
NIOS ADP

ADP Deployment Guide

ADP Tuning

Bear in mind that “Advanced DNS Protection” as a licence also protects the following protocols:

  • DNS
  • DHCP
  • NTP
  • ICMP
  • BGP
  • OSPF

Also remember that ADP can be used for internal-facing DNS. This is rare, but some massive organisations do use it like that.

show adp monitor-mode
set adp-monitor-mode off

When running ADP on the Grid, to download the latest updates, the Grid Master needs to resolve and access https://ts.infoblox.com on tcp-443. You may need to configure the proxy settings in the Grid and you may need to disable TLS inspection on the proxy.

Licence

  • SW_TP = Threat Protection
  • TP_SUB = Threat Protection Update

You cannot install TP_SUB without already having SW_TP installed.

Enable ADP

Remember, installing the ADP licence (“Threat Protection (Software add-on) license”) will reboot the member.

Remember, enabling the ADP service (“Threat Protection”) on a member will cause the member to reboot.

Remember, you cannot enable ADP on a GM or GMC.

Remember, the DNS member running ADP must be using the MGMT interface.

Remember, after enabling DoH and/or DoT, you must manually reboot the member.

Remember, the options to enable DoT and DoH are only visible if the member has enough memory allocated (Data Management > DNS > Members > Properties > Queries > Advanced).

Remember, to install the ADP licence and the ADP update licence, the NIOS appliance must have enough CPU/RAM:

NIOS Appliance   vCPU   Memory
TE-v1415         4      32GB
TE-v1425         4      32GB
TE-v2215         16     64GB
TE-v2225         16     64GB
TE-v4015         28     128GB
TE-v4025         28     128GB
TE-v926          8      32GB
TE-v1516         12     64GB
TE-v1526         16     64GB
TE-v2326         20     192GB
TE-v4126         32     284GB

Test ADP

Use a CHAOS query to ask for the running version of BIND. That will trigger a reconnaissance rule, and the member logs a CEF event like the one shown after the command:

dig @adp.infobloxtest.local CH TXT version.bind
CEF:0|Infoblox|NIOS Threat|8.6.2-49947-c076333333a0|110100200|EARLY DROP UDP DNS named version attempts|8|src=**** spt=63141 dst=**** dpt=53 act="DROP" cat="Reconnaissance" nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=1
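
To confirm the test from the syslog side, the CEF event above can be parsed and checked for the expected action, category and FQDN. This is an added example, not part of the original page or of Infoblox's tooling; the function names are hypothetical, and it assumes extension values are either double-quoted or contain no spaces, as in the event above.

```python
import re

# The event from this page, addresses masked as in the original.
PAGE_EVENT = ('CEF:0|Infoblox|NIOS Threat|8.6.2-49947-c076333333a0|110100200|'
              'EARLY DROP UDP DNS named version attempts|8|src=**** spt=63141 '
              'dst=**** dpt=53 act="DROP" cat="Reconnaissance" nat=0 nfpt=0 '
              'nlpt=0 fqdn=version.bind hit_count=1')

# CEF header: seven pipe-delimited fields, followed by key=value extensions.
HEADER = ("cef_version", "vendor", "product", "device_version",
          "rule_id", "name", "severity")
# Assumption: values are double-quoted or contain no spaces, as above.
EXT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
INT_FIELDS = ("severity", "spt", "dpt", "hit_count")


def parse_adp_cef(line):
    """Parse one CEF event (with or without a syslog prefix) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker in line")
    # Split on unescaped pipes; the eighth piece is the extension block.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    for key, value in EXT_RE.findall(parts[7]):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip the surrounding quotes
        event[key] = value
    for key in INT_FIELDS:
        if event.get(key, "").isdigit():
            event[key] = int(event[key])
    return event


def confirms_adp_test(event, fqdn="version.bind"):
    """True if the event is a dropped reconnaissance hit for the test query."""
    return (event.get("vendor") == "Infoblox"
            and event.get("act") == "DROP"
            and event.get("cat") == "Reconnaissance"
            and event.get("fqdn", "").lower().rstrip(".") == fqdn)


if __name__ == "__main__":
    ev = parse_adp_cef(PAGE_EVENT)
    print(ev["rule_id"], ev["name"], "->", confirms_adp_test(ev))
```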

DoH

To test DoH on a Linux client, this page is a useful guide. I had to use a proper certificate (Let's Encrypt) to get it to work. I put the HTTPS cert on the DoH member of the Infoblox Grid and also imported the intermediate and root certificates into the Grid.

infoblox_nios/adp.1718567026.txt.gz · Last modified: by bstafford