The NIOS 8.5 release includes the following new features and enhancements:
Displaying the Correct Cloud Platform Types (RFE-11596)
The Grid Manager > Members tab now displays two new columns: Host Platform and Hypervisor. These columns respectively display the platform or the virtual platform on which NIOS is running and the hypervisor of the appliance.
The values of the host platform and hypervisor are also displayed in the output of the show hardware-type CLI command.
For information about the command, see the show hardware-type topic.
IPv6 Support for Subscriber Services (RFE-10975)
Subscriber services now support IPv6 address types. You can now run subscriber services and send RADIUS message communication on IPv4, IPv6, and dual-mode (IPv4+IPv6) devices. NIOS now also supports proxy API calls and expire profile API calls over IPv6 to MSPs and SPMs respectively. However, the MSP/SPM in version 220.127.116.11 do not yet support IPv6.
Support for SafeNet Luna SA 7 (RFE-10477)
NIOS now supports SafeNet Luna SA 7 devices.
DHCPv6 Option Filters (RFE-9401)
You can now configure DHCPv6 option filters using the Data Management > DHCP > Filters > IPv6 Option Filter option. The Filters tab now displays the filter type, and you can associate DHCPv6 option filters with the following IPv6 objects: IPv6 network, IPv6 range, IPv6 network container, IPv6 shared network, IPv6 fixed address, IPv6 network template, IPv6 range template, IPv6 fixed address template, Grid DHCP properties, and Member DHCP properties.
For more information, see the Configuring Option Filters topic.
NAC Authentication Messages in Syslog (RFE-10028)
Network Access Control or RADIUS messages related to DHCP authentication are now part of syslog logging.
Bypass Subscriber Services (RFE-10709)
This release of NIOS introduces the following new commands to stop subscriber services and parental control for incoming DNS queries, thus bypassing subscriber service policies:
set subscriber_secure_data bypass: Configures the bypass of subscriber service policies on all members of each site in the Grid, or on a local member.
show subscriber_secure_data bypass: Allows you to view the status of the subscriber data bypass for all members of each site on the Grid, or a local member.
The existing CLI commands have been redesigned and their old parameters replaced with new ones. For more information about the syntax, arguments, and examples of these commands, see the set subscriber_secure_data bypass and the show subscriber_secure_data bypass topics.
Multi-Grid Master and Sub Grid Synchronization (RFE-7653)
You can now configure the way in which the Multi-Grid Master gathers updates from its connected sub Grids. You can choose the communication mode of the Master Grid to be either sub Grid initiated or MGM initiated. If you choose sub Grid initiated, synchronization takes place from the sub Grid to the Multi-Grid Master. If you choose MGM initiated, synchronization still takes place from the sub Grid to the Multi-Grid Master, but the synchronization process is triggered by the MGM.
For more information about the communication modes, see the Multi-Grid Manager Administrator Guide at https://docs.infoblox.com.
Allow Query Domain ACL (RFE-6181)
You can now add, update, or delete an allow query domain ACL for the domain of a DNS view. Allow query domain is an ACL that allows or denies a client request for query access to a domain. The following new CLI commands have been introduced:
set allow_query_domain: Adds, updates, or deletes an allow query domain ACL for the domain of a DNS view.
show allow_query_domain: Displays the list of all domain names in the DNS view specified or its default DNS view.
show allow_query_domain_views: Displays the list of DNS views that have allow query domain ACLs configured.
For more information about the syntax, arguments, and examples of these commands, see the set allow_query_domain, show allow_query_domain, and show allow_query_domain_views topics in the NIOS 8.5 online documentation.
Defining the NTP Orphan Mode (RFE-11096)
Grid members including the Grid Master can now function as NTP servers to clients if NTP is enabled on the Grid. You can even configure a stratum value that enables Grid members to continue serving NTP uninterruptedly using the disconnected NTP service in the absence of external NTP servers. This mode is called the orphan mode. When the external NTP servers are reachable again, the Grid connects to the server to serve NTP and derive the NTP stratum values and automatically switches to the connected mode.
For more information about the orphan mode, see the Configuring the Orphan Mode and the Using NTP for Time Settings topics in the NIOS 8.5 online documentation.
vNIOS for Red Hat OpenShift (RFE-10707)
vNIOS is now supported on the Red Hat OpenShift platform. For more information, see the Infoblox Installation Guide vNIOS for Red Hat OpenShift at https://docs.infoblox.com.
Deploying Multiple NIOS Instances on Microsoft Azure (RFE-8690)
You can now upload and deploy multiple NIOS instances on Microsoft Azure using a single resource group. For more information, see the Infoblox Installation Guide vNIOS for Microsoft Azure at https://docs.infoblox.com.
Microsoft Server 2019 Support (RFE-10227)
NIOS 8.5.3 is supported on Microsoft Windows Server 2019.
DNS Over HTTPS (RFE-9826)
You can now avoid DNS query spoofing and eavesdropping by using the newly introduced DNS over HTTPS service. When you enable the DNS over HTTPS feature, DNS traffic is encrypted through the HTTPS protocol to prevent eavesdropping and tampering with DNS data. You can enable this feature by selecting the Enable DoH Service checkbox. This checkbox is present in the Member DNS Properties editor, Toggle Advanced Mode > Queries tab.
You can also view the status, configuration, and details of the DNS over HTTPS service by using the following new commands:
show doh-status: Displays the status of the DNS over HTTPS service.
show doh-config: Displays the DNS over HTTPS configuration and includes DNS over HTTPS servers that are listening on port 443.
show doh-stats: Displays statistics such as active HTTPS sessions and number of queries or responses received or sent over HTTPS.
For detailed information about the appliances that support DNS over HTTPS, limitations, and configuration, see Configuring DNS over TLS and DNS over HTTPS Services. For information about the commands, see the show doh-status, show doh-config, and show doh-stats topics.
DNS Over TLS (RFE-6979)
NIOS appliances that support vDCA or vADP now include the DNS over TLS capability, which helps increase DNS security and privacy. When you enable the DNS over TLS feature, DNS traffic is encrypted through the TLS protocol to prevent eavesdropping and tampering with DNS data. You can enable this feature by selecting the Enable DoT Service checkbox. This checkbox is present in the Member DNS Properties editor, Toggle Advanced Mode > Queries tab.
You can also view the status, configuration, and details of the DNS over TLS service by using the following new commands:
show dns-over-tls-status: Displays the status of the DNS over TLS service.
show dns-over-tls-config: Displays the DNS over TLS configuration and includes DNS over TLS servers that are listening on port 853.
show dns-over-tls-stats: Displays statistics such as active TLS sessions and number of queries or responses received or sent over TLS.
For detailed information about the appliances that support DNS over TLS, limitations, and configuration, see Configuring DNS over TLS and DNS over HTTPS Services. For information about the commands, see the show dns-over-tls-status, show dns-over-tls-config, and show dns-over-tls-stats topics.
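The two sections above describe DoH (port 443) and DoT (port 853) only at the level of a checkbox and three show commands. The following is an added example, not NIOS code and not from Infoblox documentation, showing what an operator can use to confirm from a client that an encrypted listener actually answers: it builds a DNS query by hand, frames it the way RFC 7858 requires for DoT (a two-octet length prefix over TLS) and the way RFC 8484 requires for a DoH GET (base64url in the dns parameter), and parses the reply with certificate verification left on, since an unverified TLS session stops passive eavesdropping but not an on-path impostor. The sample response bytes are constructed inline so the parsing path runs offline; the member name dns-member.example.net in the usage block is a hypothetical placeholder.

```python
"""Client-side check of a DNS over TLS / DNS over HTTPS listener (added example)."""
import base64
import random
import socket
import ssl
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query message (RFC 1035 wire format) for name/qtype."""
    # header: id, flags (RD=1 only), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype, class IN


def frame_for_dot(msg: bytes) -> bytes:
    """DoT (RFC 7858) reuses DNS-over-TCP framing: two-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_dot(buf: bytes) -> bytes:
    """Strip the two-octet length prefix, refusing truncated frames."""
    (length,) = struct.unpack("!H", buf[:2])
    body = buf[2:2 + length]
    if len(body) != length:
        raise ValueError("short DoT frame")
    return body


def doh_get_path(msg: bytes) -> str:
    """DoH (RFC 8484) GET: the wire message base64url-encoded, padding removed."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + encoded


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two octets end the name
            return off + 2
        off += 1 + ln


def parse_a_answers(msg: bytes, expected_txid: int) -> list:
    """Return the IPv4 addresses in the answer section; reject id mismatch or RCODE != 0."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + qtype + qclass
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed sample reply to build_query("example.com", txid=0x1234):
# one A record (RFC 5737 documentation address) using a compression pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)


def query_over_dot(server: str, name: str, port: int = 853, timeout: float = 5.0) -> list:
    """Send one A query to a DoT listener and return the addresses it answers with."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check by default
    txid = random.getrandbits(16)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_for_dot(build_query(name, txid=txid)))
            (length,) = struct.unpack("!H", tls.recv(2))
            body = b""
            while len(body) < length:  # TLS records may split the DNS message
                chunk = tls.recv(length - len(body))
                if not chunk:
                    raise ConnectionError("connection closed mid-message")
                body += chunk
    return parse_a_answers(body, txid)


if __name__ == "__main__":
    # dns-member.example.net is a hypothetical placeholder for a NIOS member with DoT enabled.
    print(query_over_dot("dns-member.example.net", "example.com"))
```

The offline functions are the ones worth reusing in monitoring: a DoT probe that only checks that port 853 accepts a TLS handshake misses a listener that handshakes but never answers, so the probe should assert on a parsed answer, and on the transaction id matching, as above. For DoH the same wire message goes in the GET path or in a POST body with Content-Type application/dns-message.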
Proxying RPZ Passthru Rules (RFE-9982)
You can now proxy RPZ passthru rules for parental control through a configured MSP (Multi-Services Proxy) server by selecting the newly introduced Proxy RPZ Passthru checkbox. If you select this checkbox and a passthru rule from any RPZ zone is hit, the query resolves to an MSP proxy virtual IP address and NIOS generates a "synthetic resolution". If you do not select this checkbox, the query resolves normally.
For more information, see Scaling Using Subscriber Sites.
Changing the Default Password During the First Login for Standalone AWS Members (RFE-10280)
For an AWS standalone member, NIOS now displays the New Password and Retype Password fields when you log in for the first time. You must change the default password. For more information, see Logging on to the NIOS UI.
Key Pair Authentication for CLI Access (RFE-7968)
To prevent CLI login failures after upgrading, you will need to enable Use AWS SSH authentication keys for each user that needs CLI access to AWS appliances. When you select the Use AWS SSH authentication keys option, you can either select the Key pair option to gain access to the CLI without entering a password or the Key pair + password option to gain access after entering a password and uploading the SSH public key. You can upload the public key using the Manage SSH Public Keys field. For more information, see Creating Local Admins.
vNIOS Support for Oracle Cloud Infrastructure (RFE-10643)
You can now deploy the NIOS virtual appliance on Oracle Cloud Infrastructure. You can deploy an Infoblox vNIOS for Oracle Cloud Infrastructure instance as a virtual cloud member tied to an on-premise (non-cloud) NIOS Grid. The NIOS virtual appliance for Oracle Cloud Infrastructure functions as a hardware virtual machine guest on the Linux system. For more information about vNIOS for Oracle Cloud Infrastructure, see the Infoblox vNIOS for Oracle Cloud Infrastructure Installation Guide at docs.infoblox.com.
vNIOS for AWS Support for IB-V4025 (RFE-10374)
You can now deploy vNIOS for AWS instances with IPv4 and IPv6 addresses. However, Infoblox provides support for IPv6 network connectivity only on the IB-V4025 appliance.
Service-Level Black and White Lists (RFE-9981)
The allowed and blocked listing feature allows you to specify well-known names (for example, “linkedin” or “netflix”) for well-known domain names. For information about the rules that are applied if a dotless name is specified in the allowed list or blocked list, see Scaling Using Subscriber Sites.
Enabling Parental Control Subscriber Policies Through DNS Cache Acceleration (RFE-9980)
This release of NIOS introduces parental control at DNS Cache Acceleration using cached domain and subscriber data. To this effect, the following new checkboxes on the Parental Control > Advanced tab have been introduced:
- Enable DCA subscriber Query count logging: Select this checkbox to use DNS Cache Acceleration to generate subscriber logs and to record query counts greater than or equal to zero.
- Enable DCA subscriber Allowed & Blocked list support: Select this checkbox to use DNS Cache Acceleration to provide the blocked and allowed list of subscribers.
The following new CLI commands have been introduced:
show subscriber_secure_data bypass: Allows you to view the status of the subscriber data bypass for a member.
set subscriber_secure_data bypass: Bypasses subscriber service policies at the local cache and DNS Cache Acceleration (when available).
show subscriber_secure_data garbage_collect: Displays the status of garbage collection for the specific member.
set subscriber_secure_data garbage_collect: Designates the specific member for the garbage collection service.
A new report called Query Count Details by Subscriber ID is generated at every DNS Cache Acceleration subscriber cache update. It is based on the query counter per subscriber ID.
For more information about these checkboxes, see the Scaling Using Subscriber Sites. For more information about the CLI commands, see the show subscriber_secure_data bypass, set subscriber_secure_data bypass, show subscriber_secure_data garbage_collect and set subscriber_secure_data garbage_collect topics.
Extensible Attribute Support for VLAN and DNS Objects (RFE-10056)
This release of NIOS introduces the following extensible attribute inheritance chain:
Network View > Network Container > Network > Range > (including response policy) > Host/Fixed Address/Reservation. A parent object can have descendants at one or more levels. For example, a network view, network container, network, DHCP range, DNS view, DNS zone, VLAN view, VLAN range can be a parent object and have descendants at one or more levels, while a host, fixed address, and reservation can only be a descendant, not a parent. For more information, see Managing Extensible Attributes.
Enabling and Disabling the FIPS Mode
You can now enable or disable the FIPS mode in NIOS. You can enable or disable the FIPS mode on a Grid Master, a standalone system, or on the active Grid Master node in an HA setup. In an HA setup, you can set the FIPS mode only on the standalone Grid Master node and then form an HA pair. You cannot change the setting on the HA Grid Master or HA Grid member. For more information, see Enabling/Disabling the FIPS Mode.
New CLI Commands to Set DNS and Anycast Start and Restart (RFE-10176)
This release of NIOS introduces the following commands:
set restart_anycast_with_dns_restart: Sets the DNS and anycast start and restart sequences. This command brings down the anycast service during the DNS restart, so that traffic to the anycast IP address stops being attracted to this member and is redirected to another site. You can use this command only on the Grid Master.
show restart_anycast_with_dns_restart: Displays the status of the
Enabling DDNS Updates from IPv6-Only DHCP Members (RFE-5118)
You can now enable DDNS updates from IPv6-Only DHCP members.
Caching Threat Category Information from the Cloud Services Portal (RFE-9249)
You can configure the Cloud Services Portal and schedule the entire threat indicator database download from the Cloud Services Portal. The threat category information is then sent to the reporting server to augment RPZ hits and reports are generated. Caching threat category information from the Cloud Services Portal helps enhance the performance of threat reports as data is fetched from the cache that is stored locally.
You can also download incremental updates from the threat indicators of the Cloud Services Portal. The incremental threat indicator is downloaded only after the whole threat indicator is downloaded from the Cloud Services Portal.
You can configure threat indicator caching by using the Threat Indicator Caching > Basic tab in the Grid Reporting Properties editor. For more information, see Grid Reporting Properties.
New Supported Cisco ISE Version
NIOS now supports the integration of Cisco ISE versions 2.6 and 2.7. For information about integrating NIOS with Cisco ISE, see Cisco ISE Integration.
Additional Validation on Host Names (RFE-7507)
You can now enable or disable additional validation on host names when creating zones, subzones, and records of type A, AAAA, host record, ALIAS, CAA, MX, and NS. The following new CLI commands have been introduced to enable or disable the additional validation:
set extra_dns_name_validations: Enables or disables additional DNS name validation.
show extra_dns_name_validations: Displays the status of the additional DNS name validation.
High Performance Query Logging (RFE-7747)
You can now use the dnstap log format to achieve performance query logging. NIOS logs all valid DNS queries and responses that are not dropped by Advanced DNS Protection. You can configure high performance query logging by using the Logging tab in the Grid DNS Properties or Member DNS Properties editor.
The following new commands have been introduced to configure the use of dnstap:
set enable_dnstap: Enables or disables using dnstap to log DNS queries and responses.
show dnstap-status: Displays the status of the dnstap configuration.
show dnstap-stats: Displays the statistics of the dnstap configuration.
For information about configuring high performance query logging, see the Capturing DNS Queries and Responses topic. For information about the new commands, see the set enable_dnstap, show dnstap-status, and show dnstap-stats topics.
Support for More Intel NICs (RFE-8677)
NIOS now supports SR-IOV Virtual Function drivers for Intel® Ethernet Controller XL710 and Intel® Ethernet Network Adapter XXV710 NICs. These NICs are supported on KVM platforms.
Configuring the edns-udp-size and max-udp-size Attributes (RFE-4795)
You can now configure the edns-udp-size and max-udp-size attributes by entering byte values in the EDNS0 Buffer Size and UDP Buffer Size fields in the Grid DNS Properties/Member DNS Properties/DNS View > General > Advanced tab. The minimum and maximum values of both attributes are 512 and 4096 bytes respectively. By default, the buffer size is set to 1220 bytes. For information about configuring these attributes, see the Using Extension Mechanisms for DNS (EDNS0) topic.
Configuring Root Name Server Inheritance (RFE-10347)
You now have the option to configure whether customized root name servers must apply only to the default DNS view or to all DNS views. You can do this using the Applies to default DNS view only and the Applies to all DNS views on this member options in Member DNS Properties > Root Name Servers > Basic tab. For more information, see About Root Name Servers.
Capturing CSV Errors After NetMRI Synchronization (RFE-9097)
After an IPAM synchronization in NetMRI, CSV import errors, if any, are now logged in a separate file named discovery_csv_error.log.xxxxxx located at /infoblox/var/discovery_csv_error.
Collecting NIOS Database Performance Data (RFE-9550)
You can now download Ptop log files that comprise database metrics, which you can use to determine the health of the NIOS database and baseline its performance. Based on the database performance, you can ascertain the impact on the database of changes such as adding a Grid member or enabling features such as Grid replication for DNS zones or multi-master DNS. You can download the Ptop log files by using a WAPI call. For more information, see the Collecting Database Performance Data topic.
Adding TLSA Records in Unsigned Zones (RFE-10324)
You can now add TLSA records in both DNSSEC-signed and unsigned zones. For more information, see TLSA Records.
Infoblox Customer Experience Improvement Program
The Infoblox Customer Experience Improvement Program is an alert feature that sends encrypted network infrastructure and product usage data to Infoblox on a periodic basis. Infoblox uses this data to improve product functionality and to provide better customer service.
The Infoblox Customer Experience Improvement Program screen is displayed only when you log in for the first time. You can choose whether or not you want to participate in the program. For more information on configuring the Infoblox Customer Experience Improvement Program, see Configuring the Customer Experience Improvement Program.
vDCA Support on 22x5 and 40x5 Appliances (RFE-9242)
vDCA is now supported on the IB-2215, IB-2225, IB-V2215, IB-V2225, IB-4015, IB-4025, IB-V4015, and IB-V4025 appliances. For more information, see Configuring DNS Cache Acceleration.
CSV Import for Subscriber Records (RFE-8672)
You can now import subscriber site data by using the CSV Import option and export subscriber site data by using the CSV Export option. However, you cannot perform merge, custom, and replace operations for subscriber records. For information about supported object types for subscriber records and their corresponding fields for CSV import and export, see Subscriber Record.
You can also add, update, and delete subscriber records using NIOS APIs. For more information, see the NIOS WAPI documentation.
Scalable Installer Image on IB-FLEX (RFE-7533)
The NIOS 8.5 installer image files are available in the following two variants:
- Default image files of size 250 GB
- Resizable files of size 68 GB. You can resize these images depending on your requirements and deployment. You can resize up to a maximum of 2.5 terabytes.
vNIOS Support on Nutanix AHV (RFE-7970)
vNIOS is now supported on the Nutanix AHV platform. For more information, see the About Infoblox vNIOS for Nutanix AHV documentation.
Infoblox IPAM Driver for Terraform (RFE-7614)
NIOS is now supported on Infoblox IPAM Driver for Terraform version 1.0. For installation details, see the docs.infoblox.com documentation.
Splunk Upgrade (RFE-9484)
NIOS 8.5 now works with the upgraded Splunk version 7.2.6.
DHCP Support for Subscriber Policy (RFE-8538)
You can now use extensible attributes to populate the subscriber cache with subscriber policies. Fixed addresses, reserved addresses and networks can use extensible attributes to add a subscriber policy during creation and remove the subscriber policy when they are removed. Supported extensible attributes are Subscriber-Secure-Policy, Parental-Control-Policy, PC-Category-Policy, User-Name, Proxy-All, Black-List and White-List. The DHCP member serving subscriber services must belong to a single subscriber secure site. This feature is not supported when the Allow NATed Subscribers only option is enabled in the subscriber site.
New Dashboard Reports
This release of NIOS introduces the following new reports:
- DNS QPS Usage Report: Displays the five-day rolling average of the total peak DNS queries per second calculated for all Grid members.
- IP Address Usage Report: Displays the five-day rolling average of peak values of the total count of IP addresses aggregated across all networks in the Grid.
- DHCP LPS Usage Report: Displays the five-day rolling average of the total peak DHCP leases per second calculated for all Grid members.
Configuring LAN1/LAN2 for Automated Failover (RFE-9114)
LAN1 and LAN2 interfaces both support DNS recursion in such a way that if the default route interface goes down, the route redundancy feature removes the failed interface so that there is automatic failover of recursion traffic. This provides for a seamless flow of recursive traffic movement.
You can configure automated failover by selecting the Enable default route redundancy on LAN1/LAN2 checkbox on the Network tab of the Grid Member Properties editor. For more information, see Using the LAN2 Port.
New Match Rule Filters for Outbound ObjectChange Events
This release of NIOS introduces two new rule filters in the Match the following rule section when you add notification rules. The new filters are Username and Usergroup. These filters are applicable only to ObjectChange events.
New Cisco ISE Endpoint (RFE-9236)
You can now add a Cisco ISE endpoint using the Add Cisco ISE Endpoint option. For more information, see Configuring Cisco ISE Endpoints.
HA Support for Outbound Notifications
NIOS now provides HA support and performs a failover to a standby node without loss of data when a large number of Outbound events are triggered.
Support for Bulk CSV Operations (RFE-8789)
NIOS 8.5 supports bulk CSV operations for heavy loads of DBChange objects.
Testing the Grid Master Candidate Connection Before Promotion (RFE-1737)
You can now test the connection and also schedule a test connection of the Grid Master Candidate with the other Grid members before promoting it to Grid Master. You can do this either by using the GMC Promote Test option in the Grid Manager or by using the NIOS CLI. The following new commands have been introduced to test the connection:
show test_promote_master: Enables you to view the results of the test promotion of a Grid Master Candidate to Grid Master.
set test_promote_master: Enables you to check whether the Grid Master Candidate is connected to the rest of the Grid members.
You need the new ADP ruleset version to use this feature. For information about the GMC Test option, see Managing a Grid. For information about the CLI commands, see the show test_promote_master and the set test_promote_master commands.
SSH CLI Access to Non Super Users (RFE-504)
Super users can now give SSH and CLI access to non-super users by selecting the CLI option in the Allowed Interfaces section of Admin Group Wizard. For more information, see About Admin Groups.
Faster Refresh Rates for DTC Status Updates (RFE-6258)
DTC status updates are now refreshed every 10 seconds compared to the earlier refresh rate of 2 minutes. Therefore, you can now see the latest DTC update every 10 seconds.
Selecting NOERROR/NODATA or NXDOMAIN as a Response (RFE-7113)
You can now select NOERROR/NODATA or NXDOMAIN as a Destination/Response option when configuring a topology ruleset for destination types other than pools or servers. For more information, see Configuring Topology Rules and Rulesets.
Increase in the DNS Traffic Control Scale (RFE-8771)
DNS Traffic Control is now more scalable and supports a larger number of DTC objects and health monitors.
Increase in the DNS Traffic Control Persistency (RFE-9170)
You can now enter a value up to 2 hours in the Persistence field of the DTC LBDN wizard. This has been increased from the maximum persistence value of 30 minutes in earlier releases.
DNS Forwarding Proxy as a Service (RFE-9137)
DNS Forwarding Proxy is now a NIOS service called DFP and it automatically handles DNS query forwarding. You can start and stop the DFP service just like other NIOS services. You can configure the connection between NIOS and BloxOne Threat Defense Cloud Services Portal by using the new CSP Config tab in Grid Properties Editor or Grid Member Properties Editor. For more information, see Using Forwarders.
Discovery of SDN and SD-WAN Devices
You can now discover SDN and SD-WAN devices from Cisco ACI and Cisco Meraki using Network Insight. For more information, see Configuring Discovery Properties.
Enabling or Disabling RPZ Logging (RFE-7574)
You can now enable or disable RPZ logging for an RPZ zone by using the RPZ logging checkbox on the Logging tab of the Response Policy Zone editor. For more information, see Managing RPZs.
Inheritance Permissions for Host Objects Not Enabled in DHCP and DNS (RFE-9521)
You can now apply permissions to a network and have those permissions inherited by a host object that is not enabled in DHCP and DNS.
NAT Port as IPSD (RFE-9527)
This release of NIOS supports CGNAT (Carrier Grade NAT), in which multiple subscribers share the same public IP address. In NATing algorithms that allocate port blocks (known port range allocation), the IP address and the first usable port for the subscriber are provided in a RADIUS accounting AVP; the port is carried in a new AVP called Deterministic-NAT-Port. You can select this AVP from the IP Space Discriminator drop-down list. For more information, see Scaling Using Subscriber Sites.
Searching Host by IP Addresses or Networks (RFE-9231)
You can now search for hosts by IP addresses or networks using the NIOS API. For more information, see the NIOS WAPI documentation.
Viewing CPU Utilization and Top N Processes (SPTYRFE-18)
You can now monitor the CPU utilization of the top N processes in the System Activity Monitor widget. You can either track live CPU utilization data or view CPU utilization data for up to the past 60 minutes, based on the time range you specify. You can also set the frequency with which the Ptop tool runs and collects data. For more information, see Status Dashboard.
You can configure the number of top processes and the Ptop interval only for the Grid Master. It is mostly for use by the Infoblox Technical Support team.