| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| infoblox_nios:adp [2024/06/16 19:59] – [Enable ADP] bstafford | infoblox_nios:adp [2026/02/16 02:58] (current) – bstafford |
|---|
| [[https://www.infoblox.com/resources/deployment-guide/advanced-dns-protection-ruleset-tuning|ADP Tuning]] | [[https://www.infoblox.com/resources/deployment-guide/advanced-dns-protection-ruleset-tuning|ADP Tuning]] |
| |
| Bear in mind that "Advanced DNS Protection" as a licence also protects the protcols for: | [[https://blogs.infoblox.com/community/infoblox-advanced-dns-protection-rules-viewing-the-tip-of-an-iceberg/|ADP Rules]] |
| | |
| | [[https://www.infoblox.com/code/wp-content/themes/Divi-child/f/adp-basic-config/story_html5.html?lms=1&lms=1|Old Training Video]] |
| | |
| | To ensure proper performance, ADP locks 2 CPU core to process network traffic. |
| | |
| | Bear in mind that "Advanced DNS Protection" as a license also protects the protocols for: |
| * DNS | * DNS |
| * DHCP | * DHCP |
| You cannot install ADP on a NIOS appliance that has the MS Management license installed. | You cannot install ADP on a NIOS appliance that has the MS Management license installed. |
| |
| | ===== Enable Accelerated Networking ===== |
| | Accelerated Networking (sometimes called 'fast-path') is not enabled on the MGMT interfaces of appliances deployed with NIOS 9.0.5 or later. Older appliances upgraded to NIOS 9.0.5 keep it enabled. |
| | |
| | It can be enabled/disabled on MGMT interface manually from 9.0.5 onward. |
| | <code>set mgmt_exclusion_from_fastpath <on|off></code> |
| | Ideally, don't enable on MGMT. Disabling on MGMT means that SSH can happen to MGMT without going through accelerated networking. |
| | |
| | Remember, DoH cannot run on MGMT. DoT can run on MGMT if, and only if, accelerated networking is enabled on MGMT. |
| ===== Enable ADP ===== | ===== Enable ADP ===== |
| Remember, the option to install the ADP licence is not available until the appliance has the correct resources (RAM/CPU) allocated. See the table below for the RAM/CPU that needs to be allocated per model of NIOS appliance. | Remember, the option to install the ADP licence is not available until the appliance has the correct resources (RAM/CPU) allocated. See the table below for the RAM/CPU that needs to be allocated per model of NIOS appliance. |
| <code>CEF:0|Infoblox|NIOS Threat|8.6.2-49947-c076333333a0|110100200|EARLY DROP UDP DNS named version attempts|8|src=**** spt=63141 dst=**** dpt=53 act="DROP" cat="Reconnaissance" nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=1</code> | <code>CEF:0|Infoblox|NIOS Threat|8.6.2-49947-c076333333a0|110100200|EARLY DROP UDP DNS named version attempts|8|src=**** spt=63141 dst=**** dpt=53 act="DROP" cat="Reconnaissance" nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=1</code> |
| |
| | Another example log where we block a specific domain from being resolved. |
| | * Facility: daemon |
| | * Level: ERROR |
| | * Server: threat-protect-log |
| | * Message: CEF:0|Infoblox|NIOS Threat|9.0.6-53318-82020f7ffaad|120303001|Blacklist:blockedinconfig.domain.com|7|src=25.26.27.28 spt=52223 dst=192.168.1.123 dpt=53 act="DROP" cat="BLACKLIST UDP FQDN lookup" nat=0 nfpt=0 nlpt=0 fqdn=blockedinconfig.domain.com hit_count=3</code> |
| ===== DoH ===== | ===== DoH ===== |
| To test DoH on Linux Client, [[https://www.linuxbabe.com/ubuntu/dns-over-https-doh-resolver-ubuntu-dnsdist|this page is a useful guide]]. I had to use a proper certificate (Lets Encrypt) to get it to work. I put the HTTPS cert on the DoH member of the Infoblox Grid and also imported the intermediate and root certificates into the Grid. | To test DoH on Linux Client, [[https://www.linuxbabe.com/ubuntu/dns-over-https-doh-resolver-ubuntu-dnsdist|this page is a useful guide]]. I had to use a proper certificate (Lets Encrypt) to get it to work. I put the HTTPS cert on the DoH member of the Infoblox Grid and also imported the intermediate and root certificates into the Grid. |
