Saucepan

User Tools

Site Tools

Trace: configure_redmine_email dtc install_guacamole iot docker firewall_rules duo install_ubuntu20.04 network_users deploy_nios_vm
infoblox:best_practice

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
infoblox:best_practice [2023/10/10 07:41] – [NIOS] bstaffordinfoblox:best_practice [2025/12/09 09:33] (current) – [DNS] bstafford
Line 1: Line 1:
-====== InfoBlox Best Practice ======+====== Infoblox Best Practice ====== 
 +If you are configuring a dual-stack network for the host, you must set the minimum MTU value for the IPv4 address to 1280; if you do not, the IPv6 address will not be functional.  
 +===== NIST Best Practice for DNS =====
  
 +[[https://csrc.nist.gov/pubs/sp/800/81/r3/ipd|NIST SP 800 81r3 page]] with [[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81r3.ipd.pdf|PDF]].
 +
 +===== Best Practice Configuration =====
 +The Infoblox STIG documents published by the US Defense Information Systems Agency. There is a DISA STIG for NIOS 8.x - https://www.stigviewer.com/stigs/infoblox_8x_dns
 +===== RPZ =====
 +When you use RPZ to download Threat Feeds from a provider (e.g. Infoblox, etc), make sure that at the first RPZ feed in the list is a local feed that lists your critical internal domains and RFC1918 (and other networks that you use), set the action to allow without logging. This will prevent your internal systems from being impacted by erroneous data in the providers feed.
 +===== NIOS Logging =====
 +Under Grid Properties > General > Basic > Audit Logging you can set "Brief", "Detailed", "WAPI Detailed". Setting to Brief instead of Detailed can (and has) hampered Infoblox support in establishing exact root cause of issues.
 +
 +Under Grid Properties > Monitoring > Basic make sure you tick Copy Audit Log Message to Syslog. Because it is syslog that can be copied of to SIEM server, this is how you ensure a longer copy of audit logs.
 +===== DDI =====
 +  * DNS - If the Round Trip Time (RTT) between client and DNS server is greater than 200ms, then the user starts to notice.
 +  * DHCP - normally very tolerant of latency between client and DHCP server.
 +  * NTP - normally very tolerant of latency between client and NTP server.
 +
 +===== Return Minimal Responses =====
 +The option "Return Minimal Responses" should generally be disabled for external facing DNS servers.
 +
 +It has been see that enabling "Return Minimal Responses" can cause issues when Microsoft clients query NIOS which has a forwarder to a Microsoft Active Directory domain controller.
 +
 +
 +This means it returns
 +<code>;; ANSWER SECTION:
 +_mssms_mp_swa._tcp.domain.internal.local. 14400 IN SRV 0 0 80 domaincontrollerhostname.domain.internal.local.</code>
 +
 +
 +Instead of 
 +<code>;; ANSWER SECTION:
 +_mssms_mp_swa._tcp.domain.internal.local. 14400 IN SRV 0 0 80 domaincontrollerhostname.domain.internal.local.
 +
 +;; ADDITIONAL SECTION:
 +domaincontrollerhostname.domain.internal.local. 1200 IN      A       1.2.3.4
 +domaincontrollerhostname.domain.internal.local. 1200 IN      AAAA    2002:2002:2002::2002:2002</code>
 +
 +That extra bit is needed by the Microsoft clients so "Return Minimal Responses" had to be disabled.
  
 ===== NIOS ===== ===== NIOS =====
Line 14: Line 51:
   * DNS forwarding proxy is not supported on any appliance that is running on a memory lower than 4 GB. [[https://docs.infoblox.com/space/nios85/35881759/Using+Forwarders|source]]   * DNS forwarding proxy is not supported on any appliance that is running on a memory lower than 4 GB. [[https://docs.infoblox.com/space/nios85/35881759/Using+Forwarders|source]]
   * There might be a significant performance impact on your appliance and network during the DNS forwarding proxy installation process depending on the network connectivity between NIOS and BloxOne Threat Defense. Every node will have to install the DNS forwarding proxy before serving DNS recursive queries, which includes the HA nodes. [[https://docs.infoblox.com/space/nios85/35881759/Using+Forwarders|source]]   * There might be a significant performance impact on your appliance and network during the DNS forwarding proxy installation process depending on the network connectivity between NIOS and BloxOne Threat Defense. Every node will have to install the DNS forwarding proxy before serving DNS recursive queries, which includes the HA nodes. [[https://docs.infoblox.com/space/nios85/35881759/Using+Forwarders|source]]
 +  * If DHCP scavenging is not enabled, it should be, and it definitely can reduce the lease count.  If scavenging is not enabled, leases remain in the database even after they have expired.
 +  * Enable single client lease feature of DHCP.
 +  * Enable the NIOS Object Change Tracking feature to reduce the quantity of data transferred. When you enable this feature, the appliance tracks the changes that are made to NIOS objects and periodically synchronizes changed objects.
 +  * Enable Object Change Tracking ([[https://docs.infoblox.com/space/nios90/280662600/Tracking+Object+Changes+in+the+Database|docs]]). Do this under Grid Properties.
 +      * The Object Change Tracking feature is optimized to reduce impact on the DDI services and it runs only on the Grid Master. The synchronization process synchronizes 1000 objects at a time with a 2 second pause in between. There might be a slight impact on the Grid Master Candidate as they get updates from the Grid Master. When protocol services are running on the Grid Master Candidate you might encounter a 5% drop in the protocol performance. This feature does not impact the services that are running on the Grid members.
  
