Saucepan

User Tools

Site Tools

Trace: geolocation
infoblox_threat_defense:geolocation

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
infoblox_threat_defense:geolocation [2024/12/27 15:10] – created bstaffordinfoblox_threat_defense:geolocation [2026/02/25 09:47] (current) bstafford
Line 1: Line 1:
-====== BloxOne Geolocation ======+====== Infoblox Threat Defense Geolocation ======
  
-Geolocation+=====Geolocation =====
 Service providers such as Google, Infoblox, etc, will only forward ECS data to an authoratative DNS server if that domain being queried is in the list of ECS zones. Service providers such as Google, Infoblox, etc, will only forward ECS data to an authoratative DNS server if that domain being queried is in the list of ECS zones.
  
-  * For Infoblox, this list is mostly services Google, YouTube, SalesForce, Netskope, etc. MIcroosft doesn't support ECS.+  * For Infoblox, this list is mostly services Google, YouTube, SalesForce, Netskope, etc.  
 +  * Microsoft doesn't support ECS.
   * Infoblox forwards the /24 when forwarding ECS data.   * Infoblox forwards the /24 when forwarding ECS data.
-  * When using an BloxOne Endpoint, the public IP is the one that BloxOne Cloud sees as the source IP. i.e. the public IP that the BloxOne Endpoint is source NAT'd behind.+  * When using an Infoblox Endpoint, the public IP is the one that Infoblox Cloud sees as the source IP. i.e. the public IP that the Infoblox Endpoint is source NAT'd behind.
   * When using an External Network, the public IP is the External Network being used.   * When using an External Network, the public IP is the External Network being used.
-  * When using a DFP, the public IP used is the public IP that BloxOne has associated with that DFP. i.e. the public IP that the DFP is source NAT'd behind.+  * When using NIOS-XaaS with DFP, it is the public IP of the NIOS-XaaS POP being used. 
 +  * When using a DFP, the public IP used is the public IP that Infoblox has associated with that DFP (called "NAT IP Address" when looking at the Server details in the Infoblox Portal). i.e. the public IP that the DFP is source NAT'd behind. 
 + 
 +You can check what IP the service sees by testing against Google. 
 +<code>dig @<IP_OF_DFP_or_local_DNS_server> +short TXT o-o.myaddr.l.google.com</code>
  
  
 Geolocation support uses the EDNS0 ECS (ENDS client subnet) option to pass the public /24 subnet of your IP address to a third-party DNS server. This allows ECS enabled third-party DNS servers to provide appropriate answers based on the geolocation of the source user and direct users to the closest instance of the DNS record being queried. Geolocation support uses the EDNS0 ECS (ENDS client subnet) option to pass the public /24 subnet of your IP address to a third-party DNS server. This allows ECS enabled third-party DNS servers to provide appropriate answers based on the geolocation of the source user and direct users to the closest instance of the DNS record being queried.
  
-BloxOne Threat Defense provides the option of enabling or disabling geolocation on a per-policy basis, which means the geolocation configuration affects the entire network scope configured for a specific policy. Enabling geolocation for a security policy exposes the public /24 subnet of a DFP, External Network or BloxOne Endpoint to the authoritative DNS server. If you do not want to expose the public /24 subnet to external DNS name servers, do not enable geolocation when you configure a security policy. Geolocation is disabled by default, and new policies will inherit the geolocation configuration of the default policy.+Infoblox Threat Defense provides the option of enabling or disabling geolocation on a per-policy basis, which means the geolocation configuration affects the entire network scope configured for a specific policy. Enabling geolocation for a security policy exposes the public /24 subnet of a DFP, External Network or Infoblox Endpoint to the authoritative DNS server. If you do not want to expose the public /24 subnet to external DNS name servers, do not enable geolocation when you configure a security policy. Geolocation is disabled by default, and new policies will inherit the geolocation configuration of the default policy.
  
 Note: Note:
-Infoblox maintains a list of domains that support geolocation-based responses. BloxOne Threat Defense will only forward public /24 subnet ECS data to domains that are on this list. Queries for domains that are not on this list will not have ECS data forwarded regardless of whether geolocation is enabled or not. If you encounter issues while configuring geolocation, contact Infoblox Technical Support.+Infoblox maintains a list of domains that support geolocation-based responses. Infoblox Threat Defense will only forward public /24 subnet ECS data to domains that are on this list. Queries for domains that are not on this list will not have ECS data forwarded regardless of whether geolocation is enabled or not. If you encounter issues while configuring geolocation, contact Infoblox Technical Support.
  
  
Line 24: Line 29:
  
 There is a performance impact on the cache layer due to the overload of the domains in the ECS list. End users shouldn’t really care/know about that. There is a performance impact on the cache layer due to the overload of the domains in the ECS list. End users shouldn’t really care/know about that.
 +
 +===== NIOS-XaaS =====
 +When using NIOS-XaaS, if you have DNS and DFP and enable Geolocation, the target will get the source IP of the DFP POP and the EDNS0 subnet of the XaaS POP.
 +
 +This is because when you query the XaaS DNS server, it then forwards to the Threat Defense POP.
  
 ===== Testing ===== ===== Testing =====
 +  * google.com
   * 3dzip.org   * 3dzip.org
-  * www.youtube.com+  * youtube.com
   * outlook.office365.com   * outlook.office365.com
   * infoblox.lightning.force.com   * infoblox.lightning.force.com
   * outlook.office365.com   * outlook.office365.com
  
-<code>dig +short @8.8.8.8 +subnet=41.33.12.0/24 3dzip.org</code>+To show Google sees EDNS0 data, run the following: 
 + 
 +<code>dig +short @8.8.8.8 +subnet=41.33.12.0/24 TXT o-o.myaddr.l.google.com</code> 
 +Results 
 +<code>C:\Users\owner>dig +short @8.8.8.8 +subnet=41.33.12.0/24 TXT o-o.myaddr.l.google.com 
 +"54.56.57.58" 
 +"edns0-client-subnet 41.33.12.0/24"</code> 
 +The run again via Infoblox Threat Defense. If Threat Defense has Geolocation enabled, you should get your public subnet in the response. 
 +<code>dig +short @<DNS_server_IP> TXT o-o.myaddr.l.google.com</code> 
 +Results 
 +<code>C:\Users\owner>dig +short @127.0.0.1 TXT o-o.myaddr.l.google.com 
 +"edns0-client-subnet 54.56.57.0/24" 
 +"13.42.84.27"</code> 
 +In the example above,13.42.84.27 is the IP of Infoblox Threat Defense egress IP from its London POP in 2025 and 54.56.57.0/24 is an example of the public IP of the next that the test was actually run on. This shows that Infoblox Threat Defense took the public subnet and included it in the query to Google. 
 + 
 +However, if you disable geo-location but then add subnet data to your query (e.g. +subnet=10.10.10.0/24 when using the dig command), then the subnet is copied when querying domains on the GeoLocation list (albeit that the /24 is converted to a /32. e.g. 10.10.10.0/32). Difficult to determine if this is true for other domains as well. 
 + 
 +If geolocation is enabled and you use +subnet, then you value is copied and Threat Defense will not add your actual public IP.
infoblox_threat_defense/geolocation.1735312254.txt.gz · Last modified: by bstafford