NIOS ADP

To ensure proper performance, ADP locks two CPU cores exclusively to processing network traffic; they are not available to the other services on the member.

Bear in mind that the “Advanced DNS Protection” licence also protects the following protocols:

Also remember that ADP can be used for internal-facing DNS. This is rare, but some very large organisations do deploy it that way.

ADP monitor mode (rule hits are logged but the traffic is not dropped) is checked and toggled from the CLI:

show adp monitor-mode
set adp-monitor-mode off

When running ADP on the Grid, the Grid Master must be able to resolve and reach https://ts.infoblox.com on TCP 443 to download the latest rule updates. If the Grid Master has no direct Internet access, configure the proxy settings in the Grid. If the proxy performs TLS inspection, exempt ts.infoblox.com from it: the appliance validates the ts.infoblox.com certificate and will not trust the proxy's re-signed one, so the update download fails.

Licence

You cannot install TP_SUB (the threat protection update subscription licence) without already having SW_TP (the Threat Protection software add-on licence) installed.

You cannot install ADP on a NIOS appliance that has the MS Management license installed.

Enable Accelerated Networking

Accelerated Networking (sometimes called 'fast-path') is not enabled on the MGMT interfaces of appliances deployed with NIOS 9.0.5 or later. Older appliances upgraded to NIOS 9.0.5 keep it enabled.

From 9.0.5 onward it can be enabled or disabled on the MGMT interface manually:

set mgmt_exclusion_from_fastpath <on|off>

Note the inverted sense of the setting: exclusion "on" means accelerated networking is off on MGMT.

Ideally, leave accelerated networking disabled on MGMT. With MGMT excluded from the fast-path, SSH to the MGMT address reaches the appliance without going through accelerated networking, so management access stays independent of the ADP data path.

Remember, DoH cannot run on MGMT. DoT can run on MGMT if, and only if, accelerated networking is enabled on MGMT.

Enable ADP

Remember, the option to install the ADP licence is not available until the appliance has the correct resources (RAM/CPU) allocated. See the table below for the RAM/CPU that needs to be allocated per model of NIOS appliance.

Remember, installing ADP licence (“Threat Protection (Software add-on) license”) will reboot the member.

Remember, enabling the ADP service (“Threat Protection”) on a member will cause the member to reboot.

Remember, you cannot enable ADP on the Grid Master (GM) or a Grid Master Candidate (GMC).

Remember, the DNS member running ADP must be using the MGMT interface.

Remember, after enabling DoH and/or DoT, you must manually reboot the member.

Remember, the option to enable DoT and enable DoH is only visible if the member has enough memory allocated (Data Management > DNS > Members > Properties > Queries > Advanced)

Remember, to install the ADP licence and the ADP update licence, the NIOS appliance must have enough CPU/RAM.

NIOS appliance   vCPU   Memory
TE-v1415            4    32GB
TE-v1425            4    32GB
TE-v2215           16    64GB
TE-v2225           16    64GB
TE-v4015           28   128GB
TE-v4025           28   128GB
TE-v926             8    32GB
TE-v1516           12    64GB
TE-v1526           16    64GB
TE-v2326           20   192GB
TE-v4126           32   284GB

Test ADP

Use a CHAOS-class TXT query for version.bind (the running BIND version string). ADP classifies this as reconnaissance and drops the packet, so dig reports a timeout rather than a version, and the member logs a CEF event like the one below:

dig @adp.infobloxtest.local CH TXT version.bind
CEF:0|Infoblox|NIOS Threat|8.6.2-49947-c076333333a0|110100200|EARLY DROP UDP DNS named version attempts|8|src=**** spt=63141 dst=**** dpt=53 act="DROP" cat="Reconnaissance" nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=1
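The CEF record above is what ADP hands to syslog, so the practical check is being able to parse it and spot a source that keeps tripping rules. The following is an added example written for this page, not Infoblox code: a small CEF parser and a per-source drop counter. The first sample line is the version.bind hit from the page with its masked addresses replaced by RFC 5737 documentation addresses; the other lines (a syslog-prefixed copy, a louder scanner, a plain BIND log line) are constructed for the demo.

```python
"""Parse Infoblox ADP threat events (CEF over syslog) and flag noisy sources.

Added example, not Infoblox code. Sample lines are constructed: the first is
the page's version.bind hit with RFC 5737 addresses in place of the masked ones.
"""
import re
from dataclasses import dataclass

_RULE = ("CEF:0|Infoblox|NIOS Threat|8.6.2-49947-c076333333a0|110100200|"
         "EARLY DROP UDP DNS named version attempts|8|")

SAMPLE_LINES = [
    _RULE + 'src=192.0.2.10 spt=63141 dst=192.0.2.53 dpt=53 act="DROP" cat="Reconnaissance" '
            'nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=1',
    # same rule and source, as it arrives with a syslog prefix before the CEF record
    "Jan  1 00:00:00 nios-adp1 " + _RULE + 'src=192.0.2.10 spt=40001 dst=192.0.2.53 dpt=53 '
            'act="DROP" cat="Reconnaissance" nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=4',
    # a louder scanner from another address
    _RULE + 'src=198.51.100.7 spt=55012 dst=192.0.2.53 dpt=53 act="DROP" cat="Reconnaissance" '
            'nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=25',
    # ordinary BIND log line with no CEF payload; the parser must skip it
    "Jan  1 00:00:01 nios-adp1 named[2345]: zone example.test/IN: loaded serial 1",
]


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    ext: dict


_HEADER_SPLIT = re.compile(r"(?<!\\)\|")     # '|' not preceded by a backslash
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")       # 'key=' at start or after whitespace


def _unescape(text):
    """Undo the CEF escapes for pipe, equals and backslash."""
    return text.replace(r"\|", "|").replace(r"\=", "=").replace("\\\\", "\\")


def parse_extension(ext):
    """Split 'k1=v1 k2="v 2"' into a dict; a value runs until the next key= token."""
    out = {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                  # ADP quotes act= and cat=
        out[m.group(1)] = _unescape(value)
    return out


def parse_cef(line):
    """Parse one CEF record; tolerates a syslog prefix before 'CEF:'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = _HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    version = parts[0][len("CEF:"):]
    vendor, product, dev_ver, sig_id, name, severity = (_unescape(p) for p in parts[1:7])
    return CefEvent(version, vendor, product, dev_ver, sig_id, name,
                    int(severity), parse_extension(parts[7]))


def iter_events(lines):
    """Yield parsed events for the lines that carry a CEF record, skipping the rest."""
    for line in lines:
        if "CEF:" in line:
            yield parse_cef(line)


def drops_per_source(events):
    """Sum hit_count of DROP actions per source address."""
    totals = {}
    for ev in events:
        if ev.ext.get("act") == "DROP":
            src = ev.ext.get("src", "?")
            totals[src] = totals.get(src, 0) + int(ev.ext.get("hit_count", "1"))
    return totals


def noisy_sources(events, threshold):
    """Sources whose dropped hits exceed threshold, loudest first."""
    totals = drops_per_source(events)
    return sorted((s for s, n in totals.items() if n > threshold), key=lambda s: -totals[s])


if __name__ == "__main__":
    events = list(iter_events(SAMPLE_LINES))
    for ev in events:
        print(ev.signature_id, ev.ext["cat"], ev.ext["src"], "->", ev.ext["fqdn"], ev.ext["act"])
    print("noisy:", noisy_sources(events, threshold=10))
```

Feed it the syslog export from the member (or a SIEM extract) instead of SAMPLE_LINES; the act= field is also the quickest way to confirm whether the member is dropping or merely logging after a monitor-mode change.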

Another example log where we block a specific domain from being resolved.

DoH

To test DoH from a Linux client, this page is a useful guide. I had to use a properly trusted certificate (Let's Encrypt) to get it to work: I installed the HTTPS certificate on the DoH member of the Infoblox Grid and also imported the intermediate and root certificates into the Grid.
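For a client-side test that does not depend on a particular distribution's resolver, the following added example (written for this page; not from the guide linked above nor from Infoblox) is a minimal RFC 8484 DoH client in Python. It builds the DNS wire-format query, sends it with the GET form, and decodes the answer. It assumes the DoH member answers at the /dns-query path on the test hostname from the dig example above (the path is an assumption) and leaves certificate verification on, which is exactly where an untrusted certificate fails.

```python
"""Minimal RFC 8484 DoH test client (added example; not from the page or Infoblox).

Assumed: the member serves DoH at DOH_URL below (path made up here) and presents
a certificate the client's trust store accepts; verification is deliberately on.
"""
import base64
import socket
import ssl
import struct
import sys
import urllib.request

DOH_URL = "https://adp.infobloxtest.local/dns-query"   # assumed endpoint
QTYPES = {"A": 1, "TXT": 16, "AAAA": 28}


def encode_name(name):
    """Encode 'www.example.test' as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A"):
    """DNS message with ID 0 (RFC 8484 4.1, so GET responses cache) and RD set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def doh_get_url(base_url, query):
    """GET form: the message goes base64url-encoded, no padding, in the 'dns' parameter."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={dns}"


def _read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 32:
                raise ValueError("pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg):
    """Return (rcode, [(name, type, ttl, rdata-as-text), ...]) from a DNS reply."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            text = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28:
            text = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return rcode, answers


def resolve(name, qtype="A", url=DOH_URL):
    """Send the query over HTTPS; the server certificate is checked against the system trust store."""
    req = urllib.request.Request(doh_get_url(url, build_query(name, qtype)),
                                 headers={"Accept": "application/dns-message"})
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        if resp.headers.get("Content-Type") != "application/dns-message":
            raise ValueError("unexpected content type from DoH server")
        return parse_response(resp.read())


if __name__ == "__main__":
    print(resolve(sys.argv[1] if len(sys.argv) > 1 else "www.example.test"))
```

Run it as `python3 doh_test.py www.example.test`. If the member still has a self-signed or otherwise untrusted certificate, urlopen raises ssl.SSLCertVerificationError before any DNS is exchanged, which is the failure the certificate note above is about; fix the chain on the member rather than disabling verification in the client.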