacy Windows 2000/2003 Server

  1. Click Start -> All Programs -> Administrative Tools -> DNS.
  2. Click + (for ns1) -> + (for Forward Lookup Zones) -> corpxyz.com.
  3. Right-click corpxyz.com, and then select Properties -> Zone Transfers.
  4. On the Zone Transfers page in the corpxyz.com Properties dialog box, enter the following:
    • Allow zone transfers: Select this.
    • Only to the following servers: Select this.
    • IP address: Enter 10.1.5.2, and then click Add.
  5. To save the configuration and close the corpxyz.com Properties dialog box, click OK.

Importing Zone Data on an Independent Appliance

You can import zone data from a legacy server or manually enter it. When you import both forward-mapping and reverse-mapping zone data, the NIOS appliance automatically creates Infoblox host records if corresponding A and PTR records are present. You can then modify the host records to add MAC addresses. However, if you only import forward-mapping zone data, the NIOS appliance cannot create host records from just the A records. In that case, because you cannot later convert A records to host records, it is more efficient to create the corpxyz.com zone, and define host records manually.

Infoblox host records are data models that represent IP devices within the Infoblox semantic database. The NIOS appliance uses a host object to define A, PTR, and CNAME resource records in a single object, as well as a DHCP fixed address if you include a MAC address in the host object definition. The host object prevents costly errors because you only maintain a single object for multiple DNS records and a DHCP fixed address. Therefore, it is advantageous to use host records instead of separate A, PTR, and CNAME records.

Note

If your legacy servers have only forward-mapping zones and you want the NIOS appliance to add reverse-mapping zones, convert the imported A records to host records, and create the matching reverse host records, do the following: first create the reverse-mapping zones on the NIOS appliance, then import the forward-mapping zone data. The appliance automatically converts the imported A records to host records in the forward-mapping zones and creates reverse host records in the reverse-mapping zones.

You also have the option of using the Data Import Wizard for loading DNS and DHCP data. For large data sets, this option is an efficient approach. To download the Data Import Wizard, visit www.infoblox.com/import/.

In this example, when you create the corpxyz.com forward-mapping zone, you import zone data for the existing corpxyz.com zone from the legacy server at 10.1.5.3. When you create the 1.1.1.0/24 reverse-mapping zone, you also import the reverse-mapping zone records from the legacy server. After the appliance has both the forward- and reverse-mapping zone data, it converts the A and PTR records to Infoblox host records.
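The host-record conversion described above depends on each A record having a PTR record that points back to the same name; an A record without one stays a plain A record. The following is an added example, not part of this guide or of NIOS, that models that pairing over constructed forward and reverse zone data for corpxyz.com so you can see before the import which records will and will not become host records. The record names other than ns1, www, mail, ftp and the 1.1.1.x addresses are assumptions, as is the one-line zone-file syntax (no TTL field).

```python
import ipaddress

# Constructed zone data standing in for what the import pulls from 10.1.5.3.
# ftp has no PTR record, so it is expected to remain a plain A record.
FORWARD_ZONE = """\
$ORIGIN corpxyz.com.
ns1    IN A     1.1.1.3
www    IN A     1.1.1.10
mail   IN A     1.1.1.11
ftp    IN A     1.1.1.12
web    IN CNAME www
"""

REVERSE_ZONE = """\
$ORIGIN 1.1.1.in-addr.arpa.
3   IN PTR ns1.corpxyz.com.
10  IN PTR www.corpxyz.com.
11  IN PTR mail.corpxyz.com.
"""

def parse_zone(text: str):
    """Yield (owner_fqdn, rtype, rdata) from a minimal $ORIGIN-style zone file
    whose records are 'owner IN TYPE rdata' on one line (no TTL field)."""
    origin = ''
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith('$ORIGIN'):
            origin = line.split()[1]
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        if not owner.endswith('.'):
            owner = f'{owner}.{origin}'          # qualify relative owner names
        yield owner, rtype, rdata

def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + '.'

def plan_import(forward: str, reverse: str):
    """Return (hosts, plain_a): an A record whose address has a PTR record
    naming the same owner becomes a host record; all other A records stay
    plain A records. CNAME and other types are left out of the decision."""
    ptrs = {o: r for o, t, r in parse_zone(reverse) if t == 'PTR'}
    hosts, plain_a = {}, {}
    for owner, rtype, rdata in parse_zone(forward):
        if rtype != 'A':
            continue
        if ptrs.get(ptr_name(rdata)) == owner:
            hosts[owner] = rdata
        else:
            plain_a[owner] = rdata
    return hosts, plain_a
```

With this data ns1.corpxyz.com (1.1.1.3) also becomes a host record, which is why the procedure later deletes it: after the cutover that address no longer belongs to ns1.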

Creating a Name Server Group

  1. Open an Internet browser window, enter https://10.1.5.2, and then log in to Grid Manager using the username admin and password SnD34n534.
  2. From the Data Management tab, select the DNS tab -> Name Server Groups tab, and then click the Add icon -> Name Server Group.
  3. In the Name Server Group wizard, complete the following:
    • Name: Enter corpxyz as the group name.
    • Name Servers: Click the Add icon -> Primary.
    • In the Add Primary section, Grid Manager displays the host name of the independent appliance. Click Add.
      Grid Manager adds the independent system as the primary server.
    • Click the Add icon -> External Secondary.
    • In the Add External Secondary section, complete the following:
      • Name: Enter ns2.corpxyz.com.
      • Address: Enter 2.2.2.2.
      • Stealth: Clear this checkbox.
      • Click Add. Grid Manager adds the external secondary to the name server group.
  4. Save the configuration and click Restart if it appears at the top of the screen.

Creating a Forward-Mapping Zone

Note

To import zone data, you must first create a zone and save it.


  1. To create an authoritative zone, from the Data Management tab, select the DNS tab -> Zones tab, and then click the Add icon -> Authoritative Zone.
  2. In the Add Authoritative Zone wizard, select Add an authoritative forward-mapping zone.
  3. Click Next and complete the following:
    • Name: Enter corpxyz.com.
    • Comment: Enter DNS zone.
  4. Click Next to assign a name server group to the zone.
  5. Click the Zones tab, select the corpxyz.com checkbox, and then click the Edit icon.
  6. In the Authoritative Zone editor, select the Name Servers tab, and then complete the following:
    • Use this name server group: Select this, and then select corpxyz from the drop-down list.
  7. Save the configuration and click Restart if it appears at the top of the screen.

Importing Zone Data

  1. To import zone data to the corpxyz.com zone that you created earlier, click the Zones tab, select the corpxyz.com checkbox, and then click Import Zone from the Toolbar.
  2. In the Import Zone editor, complete the following:
    • Address: Enter the IP address 10.1.5.3 of the DNS server from which you want to import zone data.
    • Create Hosts and Bulk Hosts during import: Select this option to allow the appliance to merge imported records into hosts and bulk hosts. If you do not select this option, then resource records are imported one-to-one with each DNS record from the imported zone producing a corresponding DNS record on the NIOS appliance.
      • Create PTR records for Hosts if necessary: Select this to create host records from the imported address records even if the corresponding PTR records, or the authoritative reverse zones that would contain them, do not exist. If you do not select this option, host records are created for imported address records only if a corresponding PTR record exists.
      • Create PTR records for Bulk Hosts if necessary: Select this to create bulk host records from the imported address records even if the corresponding PTR records, or the authoritative reverse zones that would contain them, do not exist. If you do not select this option, bulk host records are created for imported address records only if the corresponding PTR records exist.
  3. Click Import.
  4. After successfully importing the zone data, click corpxyz.com in the Zones tab.
    You can see all the imported forward-mapping zone data in the Records panel. Because you have not yet imported the reverse-mapping zone data, most of the records appear as A records.
  5. To import the reverse-mapping zone data, from the Zones tab, click the Add icon -> Authoritative Zone.
  6. In the Add Authoritative Zone wizard, select Add an authoritative IPv4 reverse-mapping zone.
  7. Click Next and complete the following:
    • IPv4 Network: Enter 1.1.1.0.
    • Netmask: Select 24 from the drop-down list.
    • Comment: Enter Reverse-mapping zone.
  8. Click Save & Close.
  9. To assign a name server group to the reverse-mapping zone, click the Zones tab, select the 1.1.1.in-addr.arpa checkbox, and then click the Edit icon.
  10. In the Authoritative Zone editor, select the Name Servers tab, and then complete the following:
    • Use this name server group: Select this, and then select corpxyz from the drop-down list.
  11. Click Save & Close.
  12. To import reverse-mapping zone data, click the Zones tab, select the corpxyz.com checkbox, and then click Import Zone from the Toolbar.
  13. In the Import Zone editor, complete the following:
    • Address: Enter the IP address 10.1.5.3 of the DNS server from which you want to import zone data.
  14. Click Import.
  15. After successfully importing the zone data, click 1.1.1.in-addr.arpa on the Zones tab. You can see all the imported reverse-mapping zone data in the Records panel.
  16. Click corpxyz.com in the Forward Mapping Zones list.
    Because you have now imported both the forward- and reverse-mapping zone data, most of the records appear as host records.
  17. Finally, you must remove the ns1 host record for the legacy server (value 1.1.1.3). To remove it, select the ns1 checkbox (the host record for 1.1.1.3), and then click the Delete icon.

Designating the New Primary on the Secondary Name Server (at the ISP Site)

In this example, the external secondary name server is maintained by an ISP, so you must contact your ISP administrator to change the IP address of the primary (or master) name server. (If you have administrative access to the secondary name server, you can make this change yourself.)

Because a firewall performing NAT exists between the secondary and primary name servers, specify the NAT address 1.1.1.2 for the primary name server instead of 10.1.5.2.

Secondary BIND Server

  1. Open the named.conf file in a text editor and, in the zone statement for corpxyz.com, set ns1 (using its NAT address 1.1.1.2, not 10.1.5.2) as the primary from which ns2 receives zone transfers.
  2. After editing the named.conf file, restart DNS service for the change to take effect.

Secondary Windows 2000/2003 Server

  1. Click Start -> All Programs -> Administrative Tools -> DNS.
  2. Click + (for ns2) -> + (for Forward Lookup Zones) -> corpxyz.com.
  3. Right-click corpxyz.com, and then select Properties -> General.
  4. On the General page in the corpxyz.com Properties dialog box, enter the following:
    • Zone file name: corpxyz.com.dns
    • IP address: Enter 1.1.1.2 and then click Add.
    • In the IP Address field, select 1.1.1.3 (the NAT IP address of the legacy DNS server), and then click Remove.
  5. To save the configuration and close the corpxyz.com Properties dialog box, click OK.

Configuring NAT and Policies on the Firewall

Change the NAT and policy settings on the firewall to allow bidirectional DNS traffic to and from ns1.corpxyz.com and NTP traffic from ns1.corpxyz.com to the NTP server at 10.120.3.10.

For example, enter the following commands on a Juniper firewall running ScreenOS 4.x or later:

set address dmz ns1 10.1.5.2/32
set address untrust ntp_server 10.120.3.10/32
set interface ethernet1 mip 1.1.1.2 host 10.1.5.2
set policy from dmz to untrust ns1 any dns permit
set policy from untrust to dmz any mip(1.1.1.2) dns permit
set policy from dmz to untrust ns1 ntp_server ntp permit

At this point, the new DNS server can take over DNS service from the legacy server. You can remove the legacy server and unset any firewall policies permitting traffic to and from 10.1.5.3.
