Saucepan

User Tools

Site Tools

Trace: internal_tld firewall_rules dig cloud_network_automation ipv4 sizing delegation troubleshooting logging integrations
infoblox_nios:forwarding

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
infoblox_nios:forwarding [2023/06/27 15:51] – created bstaffordinfoblox_nios:forwarding [2025/07/01 18:47] (current) bstafford
Line 1: Line 1:
 ====== Forwarding ====== ====== Forwarding ======
 +
 +In general, if you tell a DNS server to forward all queries to another DNS server (e.g. local DNS server forwards to 1.1.1.1) then you should tick "User Forwarders Only". (Obviously, you will want more than just one IP. 1.1.1.1 & 1.0.0.1 is much more resilient than just 1.1.1.1). This is because by the time the recursive DNS server falls back to top-down recursion, a stub resolver (client) has already waited for quite a while. If the recursion takes some time, the stub resolver might well give up. Also, the more forwarders you have defined, the more forwarders the DNS server has to check before it can fall back to recursion. Fall back to recursion time also depends on BIND version but the more modern BIND uses RTT which effects overall time, and finally there are mechanics at play as well for EDNS0 backoff where it will try increasing Timeouts (something like 1.6s, 3.2s, 6.4s 9s until it hits the default max which is something like 30s total)
  
 How the round trip time(RTT) algorithm works. How the round trip time(RTT) algorithm works.
Line 25: Line 27:
 Forwarders that aren’t selected have their RTT values “decayed” by multiplying them by .98. This enables all the configured Forwarders to eventually get their turn. Forwarders that aren’t selected have their RTT values “decayed” by multiplying them by .98. This enables all the configured Forwarders to eventually get their turn.
  
-In short, No. Forwarders are not always used in the Order in which they are configured. It is actually based on RTT Values.+In short, No. The order in which the forwarders are listed has no bearing on the order in which they are used. 
 + 
 +===== DNSSEC ===== 
 +If DNSSEC validation is not enabled in NIOS, and if NIOS is configured to forward to another DNS server (e.g. NIOS caching/recursive layer) then NIOS sends DNS queries to the caching box with DNSSEC "CD" (Check Disabled) flag bit set to "1", and the caching server, irrespective of the local DNSSEC validation setting,  will not perform any validation locally and provides the response to the "forwarding DNS server", and the same response is sent back to the client. i.e. if you have full DNSSEC validation enabled on the external caching server but the Internal NIOS server does not have DNSSEC enabled then the external caching server will NOT perform DNSSEC validation for that query. 
 + 
 +If you enable DNSSEC and have Trust Anchors configured on the internal DNS NIOS box, then the NIOS box will do the DNSSEC validation by forwarding the DNS and DNSKEY queries to the external caching layer to get the answers to. 
 + 
 +If you enabled DNSSEC and have NO Trust Anchors configured, then the internal DNS NIOS box will add CD (Check Disabled) flag bit set to "0" and it will mean that it is telling the external caching server to do the DNSSEC validation on its behalf. 
 + 
 +[[https://support.infoblox.com/s/article/302|Infoblox KB article]]. 
 + 
 +===== DFP Forwarding ===== 
 + 
 +[[https://docs.infoblox.com/space/nios90/1468465491/Specifying+Forwarders|Documentation]] 
 + 
 +When enabling the "Add" and "Copy" options under DNS Properties > Forwarding, we see the following notices/warnings 
 +<code>The "Copy client IP, MAC addresses, and DNS View name to outgoing recursive queries" EDNS0 option will not function in the following scenarios even when you have enabled it:  
 +1. When you select the "Disable EDNS0" option. (Grid Properties > General > Advanced > "Disable EDNS0" (by default this option is disabled - thus EDNS0 is enabled by default) 
 +2. When recursion is not enabled on the member. 
 +3. The list of Grid or Member DNS forwarders is empty. When DFP is enabled on the node: DFP will re-write required statements to forwarder section of named-config.  
 + 
 +Do you still want to proceed? Do you want to continue?</code> 
 + 
 + 
 +<code>The "Add client IP, MAC addresses, and DNS View name to outgoing recursive queries" EDNS0 option will not function in the following scenarios even when you have enabled it:  
 +1. When you select the "Disable EDNS0" option.(Grid Properties > General > Advanced > "Disable EDNS0" (by default this option is disabled - thus EDNS0 is enabled by default) 
 +2. When recursion is not enabled on the member. 
 +3. The list of Grid or Member DNS forwarders is empty. When DFP is enabled on the node: DFP will re-write required statements to forwarder section of named-config.  
 + 
 +Do you still want to proceed? Do you want to continue?</code> 
 + 
 +If DFP fails and Global Forwarders are NOT configured, root hints will be used and NIOS will not add source IP data to the queries. 
 + 
 +Notes on using "Add" and "Copy" options for NIOS Forwarding with DFP. 
 +  * Source IP (Laptop) = 192.168.99.73 (Queries 192.168.11.211) 
 +  * First NIOS Member = 192.168.11.211 (Forward only to 192.168.11.212) 
 +  * Second NIOS Member = 192.168.11.212 (Forward only to 192.168.11.215) 
 +  * Third NIOS Member  = 192.168.11.215 (DFP enabled and no forwarders configured locally) 
 + 
 +In the scenario below, the key is to ensure that the first layer has "Add" enabled and that the second and third layer have "Copy" enabled. If we assume that all clients query layer 1, we are good. We include "Add" in the second and third layers to allow for clients querying these layers directly. 
 + 
 +MAC Address will only get ADDED if the client IP is in the same subnet as the NIOS/NIOS-X appliance receiving it. Once added, it can be copied.
  
