DFP = DNS Forward Proxy

On NIOS, you don't have to put a domain into “Internal domains” for NIOS DFP to recognize a record for a forward zone. Just creating the forward zone in NIOS is enough for NIOS to forward as required without bothering the DFP. If you put block lists on the cloud security policy for zones that NIOS forwards to, the security policies won't do anything as they are not consulted by NIOS.

DFP will maintain a management channel network session to BloxOne cloud. It will also maintain a separate DNS resolution channel (DNS-over-TLS on TCP-443). The management channel may be closed when not needed. DFP will try to keep the DNS resolution channel open but this isn't guaranteed.

NOTE: If you connect NIOS to CSP and enable DFP, if you then “reset all license” and re-configure the NIOS box, it will auto-reconnect to CSP and auto-reconnect the DFP service (i.e. the join token survives the reset and license deletion)

Local On-Prem Resolution is supported for XaaS running Threat Defense. Both the security logs and the DNS logs will be visible in the Infoblox Portal. NIOS-X with “Local On-Prem Resolution” will only show Security Logs in Infoblox Portal.

Local On-Prem Resolution only works for NIOS-X and NIOS-XaaS. It does not work on NIOS nor Endpoint nor DoH nor External Networks. If you include any of these in any security policy that has “Local On-Prem Resolution”, that functionality is just ignored on those platforms.

If you have DFP enabled on NIOS, then if you log onto NIOS CLI and make a dig command directed at a specific server (e.g. 8.8.8.8), then DFP will be bypassed. This allows you to test latency to other servers without interrupting DFP.

Also see Forwarding with DFP. Also see this page for information on what happens when Add/Copy is enabled but DFP is not running.

In NIOS you can configure global forwarders and set “Add” or “Copy” source IP. This feature is for forwarding only. It will not apply when (if) NIOS reverts to recursing using root hints.

If you are forwarding from NIOS to NIOS with DFP, the original NIOS must have “Add” at least and the DFP NIOS must have “Copy” enabled.

If both Add and Copy are both ticked, Copy trumps add (i.e. if there is anything to copy, 'add' is not run as an action. If there is nothing to copy, add will run as an action).

To get the DHCP/IPAM metadata merged with DFP reports, you have to configure Data Connector with log type - “DHCP lease/IPAM Metadata” to pull the data from NIOS and merge it with DFP reports.

Remember, Threat Defense Endpoint and the DFP on the NIOS-X servers both query the Infoblox Threat Defense cloud using DoT (NOT DoH). However, they make the query over the non-standard port tcp-443. tcp-443 is normally used by DoH and tcp-853 is normally used but DoT. Not in this case. This traffic cannot be decrypted or the session will break.

+ednsopt=65523:0a0a0a0a

This is 10.10.10.10 encoded as 0a0a0a0a

BloxOne accepts custom headers:

• 65522 - Site ID
• 65523 - Source IP
• 65524 - Source MAC address
• 65525 - ? (36adae19 converts to number which converts to 917351961 which converts to 54.173.174.25)
• 65526 - DNS View

Just convert from ASCII to HEX and numbers to HEX (remove the . from IP and : from MAC)

• Source = 10.10.10.10
• DNSView = prod
• MAC = ab:cd:ef:12:34:56
• dig example.com @52.119.40.100 +ednsopt=65523:0a0a0a0a +ednsopt=65526:70726F64 +ednsopt=65524:616263646566313233343536

Example: Option 65523 with value c0a8634e (Hex) converts to 3232260942 (Decimal) which converts to 192.168.99.78.

• Decimal to Hex is here)
• IP to Decimal is here

When forwarding to internal domains, subnet data is not included by DFP unless it is already in the packet when it is sent to DFP. i.e. DFP will copy any existing EDNS0 data when forwarding internally but will not add anything. The status of the GeoLocation setting is irrelevant as it only applied to traffic passing through the Infoblox cloud.

Onprem Policy Cache (OPC) is what is used to block tunneling on DFP.

DNS forwarding proxy can process up to 10,000 concurrent DNS queries. If this limit is exceeded, the client will receive a DNS response with the response code SERVFAIL. (Documentation)

DNS forwarding proxy can serve multiple DNS queries through a single TCP connection sequentially: that is, by handling one DNS query at a time. However, if a client sends multiple queries simultaneously, the DNS forwarding proxy can establish more than one connection. The maximum number of TCP connections is tied to the maximum allowed number of concurrent DNS queries: 10,000.

DNS forwarding proxy can serve multiple DNS queries through a single TCP connection sequentially: that is, by handling one DNS query at a time. However, if a client sends multiple queries simultaneously, the DNS forwarding proxy can establish more than one connection. The maximum number of TCP connections is tied to the maximum allowed number of concurrent DNS queries: 10,000.

NIOS 8.5.4 DFP still connects to CSP as of Jan 2025.

The NIOS DFP process (Docker container) needs to resolve certain FQDN's in order to connect to cloud. The DFP process does not use NIOS configuration to choose which DNS server to use for recursion. That is a specific configuration option for DFP specified under Grid Properties > CSP Config > CSP Resolver. e.g.

