NIOS ADP
Bear in mind that “Advanced DNS Protection” as a licence also protects the following protocols:
- DNS
- DHCP
- NTP
- ICMP
- BGP
- OSPF
Also remember that ADP can be used for internal-facing DNS. Rare, but some massive organisations do use it like that.
show adp monitor-mode
set adp-monitor-mode off
When running ADP on the Grid, the Grid Master needs to resolve and reach https://ts.infoblox.com on TCP/443 to download the latest updates. You may need to configure the proxy settings in the Grid, and you may need to disable TLS inspection on the proxy for that destination.
Licence
- SW_TP = Threat Protection
- TP_SUB = Threat Protection Update
You cannot install TP_SUB without already having SW_TP installed.
You cannot install ADP on a NIOS appliance that has the MS Management license installed.
Enable ADP
Remember, the option to install the ADP licence is not available until the appliance has the correct resources (RAM/CPU) allocated. See the table below for the RAM/CPU that needs to be allocated per model of NIOS appliance.
Remember, installing the ADP licence (“Threat Protection (Software add-on) license”) will reboot the member.
Remember, enabling the ADP service (“Threat Protection”) on a member will cause the member to reboot.
Remember, you cannot enable ADP on a GM or GMC.
Remember, the DNS member running ADP must be using the MGMT interface.
Remember, after enabling DoH and/or DoT, you must manually reboot the member.
Remember, the option to enable DoT and enable DoH is only visible if the member has enough memory allocated (Data Management > DNS > Members > Properties > Queries > Advanced)
Remember, to install the ADP licence and the ADP update licence, the NIOS appliance must have enough CPU/RAM:
| NIOS Appliance | vCPU | Memory |
|---|---|---|
| TE-v1415 | 4 | 32GB |
| TE-v1425 | 4 | 32GB |
| TE-v2215 | 16 | 64GB |
| TE-v2225 | 16 | 64GB |
| TE-v4015 | 28 | 128GB |
| TE-v4025 | 28 | 128GB |
| TE-v926 | 8 | 32GB |
| TE-v1516 | 12 | 64GB |
| TE-v1526 | 16 | 64GB |
| TE-v2326 | 20 | 192GB |
| TE-v4126 | 32 | 284GB |
Test ADP
Use a CHAOS query to ask for the running version of BIND. That will trigger a reconnaissance rule, and ADP logs the hit as a CEF event like the one below:
dig @adp.infobloxtest.local CH TXT version.bind
CEF:0|Infoblox|NIOS Threat|8.6.2-49947-c076333333a0|110100200|EARLY DROP UDP DNS named version attempts|8|src=**** spt=63141 dst=**** dpt=53 act="DROP" cat="Reconnaissance" nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=1
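As an added example (not part of the original page or Infoblox's own tooling), a small Python parser for NIOS Threat CEF events in the shape shown above, used to pull out dropped Reconnaissance hits and total them per client. The sample syslog lines, addresses and hit counts are constructed.

```python
import re
from typing import Dict, List

# CEF header: seven pipe-separated fields, then the extension (escaped \| in names not handled).
CEF_HEADER = re.compile(
    r"^CEF:(?P<version>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<dev_version>[^|]*)\|"
    r"(?P<sig_id>[^|]*)\|(?P<name>[^|]*)\|(?P<severity>[^|]*)\|(?P<ext>.*)$"
)
# Extension: whitespace-separated key=value pairs; NIOS double-quotes the act= and cat= values.
EXT_PAIR = re.compile(r'(\w+)=("[^"]*"|\S*)')

def parse_cef(line: str) -> Dict[str, str]:
    """Split one NIOS Threat CEF line into header fields plus extension key/values."""
    m = CEF_HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a CEF line: {line[:40]!r}")
    event = {k: v for k, v in m.groupdict().items() if k != "ext"}
    for key, value in EXT_PAIR.findall(m.group("ext")):
        event[key] = value.strip('"')
    return event

def recon_drops(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only events where ADP dropped a query classified as Reconnaissance."""
    hits = []
    for line in lines:
        try:
            ev = parse_cef(line)
        except ValueError:
            continue  # ordinary named/syslog lines are interleaved with CEF events; skip them
        if ev.get("act") == "DROP" and ev.get("cat") == "Reconnaissance":
            hits.append(ev)
    return hits

def recon_sources(lines: List[str]) -> Dict[str, int]:
    """Sum hit_count per source address so probing clients stand out."""
    totals: Dict[str, int] = {}
    for ev in recon_drops(lines):
        totals[ev["src"]] = totals.get(ev["src"], 0) + int(ev.get("hit_count", "1"))
    return totals

# Constructed sample syslog lines (RFC 5737 addresses), modelled on the event shape shown above.
SAMPLE_LOG = [
    'CEF:0|Infoblox|NIOS Threat|8.6.2-49947-c076333333a0|110100200|EARLY DROP UDP DNS named version attempts|8|'
    'src=192.0.2.10 spt=63141 dst=198.51.100.5 dpt=53 act="DROP" cat="Reconnaissance" nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=1',
    'CEF:0|Infoblox|NIOS Threat|8.6.2-49947-c076333333a0|110100200|EARLY DROP UDP DNS named version attempts|8|'
    'src=192.0.2.10 spt=40021 dst=198.51.100.5 dpt=53 act="DROP" cat="Reconnaissance" nat=0 nfpt=0 nlpt=0 fqdn=version.bind hit_count=3',
    'named[1234]: client 192.0.2.77#5300: query: www.example.com IN A + (198.51.100.5)',  # not a CEF event
]
```

Feed it the member's syslog export and `recon_sources` gives the per-client total of dropped version.bind probes; the non-CEF line shows the skip path.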
DoH
To test DoH on a Linux client, this page is a useful guide. I had to use a proper certificate (Let's Encrypt) to get it to work. I put the HTTPS cert on the DoH member of the Infoblox Grid and also imported the intermediate and root certificates into the Grid.
