The DNS forwarding proxy (DFP) is a DNS forwarder that sends DNS queries to BloxOne Threat Defense Cloud or to a local DNS server. When you enable the DNS Forwarding Proxy service on an on-prem host, the DNS forwarding proxy continually monitors connectivity to BloxOne Threat Defense Cloud. If you have purchased BloxOne Threat Defense Business Cloud or BloxOne Threat Defense Advanced, you can configure the on-prem host to run the DNS Forwarding Proxy service so that, if the on-prem host cannot reach the BloxOne Threat Defense Cloud Anycast DNS server, it can send DNS requests to a local DNS server instead.


DNS Forwarding Proxy Health

Health Check

  1. The DNS forwarding proxy starts up with an unhealthy status before it performs its first health check. This initial unhealthy status sends the following status message to the Cloud Services Portal: "DNS Service is not ready". If the BloxOne Threat Defense Cloud DNS endpoints or Anycast are available, up to one minute might pass before the status changes to healthy.
  2. If BloxOne Threat Defense Cloud successfully responds to DNS messages from the clients, the DNS forwarding proxy does not perform any additional health checks.
  3. If clients do not send DNS queries, the DNS forwarding proxy sends its own probe queries to the cloud to check whether it is available. The time interval between probe queries is approximately 10 seconds.
  4. Resolution of a client DNS query might take up to 20 seconds. If a query fails, that is, if no response is received within 20 seconds, the DNS forwarding proxy starts sending probe queries to the failed BloxOne Threat Defense Cloud endpoint. An additional 10 seconds might elapse before the unavailable endpoint is considered unhealthy.
  5. Typically, the DNS forwarding proxy is configured with several BloxOne Threat Defense Cloud endpoints. With multiple endpoints, the following happens:
    1. If the first endpoint in the list of endpoints is unhealthy, the DNS forwarding proxy sends client queries to the next endpoint.
    2. If all BloxOne Threat Defense Cloud endpoints are unavailable, the DNS forwarding proxy reports the status to the Cloud Services Portal, for example: "DNS Service is not able to resolve domains. ATC endpoint 52.119.40.100:443 is unreachable." Further behavior of the DNS forwarding proxy depends on the configuration of the DNS fallback resolver.
  6. The DNS forwarding proxy continues to send probe queries to the BloxOne Threat Defense Cloud endpoints. When it detects that a BloxOne Threat Defense Cloud endpoint is available again, it resumes sending DNS traffic to the cloud. Up to one minute might elapse between the cloud endpoints becoming available and DNS traffic being routed to the cloud again.
Note

The health check tests only the availability of the BloxOne Threat Defense Cloud resolvers. It does not test the availability of local resolvers intended for resolving internal domains. The DNS forwarding proxy uses the following root domain when performing a health check: dig.ns.


DNS Fallback

Workflow

If DNS fallback is enabled and BloxOne Threat Defense Cloud becomes unhealthy, the DNS forwarding proxy falls back to the local DNS server.

  1. The DNS forwarding proxy does not consider a BloxOne Threat Defense Cloud endpoint unhealthy immediately after a client query to it fails. Instead, it starts sending probe DNS queries to that endpoint. Only after three failed probe queries in a row does the DNS forwarding proxy consider the endpoint unhealthy and stop sending client queries to it. It might take up to 10 seconds before the DNS forwarding proxy considers the endpoint unhealthy. Normally, the DNS forwarding proxy is configured with several BloxOne Threat Defense Cloud endpoints, such as 52.119.40.100:443 and 103.80.5.100:443, so the client query is sent to the next healthy upstream endpoint. Only after all BloxOne Threat Defense Cloud endpoints are considered unhealthy is the client query sent to the fallback resolver.
  2. If the DNS forwarding proxy is configured to fall back to NIOS resolution (Image 1), NIOS forwards the queries to the root servers. See Image 2 for configuring root servers on NIOS and Image 3 for enabling recursion on NIOS.
Note

In NIOS, when "Fallback to the default resolution process if BloxOne Threat Defense cloud does not respond" is selected, the generated BIND/named configuration contains a "forward first" statement, which means that BIND falls back to the root hints if BloxOne Threat Defense Cloud is not reachable or does not respond. When you deselect this option in NIOS, the BIND statement is "forward only", which means that queries are always sent to BloxOne Threat Defense Cloud and never resolved locally.
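The Health Check steps and the fallback workflow above describe one state machine: endpoints start unhealthy, a failed client query triggers probes, three consecutive failed probes mark an endpoint unhealthy, client queries move to the next healthy endpoint, and only when every cloud endpoint is unhealthy does the query go to the fallback resolver. The following Python model is an added example written for this page; it is not Infoblox code. The 20-second query timeout, the roughly 10-second probe interval, the three-consecutive-failure threshold, the status strings, the dig.ns. probe name and the endpoint addresses are taken from the page. The fallback resolver address 10.0.0.53, the FakeNetwork class, and the handling of queries that arrive before any endpoint has been probed are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Timings and names from the page; everything else here is a modelling assumption.
QUERY_TIMEOUT_S = 20            # a client query is considered failed after this
PROBE_INTERVAL_S = 10           # approximate gap between probe queries
PROBES_TO_UNHEALTHY = 3         # consecutive failed probes before "unhealthy"
HEALTH_CHECK_NAME = "dig.ns."   # root domain the page says is used for probes

STATUS_NOT_READY = "DNS Service is not ready"
STATUS_HEALTHY = "healthy"


@dataclass
class Endpoint:
    addr: str                   # e.g. "52.119.40.100:443"
    healthy: bool = False       # the proxy starts unhealthy until a probe succeeds
    failed_probes: int = 0      # consecutive failures, reset by any success


class FakeNetwork:
    """Constructed stand-in for the transport: which targets currently answer.
    A target that is not reachable behaves like a query that times out."""

    def __init__(self, reachable: Dict[str, bool]):
        self.reachable = reachable

    def query(self, target: str, name: str) -> Optional[str]:
        return f"{name} answered by {target}" if self.reachable.get(target) else None


class ForwardingProxy:
    def __init__(self, endpoints: List[str], net: FakeNetwork,
                 fallback: Optional[str] = None):
        self.endpoints = [Endpoint(a) for a in endpoints]   # tried in list order
        self.net = net
        self.fallback = fallback    # local resolver such as NIOS; None = no fallback

    def status(self) -> str:
        """Status as the proxy would report it to the Cloud Services Portal."""
        if any(e.healthy for e in self.endpoints):
            return STATUS_HEALTHY
        if all(e.failed_probes == 0 for e in self.endpoints):
            return STATUS_NOT_READY     # start-up: nothing has been probed yet
        return ("DNS Service is not able to resolve domains. "
                f"ATC endpoint {self.endpoints[0].addr} is unreachable.")

    def probe(self, ep: Endpoint) -> None:
        """One probe query; three consecutive failures flip the endpoint to unhealthy,
        a single success flips it back (the recovery described in step 6)."""
        if self.net.query(ep.addr, HEALTH_CHECK_NAME) is not None:
            ep.healthy, ep.failed_probes = True, 0
        else:
            ep.failed_probes += 1
            if ep.failed_probes >= PROBES_TO_UNHEALTHY:
                ep.healthy = False

    def probe_all(self, seconds: int) -> None:
        """Run the idle-time probe loop (step 3) for `seconds` of simulated time."""
        for _ in range(seconds // PROBE_INTERVAL_S):
            for ep in self.endpoints:
                self.probe(ep)

    def resolve(self, name: str) -> Tuple[str, Optional[str]]:
        """Returns (rcode, answer). Healthy cloud endpoints are tried in order,
        then the fallback resolver; with nothing left the client gets SERVFAIL."""
        for ep in self.endpoints:
            if not ep.healthy:
                continue
            answer = self.net.query(ep.addr, name)
            if answer is not None:
                ep.failed_probes = 0
                return "NOERROR", answer
            # A failed client query does not make the endpoint unhealthy by itself;
            # it only starts the probe sequence that decides (step 4).
            self.probe(ep)
        if self.fallback is not None:
            answer = self.net.query(self.fallback, name)
            if answer is not None:
                return "NOERROR", answer
        return "SERVFAIL", None


if __name__ == "__main__":
    net = FakeNetwork({"52.119.40.100:443": True, "103.80.5.100:443": True,
                       "10.0.0.53": True})
    dfp = ForwardingProxy(["52.119.40.100:443", "103.80.5.100:443"], net,
                          fallback="10.0.0.53")
    print(dfp.status())                 # not ready until the first probes succeed
    dfp.probe_all(60)
    print(dfp.status(), dfp.resolve("example.com."))
    net.reachable["52.119.40.100:443"] = False
    net.reachable["103.80.5.100:443"] = False
    dfp.probe_all(30)                   # three failed probes per endpoint
    print(dfp.status(), dfp.resolve("internal.example."))   # served by fallback
```

The model keeps the distinction the page draws: a single failed client query only starts probing, and the client query itself is retried on the next healthy endpoint, so a transient loss of one endpoint does not drop queries to the fallback resolver.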


Image 1: DNS forwarding proxy fallback to default resolution


Image 2: NIOS root name servers configuration


Image 3: Enabling recursion on NIOS


While there are other ways of configuring DNS resolution on NIOS, this is the easiest approach. If a fallback is configured on NIOS and the DNS forwarding proxy is unhealthy because BloxOne Threat Defense Cloud is unreachable, NIOS resolves queries recursively.
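As an added illustration of the "forward first" versus "forward only" distinction in the note above, here are the two BIND forwarding modes side by side. This is an example written for this page, not the configuration NIOS generates (which the page does not show); the forwarder addresses are placeholders and the option names are standard BIND 9 syntax.

```conf
options {
    // Recursion must be enabled for the root-hints fallback to do anything
    // (Image 3); root hints are the servers configured in Image 2.
    recursion yes;

    // Placeholder addresses; NIOS fills in the BloxOne Threat Defense Cloud resolvers.
    forwarders { 192.0.2.10; 192.0.2.11; };

    // NIOS option selected: try the forwarders first and, if they do not respond,
    // resolve the query recursively from the root hints.
    forward first;

    // NIOS option deselected: send every query to the forwarders and nothing else.
    // If the cloud is unreachable the client receives SERVFAIL.
    // forward only;
};
```

Note the trade-off: while NIOS is resolving from root hints, those queries are answered without passing through BloxOne Threat Defense Cloud, so "forward first" buys availability at the cost of policy enforcement for the duration of the outage, whereas "forward only" fails closed.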

Maximum Number of Concurrent DNS Queries

The DNS forwarding proxy can process up to 10,000 concurrent DNS queries. If this limit is exceeded, the client receives a DNS response with the response code SERVFAIL.

Maximum Number of TCP Connections

The DNS forwarding proxy can serve multiple DNS queries over a single TCP connection sequentially, that is, handling one DNS query at a time. If a client sends multiple queries simultaneously, the DNS forwarding proxy can establish more than one connection. The maximum number of TCP connections is tied to the maximum number of concurrent DNS queries: 10,000.