BloxOne Geolocation
Geolocation service providers such as Google, Infoblox, etc., will only forward ECS data to an authoritative DNS server if the domain being queried is in the list of ECS zones.
- For Infoblox, this list is mostly services such as Google, YouTube, SalesForce, Netskope, etc. Microsoft doesn't support ECS.
- Infoblox forwards the /24 when forwarding ECS data.
- When using a BloxOne Endpoint, the public IP is the one that BloxOne Cloud sees as the source IP, i.e. the public IP that the BloxOne Endpoint is source NAT'd behind.
- When using an External Network, the public IP is the External Network being used.
- When using a DFP, the public IP used is the public IP that BloxOne has associated with that DFP, i.e. the public IP that the DFP is source NAT'd behind.
Geolocation support uses the EDNS0 ECS (EDNS Client Subnet) option to pass the public /24 subnet of your IP address to a third-party DNS server. This allows ECS-enabled third-party DNS servers to provide appropriate answers based on the geolocation of the source user and direct users to the closest instance of the DNS record being queried.
BloxOne Threat Defense provides the option of enabling or disabling geolocation on a per-policy basis, which means the geolocation configuration affects the entire network scope configured for a specific policy. Enabling geolocation for a security policy exposes the public /24 subnet of a DFP, External Network or BloxOne Endpoint to the authoritative DNS server. If you do not want to expose the public /24 subnet to external DNS name servers, do not enable geolocation when you configure a security policy. Geolocation is disabled by default, and new policies will inherit the geolocation configuration of the default policy.
Note: Infoblox maintains a list of domains that support geolocation-based responses. BloxOne Threat Defense will only forward public /24 subnet ECS data to domains that are on this list. Queries for domains that are not on this list will not have ECS data forwarded regardless of whether geolocation is enabled or not. If you encounter issues while configuring geolocation, contact Infoblox Technical Support.
Most domains don't support ECS (i.e. the domain's authoritative server does not support ECS). From a security perspective, it is not a good idea to share ECS data with everyone, including malicious actors.
There is a performance impact on the cache layer due to the extra load from the domains in the ECS list. End users shouldn't really need to care about or notice that.
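The ECS behaviour described above (the option is attached only for domains in the ECS zone list, and it carries only the public /24) as an added Python example. This is not BloxOne's or Infoblox's code; the ECS_ZONES set is a constructed sample, not Infoblox's real list, and the function names are assumptions. It encodes and decodes the EDNS0 Client Subnet option wire format from RFC 7871, and goes slightly beyond the page by also handling IPv6 clients with a /56 prefix (the RFC's recommended length, assumed here).

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS0 option code for Client Subnet (RFC 7871)

# Constructed sample of zones whose auth servers accept ECS.
# This is NOT Infoblox's actual list; it only mirrors the page's examples.
ECS_ZONES = {"google.com", "youtube.com", "force.com", "netskope.com"}


def should_forward_ecs(qname, ecs_zones=ECS_ZONES):
    """True if qname equals, or is a subdomain of, a zone in the ECS list."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in ecs_zones for i in range(len(labels)))


def build_ecs_option(client_ip, source_prefix=24):
    """Encode an ECS option that carries only the first source_prefix bits.

    Wire format: OPTION-CODE, OPTION-LENGTH, FAMILY, SOURCE PREFIX-LENGTH,
    SCOPE PREFIX-LENGTH (0 in queries), ADDRESS truncated to the prefix.
    """
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    family = 1 if net.version == 4 else 2
    addr_bytes = (source_prefix + 7) // 8
    # network_address already has the host bits zeroed; keep only prefix bytes
    addr = net.network_address.packed[:addr_bytes]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data):
    """Decode an ECS option and return the subnet it exposes.

    Rejects options whose address length does not match the prefix, which
    is how a resolver should treat a malformed or over-long ECS payload.
    """
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    body = data[4:4 + length]
    family, source_prefix, scope_prefix = struct.unpack("!HBB", body[:4])
    addr = body[4:]
    full_len = {1: 4, 2: 16}[family]
    if len(addr) != (source_prefix + 7) // 8 or len(addr) > full_len:
        raise ValueError("ECS address length does not match prefix length")
    ip = ipaddress.ip_address(addr + b"\x00" * (full_len - len(addr)))
    return {
        "family": family,
        "source_prefix": source_prefix,
        "scope_prefix": scope_prefix,
        "subnet": f"{ip}/{source_prefix}",
    }


def ecs_for_query(qname, client_ip, geolocation_enabled, ecs_zones=ECS_ZONES):
    """Return the ECS option to attach to a query, or None.

    Mirrors the policy on the page: nothing is sent when geolocation is off
    or the domain is not in the ECS list; otherwise only a /24 (assumed /56
    for IPv6) of the client's public address is exposed.
    """
    if not geolocation_enabled or not should_forward_ecs(qname, ecs_zones):
        return None
    prefix = 24 if ipaddress.ip_address(client_ip).version == 4 else 56
    return build_ecs_option(client_ip, prefix)


if __name__ == "__main__":
    # Constructed sample: the page's test domains and the dig +subnet address
    for name in ("3dzip.org", "outlook.office365.com", "infoblox.lightning.force.com"):
        opt = ecs_for_query(name, "41.33.12.77", geolocation_enabled=True)
        print(name, "->", parse_ecs_option(opt)["subnet"] if opt else "no ECS sent")
```

Running the block shows that the two non-listed domains get no ECS option at all, while the force.com name gets an option exposing only 41.33.12.0/24, never the full client address. The dig +subnet form in the Testing section sends the same option from the client side, which is a convenient way to confirm what a given authoritative server does with it.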
Testing
- 3dzip.org
- outlook.office365.com
- infoblox.lightning.force.com
dig +short @8.8.8.8 +subnet=41.33.12.0/24 3dzip.org