• app.noa.infoblox.com
• cp.app.noa.infoblox.com
• csp.infoblox.com

NOTE: Don't set CSP Config (specifically, the Join Token) at a Grid level. That will cause all members of the Grid to join the CSP. Set it at a member level as you will likely only need GM/GMC and DNS servers to connect.

To configure DFP, you must first join the NIOS member to the CSP by adding a join token to Grid Properties > CSP Config > CSP Resolver. If the member cannot access the BloxOne Anycast DNS to resolve BloxOne domains, update the value of CSP Resolver (e.g. to the local DNS resolver if required).

DFP is a separate CoreDNS docker image that is separate to BIND. When enabled, DFP will run on 127.0.0.1:1024 and will add the following two lines to the BIND config. (replacing existing config if those lines already exist (e.g. forwarding to 8.8.8.8)

forward only;
forwarders { 127.0.0.1 port 1024; };

or (depending on whether Fallback to the default resolution process if Infoblox Threat Defense Cloud does not respond is enabled in NIOS DFP UI Config. See below for more details)

forward first;
forwarders { 127.0.0.1 port 1024; };

If, and only if, you have enabled Fallback to the default resolution process if Infoblox Threat Defense Cloud does not respond, then “forward first” is set. Keep in mind that while DFP is “HEALTHY” and BIND configuration has “forwarders { 127.0.0.1 port 1024; };” configured, it doesn't matter whether or not NIOS has global forwarders configured. Since DFP is HEALTHY, it means that the BIND configuration for forwarding/root hints recursion is overridden. Even if you have global forwarders and “forward only” configured in BIND, DFP being enabled means that is ignored. This means that DFP “fallback” will ALWAYS use root hints recursion because the global forwarding command configured in NIOS isn't readable while DFP is healthy.

If the DFP on NIOS cannot access the four Threat Defense Anycast IP addresses, it will take about a minute to detect the failure. It will then remove the two lines of config (restoring original config if applicable; such as forwarding to 8.8.8.8) above from BIND and restart BIND to use local resolution configuration. During the BIND restart, DNS is also non-responsive. While BIND is being used locally for DNS, the DFP continues to monitor the Threat Defense Anycast IP addresses. When it determines that Threat Defense Anycast DNS is available once more, it will restart BIND to redirect queries to the cloud. The restart time on BIND will cause a DNS downtime for the network. This means that the failure>back-up time is over a minute while the back-up>normal DFP time is a few seconds.

Remember, if the DFP has been configured to forward to a GEO IP, this will also be tested.

During failure, DFP will re-test the Anycast DNS every five seconds. However, it doesn't seem to be consistent in “which” of the four Anycast IP addresses it tests.

If the local NIOS is told to use forwarders but NOT “only forwards” (i.e. forward first), then if you block the forwarder, all queries slow down as the NIOS still seems to try the forwarder each time. Wait and try something not in cache. (several seconds to resolve DNS),

Note that blocking access to Threat Defense Anycast IP address doesn't stop the DFP talking to CSP for MGMT (see NIOS Firewall Rules) assuming that the “Infoblox Portal” configuration of the Grid or Member is not dependent on the Anycast IP address. The MGMT bit in Infoblox cloud runs on a separate set of IP addresses/domains.

Note, in CSP you can configure Internal Domains on the DFP service. If configured, these will be applied to NIOS. This is in addition to any forward-forward zones configured in NIOS. The order is

Client Query > DTC > RPZ > NIOS Conditional Forwarder > DFP Internal Domain Forwarder > Infoblox Cloud

This means that if NIOS has a conditional forwarder to a domain that the CSP has configured as an internal domain, the NIOS configured take priority over whatever Internal Domain forwarding is configured in CSP. This allows for more flexibility in which internal domains get forwarded to where.

When configuring internal domains for DFP in CSP, remember, if applying to NIOS and if NIOS has DNSSEC validation enabled, you must add the internal domains to the negative trust anchor list in the NIOS configuration. interestingly, the DNSKEY/DS queries for internal domain that NIOS appliances receive will be forwarded to the DFP. So local conditional forwarder is ignored for DNSSEC queries (DNSKEY/DS) even with “use forwarders only” on the conditional forwarder.

Note, in CSP you can configure “Fallback Resolver” (External Resolver if you are a federal customer) but NIOS will ignore it and use its own fallback if configured in Grid or member DNS settings (i.e. root hints or, if configured, global forwarder).

If you have the Fallback to the default resolution process if Infoblox Threat Defense Cloud does not respond option enabled in the NIOS DFP properties then if DFP returns a SERVFAIL to NIOS, NIOS will use root hints to try and resolve (if global forwarders are configured, they are ignored). You should NOT enable this feature if you also have DNSSEC validation and Trust Anchors enabled on NIOS. The reason is that an attacker may force a SERVFAIL for queries for a domain they own that come from Infoblox Cloud IP addresses. This forces NIOS to resolve the traffic locally because it can't tell the difference between SERVFAIL because the cloud is unavailable and SERVFAIL because DNSSEC validation failed for the query.