 ===== BloxOne ===== ===== BloxOne =====
 +  * [[https://docs.infoblox.com/space/BloxOneThreatDefense/359596404/Best+Practices+for+Configuring+Security+Policies|RPZ Ordering]]
   * [[https://docs.infoblox.com/space/BloxOneThreatDefense/56525328/Best+Practices+for+Deploying+Hosts|Deploying BloxOne Hosts]]   * [[https://docs.infoblox.com/space/BloxOneThreatDefense/56525328/Best+Practices+for+Deploying+Hosts|Deploying BloxOne Hosts]]
   * [[https://docs.infoblox.com/space/BloxOneCloud/35366275/Best+Practices+for+Deploying+Hosts|Deploying BloxOne Hosts]]   * [[https://docs.infoblox.com/space/BloxOneCloud/35366275/Best+Practices+for+Deploying+Hosts|Deploying BloxOne Hosts]]
Line 27: Line 70:
  
  
 +===== DNS =====
 +==== Recursive Queries ====
 +In the Security tab in the Grid DNS Properties, it is recommended to turn on the following two options:
 +  * Limit recursive queries per server
 +  * Limit recursive queries per zone
 +====Other ====
 +In accordance with [[https://datatracker.ietf.org/doc/html/rfc6303|RFC 6303]] consider adding the following PTR zones as standard.
 +
 +
 +====RFC 1918 Zones====
 +  * 10.IN-ADDR.ARPA
 +  * 16.172.IN-ADDR.ARPA
 +  * 17.172.IN-ADDR.ARPA
 +  * 18.172.IN-ADDR.ARPA
 +  * 19.172.IN-ADDR.ARPA
 +  * 20.172.IN-ADDR.ARPA
 +  * 21.172.IN-ADDR.ARPA
 +  * 22.172.IN-ADDR.ARPA
 +  * 23.172.IN-ADDR.ARPA
 +  * 24.172.IN-ADDR.ARPA
 +  * 25.172.IN-ADDR.ARPA
 +  * 26.172.IN-ADDR.ARPA
 +  * 27.172.IN-ADDR.ARPA
 +  * 28.172.IN-ADDR.ARPA
 +  * 29.172.IN-ADDR.ARPA
 +  * 30.172.IN-ADDR.ARPA
 +  * 31.172.IN-ADDR.ARPA
 +  * 168.192.IN-ADDR.ARPA
 +
 +(And from [[https://kb.isc.org/docs/aa-00800|here]])
 +  * 100.51.198.IN-ADDR.ARPA
 +  * 113.0.203.IN-ADDR.ARPA
 +==== RFC 5735 and RFC 5737 Zones====
 +  * 0.IN-ADDR.ARPA
 +  * 127.IN-ADDR.ARPA
 +  * 254.169.IN-ADDR.ARPA
 +  * 2.0.192.IN-ADDR.ARPA
 +  * 100.51.198.IN-ADDR.ARPA
 +  * 113.0.203.IN-ADDR.ARPA
 +  * 255.255.255.255.IN-ADDR.ARPA
 +
 +
 +====Local IPv6 Unicast Addresses====
 +  * 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
 +  * 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
 +====IPv6 Locally Assigned Local Addresses====
 +  * D.F.IP6.ARPA
 +==== IPv6 Link-Local Addresses====
 +  * 8.E.F.IP6.ARPA
 +  * 9.E.F.IP6.ARPA
 +  * A.E.F.IP6.ARPA
 +  * B.E.F.IP6.ARPA
infoblox/best_practice.1696923688.txt.gz · Last modified: by bstafford