 +^Source IP ^ 1 Add ^ 1 Copy ^ 2 Add ^ 2 Copy ^ 3 Add ^ 3 Copy ^ IP Recorded ^
 +| 192.168.99.73 | _ | _ | _ | _ | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | _ | _ | _ | _ | X | 192.168.11.212 |
 +| 192.168.99.73 | _ | _ | _ | _ | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | _ | _ | _ | X | X | 192.168.11.212 |
 +| 192.168.99.73 | _ | _ | _ | X | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | _ | _ | X | _ | X | 192.168.11.212 |
 +| 192.168.99.73 | _ | _ | _ | X | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | _ | _ | X | X | X | 192.168.11.212 |
 +| 192.168.99.73 | _ | _ | X | _ | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | _ | X | _ | _ | X | 192.168.11.211 |
 +| 192.168.99.73 | _ | _ | X | _ | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | _ | X | _ | X | X | 192.168.11.211 |
 +| 192.168.99.73 | _ | _ | X | X | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | _ | X | X | _ | X | 192.168.11.211 |
 +| 192.168.99.73 | _ | _ | X | X | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | _ | X | X | X | X | 192.168.11.211 |
 +| 192.168.99.73 | _ | X | _ | _ | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | X | _ | _ | _ | X | 192.168.11.212 |
 +| 192.168.99.73 | _ | X | _ | _ | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | X | _ | _ | X | X | 192.168.11.212 |
 +| 192.168.99.73 | _ | X | _ | X | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | X | _ | X | _ | X | 192.168.11.212 |
 +| 192.168.99.73 | _ | X | _ | X | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | X | _ | X | X | X | 192.168.11.212 |
 +| 192.168.99.73 | _ | X | X | _ | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | X | X | _ | _ | X | 192.168.11.211 |
 +| 192.168.99.73 | _ | X | X | _ | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | X | X | _ | X | X | 192.168.11.211 |
 +| 192.168.99.73 | _ | X | X | X | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | X | X | X | _ | X | 192.168.11.211 |
 +| 192.168.99.73 | _ | X | X | X | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | _ | X | X | X | X | X | 192.168.11.211 |
 +| 192.168.99.73 | X | _ | _ | _ | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | _ | _ | _ | _ | X | 192.168.11.212 |
 +| 192.168.99.73 | X | _ | _ | _ | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | _ | _ | _ | X | X | 192.168.11.212 |
 +| 192.168.99.73 | X | _ | _ | X | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | _ | _ | X | _ | X | 192.168.99.73 | 
 +| 192.168.99.73 | X | _ | _ | X | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | _ | _ | X | X | X | 192.168.99.73 | 
 +| 192.168.99.73 | X | _ | X | _ | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | _ | X | _ | _ | X | 192.168.11.211 |
 +| 192.168.99.73 | X | _ | X | _ | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | _ | X | _ | X | X | 192.168.11.211 |
 +| 192.168.99.73 | X | _ | X | X | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | _ | X | X | _ | X | 192.168.99.73 | 
 +| 192.168.99.73 | X | _ | X | X | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | _ | X | X | X | X | 192.168.99.73 | 
 +| 192.168.99.73 | X | X | _ | _ | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | X | _ | _ | _ | X | 192.168.11.212 |
 +| 192.168.99.73 | X | X | _ | _ | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | X | _ | _ | X | X | 192.168.11.212 |
 +| 192.168.99.73 | X | X | _ | X | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | X | _ | X | _ | X | 192.168.99.73 | 
 +| 192.168.99.73 | X | X | _ | X | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | X | _ | X | X | X | 192.168.99.73 | 
 +| 192.168.99.73 | X | X | X | _ | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | X | X | _ | _ | X | 192.168.11.211 |
 +| 192.168.99.73 | X | X | X | _ | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | X | X | _ | X | X | 192.168.11.211 |
 +| 192.168.99.73 | X | X | X | X | _ | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | X | X | X | _ | X | 192.168.99.73 | 
 +| 192.168.99.73 | X | X | X | X | X | _ | 192.168.11.212 |
 +| 192.168.99.73 | X | X | X | X | X | X | 192.168.99.73 | 
infoblox_nios/forwarding.1687881084.txt.gz · Last modified: by bstafford