When you enable Fallback to the default resolution process if Infoblox Threat Defense Cloud does not respond, then the BIND configuration is updated (without requiring a BIND restart) from forward only

...
	forward only;
	forwarders { 127.0.0.1 port 1024; };
...

to forward first.

...
	forward first;
	forwarders { 127.0.0.1 port 1024; };
...

Note, if NIOS is using DFP (rather than “direct global forwarding” to the TD Anycast IP addresses - which isn't recommended), and if the CSP applies a “redirect” to a query because it matched a security policy rule with “Redirect” as the action, and if the query is for a domain that has DNSSEC validation enabled, and if NIOS has DNSSEC validation enabled AND has Trust Anchors enabled, then the query will fail with SERVFAIL. This is because if NIOS has DNSSEC validation enabled AND has Trust Anchors enabled, then NIOS will try and run DNSSEC validation on the answer it gets back from DFP by using root hints. NIOS will use root hints for DNSSEC validation regardless of the DFP config.

Assuming DFP is healthy:

• DNSEC Disabled (no trust anchors). Fallback Disabled. - IP answer and no log in Portal. 630 msec to resolve

DNSEC Enabled (no trust anchors). Fallback Disabled. - SERVFAIL and also SERVFAIL log in Portal. 532 msec to resolve. Response cached locally for about 5 seconds.

• DNSEC Enabled (no trust anchors). Fallback Enabled. - IP answer and no log in Portal. 630 msec to resolve
• DNSEC Disabled (no trust anchors). Fallback Enabled. - IP answer and no log in Portal. 630 msec to resolve

If a NIOS member is HA, make sure to add both nodes of the member to CSP and to enable a DFP service for BOTH nodes. If you don't, only the node with the DFP service can use DFP. If that node is becomes passive, then the active node will process DNS without DFP. WARNING: be sure to be careful when naming the host instances in the Infoblox Portal. Match the serial numbers to the actual NIOS serial numbers to make sure you don't mix up node A and node B as that just leads to confusion down the line.

When using DFP, NIOS uses the LAN1 port to establish DoT on TCP-443 to Infoblox Anycast. This is true EVEN IF THE NIOS is HA. NIOS will not use the HA VIP for TCP-443. However, any plaintext queries will come from the HA VIP.

During HA failover, queries dropped for about 15 seconds in my lab.

Internal Domains configured in CSP are only honoured if “Internal Resolver” is configured in DFP service instance of the NIOS appliance in the CSP. Ideally, internal domains hitting NIOS should be processed by native “conditional fowarders” in NIOS rather than being processed by DFP.

When you join a NIOS member to the CSP, it may take 5-10 minutes to register fully.

“Local On-Prem Resolution” in security policy only applies to DFP on NIOS-X. Not DFP on NIOS. Not Infoblox Endpoint. Not External Networks.

When you run a file of dig queries against a NIOS DFP, if you stop and start again, you get responses from cache. If you have two NIOS-X DFP only servers and run one against the first DFP and then run the same against the second DFP, the DNS auth server gets both messages. This indicates the cache is in local NIOS itself.

If you have an IPAM based security policy in DFP (or local RPZ configured based on source IP), cache may will allow a client to bypass the security policy. If Client A is blocked from resolving example.com, then if Client B resolves example.com, it will be in cache and, while still in cache, Client A can resolve example.com. You can work around this by updating that NIOS member running DFP with a Max Cache TTL of something short (e.g. 1 second). This is done in the NIOS UI > Data Management > DNS > Members/Servers > Edit Member > General > Advanced > Max Cache TTL set value to 0.

Once the NIOS DFP realises that it can't reach the BloxOne Anycast DNS, it will generate the following RED message in the NIOS GUI:

NIOS/DFP Service has failed. Cloud/DFP is unhealthy.

And the following error in SYSLOG

• Facility = user
• Level = ALERT
• Server = monitor[1145192]
• Message = Type: DFP, State: Red, Event: NIOS/DFP Service has failed. Cloud/DFP is unhealthy. state change from 140 to 141

Once the NIOS DFP starts, it generates log

NIOS/DFP Service is starting. Cloud/DFP is healthy. state changes from 141 to 143

And the following error in SYSLOG

• Facility = user
• Level = ERROR
• Server = monitor[8704]
• Message = Type: DFP, State: Yellow, Event: NIOS/DFP Service is starting. Cloud/DFP is healthy. state changes from 141 to 143

NOTE: There doesn't seem to be a syslog for when the fail-back-to-DFP action takes place

If you have LAN2 connected to Internet and you have LAN1 connected to internal network, and if LAN1 does not have internet access, you will need to add static routes to a NIOS appliance to get DFP working correctly. Specifically,

• 52.119.40.100/32
• 52.119.41.100/32
• 103.80.5.100/32
• 103.80.6.100/32
• 3.209.116.255/32
• 3.210.226.54/32
• 3.212.42.44/32
• 3.214.29.106/32
• 3.214.194.152/32
• 3.213.214.20/32
• 18.209.243.220/32
• 18.233.189.178/32
• 18.235.149.1/32

Palo Alto Networks Prisma Access DNS Proxy can be configured to use Infoblox B1TD public IP for external DNS recursion.