DNS queries and responses sent over port 53 without encryption are vulnerable to spoofing and eavesdropping. This issue is addressed in NIOS appliances that have DNS over TLS (Transport Layer Security) and DNS over HTTPS services enabled. These features encrypt DNS queries and responses to secure communication between a DNS server and a DNS client.

This topic details the requirements that NIOS appliances must meet to enable the DNS over TLS and DNS over HTTPS services and provides instructions for configuring them. The sections covered in this topic are as follows:

  • Licensing and Certificate Requirements
  • Base Configuration Requirements
  • Configuration Requirements if Parental Control is Enabled
  • Limitations and Recommendations for DNS over TLS and DNS over HTTPS
  • DNS over TLS
  • DNS over HTTPS

Licensing and Certificate Requirements

DNS over TLS and DNS over HTTPS require the vDCA (virtual DNS Cache Acceleration) or vADP (virtual Advanced DNS Protection) service to be licensed and enabled. If neither the vDCA nor the vADP service is enabled, the DNS over TLS and DNS over HTTPS features will not work even if they are enabled. For more information about vDCA and vADP, see Configuring DNS Cache Acceleration and About Infoblox Advanced DNS Protection respectively.

The DNS over TLS or the DNS over HTTPS service uses the same self-signed certificate that NIOS generates for HTTPS communication when it first starts. You can also generate a certificate signing request (CSR) and use it to obtain a signed certificate from your own trusted certificate authority (CA). For more information, see Generating Certificate Signing Requests.

The certificate is provisioned for each member. For more information about certificates, see Managing Certificates.

Note

NIOS generates a new self-signed certificate when the host name or the IP address of the member is changed or when a Grid Master Candidate is promoted. If the DNS over TLS or DNS over HTTPS feature is enabled on a member, then every time a new self-signed certificate, HTTPS certificate, or a CA certificate is generated, the DNS over TLS service or the DNS over HTTPS service (depending on which feature is enabled) automatically restarts to upload the new certificate.

Base Configuration Requirements

NIOS appliances must have the required base memory configuration to enable the DNS over TLS and the DNS over HTTPS features on their members. If the appliances do not meet the required criteria, the options to configure these features are not displayed in the Member DNS Properties editor. The following table lists the base configuration required for enabling these features:

| Memory Configuration | Total CPU | Total Virtual Memory in GB (With virtual Advanced DNS Protection only) | Total Virtual Memory in GB (With virtual DNS Cache Acceleration and virtual Advanced DNS Protection) | Maximum Number of Concurrent Sessions Supported | Grid Master Capable |
|---|---|---|---|---|---|
| Small recursive DNS (with acceleration) | 10 | 32 | 32 | For vDCA only: 120,000; for vADP only: 50,000; for vDCA and vADP: 120,000 | No |
| Medium recursive DNS (with acceleration) | 16 | 64 | 40 | For vDCA only: 150,000; for vADP only: 60,000; for vDCA and vADP: 150,000 | No |
| Large recursive DNS (with acceleration) | 26 | 80 | 50 | For vDCA only: 240,000; for vADP only: 80,000; for vDCA and vADP: 240,000 | No |

The following table lists the maximum number of concurrent sessions supported by different NIOS appliance models (physical and virtual). For information about CPU and memory requirements, see the 

| NIOS Appliance (Physical and Virtual) | Maximum Number of Concurrent Sessions Supported |
|---|---|
| IB-14x5 | For vADP only: 50,000 |
| IB-22x5 | For vDCA only: 150,000; for vADP only: 60,000; for vDCA and vADP: 150,000 |
| IB-40x5 | For vDCA only: 240,000; for vADP only: 80,000; for vDCA and vADP: 240,000 |

Note

In an HA setup, ensure that both the active and passive nodes have the memory configuration required to enable the DNS over TLS or the DNS over HTTPS feature. If you enable the feature on an active node that has the required memory footprint but the passive node does not, then in case of a failover, the DNS over TLS or the DNS over HTTPS service does not start on the new active node. Therefore, requests coming to the DNS over TLS or the DNS over HTTPS stream are not honored.

Configuration Requirements if Parental Control is Enabled

NIOS appliances require additional memory if you intend to run DNS over TLS and/or DNS over HTTPS along with the Parental Control features such as proxy RPZ passthru, DCA subscriber query count logging, and DCA subscriber allowed and blocked listing simultaneously. The following table lists the base configuration required for configuring these features simultaneously:

| Memory Configuration | Total CPU | Total Virtual Memory in GB (With virtual DNS Cache Acceleration only) | Total Virtual Memory in GB (With virtual DNS Cache Acceleration and virtual Advanced DNS Protection) | Maximum Number of Concurrent Sessions Supported | Grid Master Capable |
|---|---|---|---|---|---|
| Medium recursive DNS (with acceleration) | 16 | 64 | 64 | For vDCA only: 150,000; for vADP only: 60,000; for vDCA and vADP: 150,000 | No |
| Medium-Large recursive DNS (with acceleration) | 16 | 86 | 86 | For vDCA only: 150,000; for vADP only: 60,000; for vDCA and vADP: 150,000 | No |
| Large recursive DNS (with acceleration) | 26 | 100 | 100 | For vDCA only: 240,000; for vADP only: 80,000; for vDCA and vADP: 240,000 | No |

Note

If the NIOS appliance does not have the required base memory configuration and you try to enable and run DNS over TLS, DNS over HTTPS, and the Parental Control features simultaneously, all of these features are disabled.

Limitations and Recommendations for DNS over TLS and DNS over HTTPS

Consider the following limitations and recommendations when you enable the DNS over TLS and/or the DNS over HTTPS features:

  • If an appliance configured with DNS over TLS or DNS over HTTPS has both vDCA and vADP running, the configuration is set to the DCA-first mode.
  • Infoblox recommends that you manually set the maximum packet size of both the UDP buffer and the EDNS buffer to 4096 bytes. If the packet size exceeds 4096, packets are dropped by the DNS over TLS or the DNS over HTTPS server. For more information about setting buffer sizes, see Configuring the EDNS0 Buffer Size and UDP Buffer Size.
  • DNS over TLS and DNS over HTTPS features are not supported on unbound-based DNS servers.
  • When DNS over TLS or DNS over HTTPS is enabled, queries decrypted at DNS over TLS or DNS over HTTPS that do not receive a response from the vDCA cache are forwarded to the recursive DNS engine over UDP. Therefore, rules added for TCP requests over TLS or HTTPS may not be honored. Infoblox recommends that you add the corresponding UDP-specific rules instead of only the TCP request rules.
  • DNS over TLS only:
    • The TLS versions that are currently supported by NIOS are TLS 1.2 and TLS 1.3.
    • DNS over TLS supports queries and responses from both DNS and vDCA services.
    • DNS over TLS is not supported for recursive queries when performing upstream lookups.
    • DNS zone transfer requests over DNS over TLS are not supported.
    • EDNS0 padding for TSIG responses is not supported.
    • For DNS over TLS clients that use the systemd-resolved service, the certificate's Subject Alternative Name (SAN) must contain the IP address of the DNS service. By default, the self-signed certificates issued to Infoblox members do not meet this requirement. Therefore, for Infoblox to support systemd-resolved, you must install certificates from a trusted certificate authority that include the IP address of the DNS service as a SAN entry.
  • DNS over HTTPS only:
    • DNS over HTTPS is supported on the HTTP/2 protocol.
    • DNS over HTTPS is supported only if the NIOS appliance has an MGMT interface set up. The DNS over HTTPS module listens on port 443 for interfaces other than MGMT and any incoming UI request to the MGMT interface is bypassed directly to the host.
    • When DNS over HTTPS is enabled on a member, HTTP redirection from the member to its Grid Master is disabled.

DNS over TLS

NIOS appliances that support vDCA or vADP include the DNS over TLS capability that helps increase DNS security and privacy. When you enable the DNS over TLS feature, DNS traffic is encrypted through the TLS protocol to prevent eavesdropping and tampering of DNS data. This feature is supported on both recursive and authoritative DNS servers only through port 853. It is available only for Grid members and for standalone systems. It supports the processing of multiple DNS queries/responses over a single TLS session.

You can configure and run the DNS over TLS service on a member only when the following prerequisites are met:

  • Either the virtual DNS Cache Acceleration (vDCA) or the virtual Advanced DNS Protection (vADP) service is enabled.
  • The memory required to support the DNS over TLS feature is available. For more information, see Base Configuration Requirements.

Configuring DNS over TLS

To configure the DNS over TLS feature, complete the following steps:

  1. Grid member: On the Data Management tab, click the DNS tab -> Members tab, select the member check box, and then click the Edit icon.
    Standalone system: On the Data Management tab, click the DNS tab, expand the Toolbar, and then click System DNS Properties.
  2. In the Member DNS Properties editor/System DNS Properties editor, click Toggle Advanced Mode if the editor is in basic mode.
  3. On the Queries tab, select the Enable DoT Service check box to enable the DNS over TLS feature.

    Note

    The options for DNS over TLS feature are displayed only if the appliance has the memory footprint that is required to support the feature and has the vDCA or vADP license installed. For more information, see Base Configuration Requirements.

  4. In the Maximum Session Duration field, specify the maximum time in seconds a session can remain idle before it times out and closes. The default value is 60 seconds.
  5. Save the configuration.
  6. As prompted, manually restart the member to enable the DNS over TLS feature.

    Note

    The DNS over TLS feature will not take effect until you restart the member and ensure that either the vDCA or vADP service is running after the restart.

Supported Cipher Suites

The DNS over TLS feature supports all cipher suites supported for TLS 1.2 and TLS 1.3. For the list of cipher suites, refer to the following links:

CLI Support for DNS over TLS

You can view the status of the DNS over TLS service, configuration, and details of active sessions using the following commands:

DNS over HTTPS

NIOS appliances that support vDCA or vADP include the DNS over HTTPS capability that helps increase DNS security and privacy. When you enable the DNS over HTTPS feature, DNS traffic is encrypted through the HTTPS protocol to prevent eavesdropping and tampering of DNS data. This feature is supported on both recursive and authoritative DNS servers only through port 443. It is available only for Grid members and standalone systems. The feature supports the processing of multiple DNS queries/responses over a single TCP session.

You can configure and run the DNS over HTTPS service on a NIOS appliance only when the following prerequisites are met:

  • An MGMT interface is set up.
  • The memory required to support the DNS over HTTPS feature is available. For more information, see Base Configuration Requirements.
  • Either the virtual DNS Cache Acceleration (vDCA) or the virtual Advanced DNS Protection (vADP) service is enabled.
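The following is an added example (my own Python, not Infoblox code) of the wire formats these two services speak: a DNS query carrying an EDNS0 OPT record that advertises the 4096-byte buffer recommended under Limitations and Recommendations, the two-byte length framing that lets several queries share one DoT session on port 853, and the RFC 8484 GET and POST encodings for the https://<dns-server>/dns-query endpoint that the Firefox setup uses. Server names are placeholders; dot_query() is a live client and is the only function that touches the network.

```python
"""Wire formats for DNS over TLS (RFC 7858) and DNS over HTTPS (RFC 8484).

Added example, not NIOS code. Builds a query carrying an EDNS0 OPT record that
advertises a 4096-byte buffer, frames it for a DoT session on port 853, and
encodes it for a DoH GET or POST against https://<dns-server>/dns-query.
Server names used here are placeholders.
"""
import base64
import socket
import ssl
import struct

DOT_PORT = 853            # DNS over TLS (RFC 7858)
DOH_PATH = "/dns-query"   # DoH endpoint path used in the Firefox setup on this page
EDNS_BUFSIZE = 4096       # buffer size recommended on this page; larger packets are dropped
QTYPES = {"A": 1, "TXT": 16, "AAAA": 28}


def build_query(name, qtype="A", qid=0x1234, edns_bufsize=EDNS_BUFSIZE):
    """Encode a recursive query (RD=1) with one question and one OPT pseudo-record."""
    # Header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (the OPT RR is counted here)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", QTYPES[qtype], 1)  # QTYPE, QCLASS=IN
    # OPT RR (RFC 6891): root owner name, TYPE=41, CLASS carries the UDP payload
    # size the client accepts, TTL carries ext-RCODE/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header; QR is the top bit, RCODE the low nibble of flags."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": flags >> 15, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def dot_frame(msg):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length before each message."""
    return struct.pack("!H", len(msg)) + msg


def dot_unframe(stream):
    """Split bytes read from one TLS session into complete DNS messages.

    Several queries or responses share a single session, so one read may return
    more than one message; an incomplete trailing message is left for the next read.
    """
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs


def doh_get_url(server, msg):
    """RFC 8484 GET: base64url-encode the wire message and strip '=' padding."""
    param = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return "https://%s%s?dns=%s" % (server, DOH_PATH, param)


def doh_decode_param(param):
    """Inverse of the GET encoding (what the server side does with ?dns=...)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post_request(server, msg):
    """RFC 8484 POST over HTTP/2: pseudo-headers plus the raw wire message as body."""
    headers = {":method": "POST", ":scheme": "https", ":authority": server,
               ":path": DOH_PATH, "content-type": "application/dns-message",
               "accept": "application/dns-message", "content-length": str(len(msg))}
    return headers, msg


def dot_query(server, queries, cafile=None, timeout=5.0):
    """Send several queries over ONE TLS session to port 853 and collect the replies.

    Live network call, not exercised offline. The peer certificate is verified against
    the system CA store, or against cafile (for example the member's exported CA
    certificate). When server is an IP address, the certificate needs that IP as a SAN.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # NIOS supports TLS 1.2 and 1.3
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(b"".join(dot_frame(q) for q in queries))  # pipelined on one session
            buf, replies = b"", []
            while len(replies) < len(queries):
                chunk = tls.recv(65535)
                if not chunk:
                    break
                buf += chunk
                replies = dot_unframe(buf)
    return replies


if __name__ == "__main__":
    q = build_query("example.com", "A")
    print(dot_frame(q).hex())
    print(doh_get_url("dns.example.test", q))
```

Two points worth noting from the code: the OPT record's CLASS field is where the 4096-byte buffer size is advertised, so a client that wants the recommended limit sets it per query, and because DoT carries many messages per session the reader must reassemble on the length prefix rather than assume one message per recv(). The DoH POST is shown only as HTTP/2 headers and body because the standard library has no HTTP/2 client.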

Configuring DNS over HTTPS

To configure the DNS over HTTPS feature, complete the following steps:

  1. Grid member: On the Data Management tab, click the DNS tab -> Members tab, select the member check box, and then click the Edit icon.
    Standalone system: On the Data Management tab, click the DNS tab, expand the Toolbar, and then click System DNS Properties.
  2. In the Member DNS Properties editor/System DNS Properties editor, click Toggle Advanced Mode if the editor is in basic mode.
  3. On the Queries tab, select the Enable DoH Service check box to enable the DNS over HTTPS feature.

    Note

    The options for DNS over HTTPS feature are displayed only if the appliance has the memory footprint that is required to support the feature and has the vDCA or the vADP license installed. For more information, see Base Configuration Requirements.


  4. In the Maximum Session Duration field, specify the maximum time in seconds a session can remain idle before it times out and closes. The default value is 10 seconds.
  5. Save the configuration.
  6. As prompted, manually restart the member to enable the DNS over HTTPS feature.

    Note

    The DNS over HTTPS feature will not take effect unless you restart the member and ensure that either the vDCA or vADP service is running after the restart.

Configuring DNS over HTTPS in Firefox

If you are using the developer version of the Firefox browser to initiate DNS queries, you must configure additional settings in the browser to enable the DNS over HTTPS support. Complete the following steps in Firefox to enable DNS over HTTPS and upload certificates:

  1. In the Network Settings section, click Settings and complete the following steps to set the Grid IP address as the custom DNS over HTTPS server:
    1. In the Connection Settings dialog box select the Enable DNS over HTTPS check box.
    2. From the Use Provider drop-down list, choose Custom.
    3. In the Custom field, enter the Grid IP address in the format:
      https://<dns-server>/dns-query
  2. Set the network.trr.mode preference in the configuration editor as follows:
    1. Enter about:config in the Firefox address bar.
    2. Click Accept the Risk and Continue to open the configuration editor.
    3. Search for network.trr.mode.
    4. Click the Edit icon and set the value to 3.
  3. If you are using a self-signed certificate, complete the following:
    1. From the address bar, open https://<doh_server_IP>.
    2. Accept the certificate.
  4. If you are using a CA certificate, complete the following:
    1. Go to Preferences/Options -> Privacy and Security -> View Certificates -> Authorities -> Import.
    2. Choose the certificate.
    3. When prompted, select the Trust this CA to identify websites check box, and restart the browser.

Note

For a member with vDCA running and the DNS over HTTPS feature enabled, if you use the developer version of the Firefox browser (configured for DNS over HTTPS support) to initiate DNS queries, you must set the network.trr.disable-ECS preference in the configuration editor (about:config) to false for DNS data to be cached. DNS caching does not work if network.trr.disable-ECS is set to true.

Supported Cipher Suites

Supported cipher suites for the DNS over HTTPS feature are as follows:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
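Added example (my own Python, not NIOS code) that pins a client to the suite list above, requires TLS 1.2 or later, and checks a peer certificate for the IP address SAN that the systemd-resolved note under Limitations and Recommendations calls for. The two certificate dicts are constructed samples in the shape that ssl.SSLSocket.getpeercert() returns; the host names and the address 192.0.2.53 are placeholders.

```python
"""TLS client checks for a NIOS DoT/DoH endpoint. Added example, not NIOS code.

Pins the client to the cipher suites listed on this page, requires TLS 1.2 or
later, and checks a peer certificate for the IP SAN that systemd-resolved needs.
The certificate dicts at the bottom are constructed samples in the shape that
ssl.SSLSocket.getpeercert() returns; names and addresses are placeholders.
"""
import ipaddress
import ssl

# Cipher suites listed on this page for DNS over HTTPS (OpenSSL names)
DOH_CIPHER_SUITES = [
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
]


def make_client_context(cafile=None):
    """Client context that offers only the suites above for TLS 1.2.

    TLS 1.3 suites are governed separately by OpenSSL (set_ciphers does not touch
    them), which is why offered_tls12_suites() filters on protocol.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # verifies the server certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(DOH_CIPHER_SUITES))
    return ctx


def offered_tls12_suites(ctx):
    """Names of the TLS 1.2 suites the local OpenSSL will actually offer from this context."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def has_ip_san(cert, ip):
    """True if the certificate's subjectAltName lists ip as an 'IP Address' entry.

    A DoT server configured by IP address is validated against the IP SAN, so a
    certificate that carries only a CN or DNS SAN fails that check.
    """
    wanted = ipaddress.ip_address(ip)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address" and ipaddress.ip_address(value) == wanted:
            return True
    return False


# Constructed sample: a certificate with no IP address SAN (fails the systemd-resolved check)
SELF_SIGNED_NO_IP_SAN = {
    "subject": ((("commonName", "member.example.test"),),),
    "subjectAltName": (("DNS", "member.example.test"),),
}
# Constructed sample: a CA-issued certificate carrying the DNS service IP as a SAN
CA_ISSUED_WITH_IP_SAN = {
    "subject": ((("commonName", "dns.example.test"),),),
    "subjectAltName": (("DNS", "dns.example.test"), ("IP Address", "192.0.2.53")),
}

if __name__ == "__main__":
    ctx = make_client_context()
    print("TLS 1.2 suites offered:", offered_tls12_suites(ctx))
    for label, cert in (("no IP SAN", SELF_SIGNED_NO_IP_SAN),
                        ("IP SAN", CA_ISSUED_WITH_IP_SAN)):
        print(label, "matches 192.0.2.53:", has_ip_san(cert, "192.0.2.53"))
```

When the context from make_client_context() wraps a socket with server_hostname set to the member's IP address, Python's default verification applies the same IP SAN rule as has_ip_san(), so a connection to a member that still has its default self-signed certificate fails verification until a certificate with the IP SAN is installed and its CA is passed as cafile.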

CLI Support for DNS over HTTPS

You can view the status of the DNS over HTTPS service, configuration, and details of active sessions using the following commands:
