Saucepan

User Tools

Site Tools

Trace:
infoblox_threat_defense:geolocation

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
infoblox_threat_defense:geolocation [2025/02/16 19:49] – [Testing] bstaffordinfoblox_threat_defense:geolocation [2026/02/25 09:47] (current) bstafford
Line 5: Line 5:
  
   * For Infoblox, this list is mostly services Google, YouTube, SalesForce, Netskope, etc.    * For Infoblox, this list is mostly services Google, YouTube, SalesForce, Netskope, etc. 
-  * Microosft doesn't support ECS.+  * Microsoft doesn't support ECS.
   * Infoblox forwards the /24 when forwarding ECS data.   * Infoblox forwards the /24 when forwarding ECS data.
   * When using an Infoblox Endpoint, the public IP is the one that Infoblox Cloud sees as the source IP. i.e. the public IP that the Infoblox Endpoint is source NAT'd behind.   * When using an Infoblox Endpoint, the public IP is the one that Infoblox Cloud sees as the source IP. i.e. the public IP that the Infoblox Endpoint is source NAT'd behind.
   * When using an External Network, the public IP is the External Network being used.   * When using an External Network, the public IP is the External Network being used.
   * When using NIOS-XaaS with DFP, it is the public IP of the NIOS-XaaS POP being used.   * When using NIOS-XaaS with DFP, it is the public IP of the NIOS-XaaS POP being used.
-  * When using a DFP, the public IP used is the public IP that Infoblox has associated with that DFP. i.e. the public IP that the DFP is source NAT'd behind.+  * When using a DFP, the public IP used is the public IP that Infoblox has associated with that DFP (called "NAT IP Address" when looking at the Server details in the Infoblox Portal). i.e. the public IP that the DFP is source NAT'd behind.
  
 You can check what IP the service sees by testing against Google. You can check what IP the service sees by testing against Google.
-<code>dig @<IP OF DFP or local DNS server>+short TXT o-o.myaddr.l.google.com</code>+<code>dig @<IP_OF_DFP_or_local_DNS_server> +short TXT o-o.myaddr.l.google.com</code>
  
  
Line 29: Line 29:
  
 There is a performance impact on the cache layer due to the overload of the domains in the ECS list. End users shouldn’t really care/know about that. There is a performance impact on the cache layer due to the overload of the domains in the ECS list. End users shouldn’t really care/know about that.
 +
 +===== NIOS-XaaS =====
 +When using NIOS-XaaS, if you have DNS and DFP and enable Geolocation, the target will get the source IP of the DFP POP and the EDNS0 subnet of the XaaS POP.
 +
 +This is because when you query the XaaS DNS server, it then forwards to the Threat Defense POP.
  
 ===== Testing ===== ===== Testing =====
Line 52: Line 57:
 "13.42.84.27"</code> "13.42.84.27"</code>
 In the example above,13.42.84.27 is the IP of Infoblox Threat Defense egress IP from its London POP in 2025 and 54.56.57.0/24 is an example of the public IP of the next that the test was actually run on. This shows that Infoblox Threat Defense took the public subnet and included it in the query to Google. In the example above,13.42.84.27 is the IP of Infoblox Threat Defense egress IP from its London POP in 2025 and 54.56.57.0/24 is an example of the public IP of the next that the test was actually run on. This shows that Infoblox Threat Defense took the public subnet and included it in the query to Google.
 +
 +However, if you disable geo-location but then add subnet data to your query (e.g. +subnet=10.10.10.0/24 when using the dig command), then the subnet is copied when querying domains on the GeoLocation list (albeit that the /24 is converted to a /32. e.g. 10.10.10.0/32). Difficult to determine if this is true for other domains as well.
 +
 +If geolocation is enabled and you use +subnet, then you value is copied and Threat Defense will not add your actual public IP.
infoblox_threat_defense/geolocation.1739735367.txt.gz · Last modified: by bstafford