Infoblox Subscriber Services is a scalable, enterprise-grade solution that provides visibility into subscriber activities and complete filtering capabilities by combining advanced DNS services with subscriber identification, threat protection policies, and MSP (Multi-Service Proxy). The Infoblox Subscriber Services solution includes the following:

  • Infoblox Subscriber Insight - Infoblox Subscriber Insight automates the process of identifying infected subscriber devices that are trying to connect to malicious domains. This solution augments the malware incident logs with the subscriber identity information received via RADIUS accounting messages and generates a report to display RPZ violations per subscriber ID. You can also identify subscribers who access specific domains for purposes other than security.
  • Infoblox Subscriber Policy Enforcement - Infoblox Subscriber Policy Enforcement enables the selection of applicable policies for the subscriber. Policies are any combinations of RPZs. You can use this product to create value-added service plans or packages for different subscribers.
  • Infoblox Subscriber Parental Control - Infoblox Subscriber Parental Control enables subscribers to manage Internet access and content for their mobility devices, houses, families, or corporations. Subscribers can restrict or allow access to content based on content categories and domains.

Note

When you define an access control list (ACL) for allow_query or match_clients, Infoblox recommends that you add the "169.254.252.12" and "FC::3" addresses to the ACL as allow-list entries to support the Pre-fetch parental control policy. This is mandatory when a subscriber service policy is enabled.
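The following added example (not Infoblox code) checks whether an ordered ACL still permits the two addresses named in the note. It assumes the ACL is available as an ordered list of (action, network) pairs evaluated first-match, as BIND address match lists are, with unmatched addresses denied; the sample ACLs and function names are constructed for illustration.

```python
import ipaddress

# Addresses the note above says must be allow-listed.
REQUIRED = ("169.254.252.12", "FC::3")

def first_match(acl, address):
    """Return 'allow' or 'deny' for address under ordered first-match
    evaluation (assumed semantics); no matching entry means deny."""
    ip = ipaddress.ip_address(address)
    for action, network in acl:
        if network == "any":
            return action
        net = ipaddress.ip_network(network, strict=False)
        if ip.version == net.version and ip in net:
            return action
    return "deny"

def missing_prefetch_entries(acl):
    """List the required addresses that the ACL does not end up allowing."""
    return [a for a in REQUIRED if first_match(acl, a) != "allow"]

# Constructed sample: a broad link-local deny shadows the IPv4 allow,
# and the IPv6 address was never added.
ACL_BROKEN = [
    ("deny", "169.254.0.0/16"),
    ("allow", "169.254.252.12"),
    ("allow", "10.0.0.0/8"),
]

# Constructed sample: both required addresses listed ahead of the deny.
ACL_FIXED = [
    ("allow", "169.254.252.12"),
    ("allow", "FC::3"),
    ("deny", "169.254.0.0/16"),
    ("allow", "10.0.0.0/8"),
]

if __name__ == "__main__":
    for name, acl in (("broken", ACL_BROKEN), ("fixed", ACL_FIXED)):
        print(name, "missing:", missing_prefetch_entries(acl))
```

The broken sample shows the case a plain "is the address present" search would miss: the entry exists but an earlier, broader deny matches first.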

Limitations of Multi-Service Proxy

  • Every 20 seconds, the Multi-Service Proxy closes the TCP idle connection as a security feature.
  • When the client connection status is displayed as connected to a Multi-Service Proxy, the PXY_ALL responses are from DNS Cache Acceleration. When the client connection status is displayed as disconnected, the first PROXY-ALL request is sent to the BIND server and all subsequent requests (< 20 seconds idle time) are from DNS Cache Acceleration. To check the PXY-ALL status, use the fp-cli fp ib_dca get pxyall_hash_stat CLI command.
  • If the subscriber secure site has at least one IPv6 Multi-Service Proxy, then the principal proxy address at DNS Cache Acceleration will always be an IPv6 address. This is due to IPv6 address rotation occurring first, followed by IPv4 address rotation, for proxy-cname in getaddrinfo.
  • Subscribers are not allowed to use an IPv6 Multi-Service Proxy until the start of the next RADIUS session allocation. 
  • A maximum of eight Multi-Service Proxies are supported by virtual DNS Cache Acceleration for a subscriber site.

This section includes the following topics: