Saucepan

User Tools

Site Tools

Trace: rate_limiting extend_server_licence about doh_dot
infoblox_nios:adp

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
infoblox_nios:adp [2023/04/26 19:04] bstaffordinfoblox_nios:adp [2026/02/16 02:58] (current) bstafford
Line 1: Line 1:
 ======  NIOS ADP ====== ======  NIOS ADP ======
-Bear in mind that "Advanced DNS Protection" as a licence also protects the protcols for:+[[https://www.infoblox.com/resources/deployment-guide/advanced-dns-protection-deployment-guide|ADP Deployment Guide]] 
 + 
 +[[https://www.infoblox.com/resources/deployment-guide/advanced-dns-protection-ruleset-tuning|ADP Tuning]] 
 + 
 +[[https://blogs.infoblox.com/community/infoblox-advanced-dns-protection-rules-viewing-the-tip-of-an-iceberg/|ADP Rules]] 
 + 
 +[[https://www.infoblox.com/code/wp-content/themes/Divi-child/f/adp-basic-config/story_html5.html?lms=1&lms=1|Old Training Video]] 
 + 
 +To ensure proper performance, ADP locks 2 CPU core to process network traffic. 
 + 
 +Bear in mind that "Advanced DNS Protection" as a license also protects the protocols for:
   * DNS   * DNS
   * DHCP   * DHCP
Line 15: Line 25:
  
 When running ADP on the Grid, to download the latest updates, the Grid Master needs to resolve and access ''https://ts.infoblox.com'' on tcp-443. You may need to configure the proxy settings in the Grid and you may need to disable TLS inspection on the proxy. When running ADP on the Grid, to download the latest updates, the Grid Master needs to resolve and access ''https://ts.infoblox.com'' on tcp-443. You may need to configure the proxy settings in the Grid and you may need to disable TLS inspection on the proxy.
 +===== Licence=====
 +  * SW_TP = Threat Protection
 +  * TP_SUB = Threat Protection Update
  
 +You cannot install TP_SUB without already having SW_TP installed.
 +
 +You cannot install ADP on a NIOS appliance that has the MS Management license installed.
 +
 +===== Enable Accelerated Networking =====
 +Accelerated Networking (sometimes called 'fast-path') is not enabled on the MGMT interfaces of appliances deployed with NIOS 9.0.5 or later. Older appliances upgraded to NIOS 9.0.5 keep it enabled.
 +
 +It can be enabled/disabled on MGMT interface manually from 9.0.5 onward.
 +<code>set mgmt_exclusion_from_fastpath <on|off></code>
 +Ideally, don't enable on MGMT. Disabling on MGMT means that SSH can happen to MGMT without going through accelerated networking.
 +
 +Remember, DoH cannot run on MGMT. DoT can run on MGMT if, and only if, accelerated networking is enabled on MGMT.
 +===== Enable ADP =====
 +Remember, the option to install the ADP licence is not available until the appliance has the correct resources (RAM/CPU) allocated. See the table below for the RAM/CPU that needs to be allocated per model of NIOS appliance.
 +
 +Remember, installing ADP licence ("Threat Protection (Software add-on) license") will reboot the member. 
 +
 +Remember, enabling the ADP service ("Threat Protection") on a member will cause the member to reboot.
 +
 +Remember, you cannot enable ADP on a GM or GMC
 +
 +Remember, the DNS member running ADP must be using the MGMT interface.
 +
 +Remember, after enabling DoH and/or DoT, you must manually reboot the member.
 +
 +Remember, the option to enable DoT and enable DoH is only visible if the member has enough memory allocated (Data Management > DNS > Members > Properties > Queries > Advanced)
 +
 +Remember, to install the ADP licence and the ADP update licence, the NIOS appliance must have the enough CPU/RAM
 +
 +^ NIOS Appliance ^ vCPU ^ Memory ^
 +| TE-v1415 | 4 | 32GB|
 +| TE-v1425 | 4 | 32GB|
 +| TE-v2215 | 16 | 64GB|
 +| TE-v2225 | 16 | 64GB|
 +| TE-v4015 | 28 | 128GB|
 +| TE-v4025 | 28 | 128GB|
 +| TE-v926 | 8 | 32GB|
 +| TE-v1516 | 12 | 64GB|
 +| TE-v1526 | 16 | 64GB|
 +| TE-v2326 | 20 | 192GB|
 +| TE-v4126 | 32 | 284GB|
 ===== Test ADP ===== ===== Test ADP =====
 Use a CHAOS query to ask for the running version of Bind. That will trigger a reconnaissance rule Use a CHAOS query to ask for the running version of Bind. That will trigger a reconnaissance rule
 <code>dig @adp.infobloxtest.local CH TXT version.bind</code> <code>dig @adp.infobloxtest.local CH TXT version.bind</code>
 <code>CEF:0|Infoblox|NIOS Threat|8.6.2-49947-c076333333a0|110100200|EARLY DROP UDP DNS named version attempts|8|src=**** spt=63141 dst=**** dpt=53 act="DROP" cat="Reconnaissance" nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=1</code> <code>CEF:0|Infoblox|NIOS Threat|8.6.2-49947-c076333333a0|110100200|EARLY DROP UDP DNS named version attempts|8|src=**** spt=63141 dst=**** dpt=53 act="DROP" cat="Reconnaissance" nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=1</code>
 +
 +Another example log where we block a specific domain from being resolved.
 +  * Facility: daemon
 +  * Level: ERROR
 +  * Server: threat-protect-log
 +  * Message: CEF:0|Infoblox|NIOS Threat|9.0.6-53318-82020f7ffaad|120303001|Blacklist:blockedinconfig.domain.com|7|src=25.26.27.28 spt=52223 dst=192.168.1.123 dpt=53 act="DROP" cat="BLACKLIST UDP FQDN lookup" nat=0 nfpt=0 nlpt=0 fqdn=blockedinconfig.domain.com hit_count=3</code>
 +===== DoH =====
 +To test DoH on Linux Client, [[https://www.linuxbabe.com/ubuntu/dns-over-https-doh-resolver-ubuntu-dnsdist|this page is a useful guide]]. I had to use a proper certificate (Lets Encrypt) to get it to work. I put the HTTPS cert on the DoH member of the Infoblox Grid and also imported the intermediate and root certificates into the Grid.
infoblox_nios/adp.1682535861.txt.gz · Last modified: by bstafford