Infoblox Threat Defense Troubleshooting

DIG

The thing to know about BloxOne Threat Defense is that you can use dig to get data on what is being resolved: query <DOMAIN>.debug.infoblox.com in the CHAOS class for a TXT record.

dig @52.119.41.100 <DOMAIN_YOU_WANT_DATA_ON>.debug.infoblox.com ch txt

To pull out only the web category (CAT_) or application (APP_) tags, split the answer at each quote and grep for the prefix:

DOMAIN=google.com
dig @52.119.41.100 "$DOMAIN.debug.infoblox.com" ch txt | grep Ident | sed s/\"/\\n/g | grep CAT
dig @52.119.41.100 "$DOMAIN.debug.infoblox.com" ch txt | grep Ident | sed s/\"/\\n/g | grep APP

The same as aliases (single quotes, so $DOMAIN is read when the alias runs, not when it is defined):

DOMAIN=google.com
alias ibcat='dig @52.119.41.100 $DOMAIN.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep CAT'
alias ibapp='dig @52.119.41.100 $DOMAIN.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep APP'

Or as shell functions that take the domain as their argument:

ibcat() {
    dig @52.119.41.100 "$1.debug.infoblox.com" ch txt | grep Ident | sed s/\"/\\n/g | grep CAT
}
ibapp() {
    dig @52.119.41.100 "$1.debug.infoblox.com" ch txt | grep Ident | sed s/\"/\\n/g | grep APP
}

The equivalent nslookup one-liner:

nslookup -type=txt -class=chaos outlook.office365.com.debug.infoblox.com 52.119.41.100

Also know that *.infoblox.com and ntp.ubuntu.com are on the PASSTHRU list in the cloud, which means the Web Category is expected to come back as Unknown: not because it is actually unknown, but because the web categorisation engine does not process passthrough domains.
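As an added helper (not from this wiki page), the debug query above wrapped in shell functions that pick the region, the Passthrough flag and the CAT_/APP_ tags out of the answer. The function names and the sample answer are mine; the resolver address is the one used on this page.

```shell
#!/bin/sh
# Added helper script (not from the wiki page) for reading the CH TXT debug
# answer that "dig @52.119.41.100 <domain>.debug.infoblox.com ch txt" returns.
# ib_query needs network access; the ib_* parsers read dig output from stdin,
# so they also work on a captured answer saved to a file.

IB_RESOLVER=52.119.41.100           # resolver address used throughout the page

ib_query() {                        # usage: ib_query google.com
    dig "@$IB_RESOLVER" "$1.debug.infoblox.com" ch txt
}

# Region that answered, e.g. "eu-west-2" (first half of the Ident string).
ib_region() {
    sed -n 's|.*"Ident: \([^/"]*\)/.*|\1|p'
}

# "yes" when the domain is on the cloud PASSTHRU list, so no categorisation.
ib_passthrough() {
    sed -n 's|.*"Passthrough: \([a-z]*\)".*|\1|p'
}

# CAT_ and APP_ tags from every all_tags field, deduplicated. Inside the TXT
# string the tags sit in backslash-escaped quotes, so match on \" pairs.
ib_tags() {
    grep -oE '\\"(CAT|APP)_[^\\]*\\"' | tr -d '\\"' | sort -u
}

# One-screen summary of a dig answer read from stdin.
ib_summary() {
    out=$(cat)
    printf 'region=%s passthrough=%s\n' "$(printf '%s\n' "$out" | ib_region)" \
                                        "$(printf '%s\n' "$out" | ib_passthrough)"
    printf '%s\n' "$out" | ib_tags
}

# Constructed sample answer (shape follows the page's outlook.office365.com
# example; pod name and policy text are made up) so the parsers run offline.
ib_sample() {
    cat <<'EOF'
;; ANSWER SECTION:
outlook.office365.com.debug.infoblox.com. 0 CH TXT "Ident: eu-west-2/coredns-c123123aa-aaaaa" "Passthrough: no" "PDP response { Effect: Permit, all_tags: \"CAT_Web-based Email\",\"APP_Microsoft Outlook\" }" "PDP response { Effect: Permit, all_tags: \"APP_Uncategorized\" }"
EOF
}

ib_sample | ib_summary
```

Against a live resolver, `ib_query google.com | ib_summary` gives the same three-part view for a real domain.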

Debug NIOS with DFP enabled

From the NIOS CLI, enable expert mode and query the local DFP listener on port 1024:

set expertmode on
dig @127.0.0.1 -p 1024 google.com
dig @127.0.0.1 -p 1024 google.com.debug.infoblox.com ch txt

infoblox.com

dig @127.0.0.1 A my-ip.debug.infoblox.com

The TXT record includes the region:

dig @127.0.0.1 TXT my-ip.debug.infoblox.com

To see which region you are using:

dig @52.119.41.100 TXT my-ip.debug.infoblox.com | grep TXT | grep 0 | awk -F "\""  '{print $2}' | awk -F "/" '{print $2}'
dig @52.119.41.100 google.com.debug.infoblox.com ch txt
;; ANSWER SECTION:
csp.infoblox.com.debug.infoblox.com. 0 CH TXT   "Ident: eu-west-2/coredns-5dc6c84d54-nmzjs" "Passthrough: yes"
dig @52.119.41.100 ntp.ubuntu.com.debug.infoblox.com ch txt
;; ANSWER SECTION:
ntp.ubuntu.com.debug.infoblox.com. 0 CH TXT     "Ident: eu-west-2/coredns-c75744d56-n8xbb" "Passthrough: yes"

The same query interactively with nslookup:

nslookup
server 52.119.40.100
set class=chaos
set type=txt
login.microsoftonline.com.debug.infoblox.com

Office365.com

dig @52.119.41.100 outlook.office365.com.debug.infoblox.com ch txt

which returns something like:

Ident: eu-west-2/coredns-c123123aa-aaaaa
 
PDP response 
{
	Effect: Permit, 
	Obligations: 
	[
		policy_action: allow, 
		ttype: 1, 
		tag: APP_Microsoft Outlook, 
		policy_id: 012345ab, 
		customer_id: 123456780abcdefg1234567890abcdef, 
		revision: 01234, 
		ecs: 1, 
		all_tags: \"CAT_Web-based Email\",\"APP_Microsoft Outlook\"
	]
}

Domain resolution: resolved

PDP response 
{
	Effect: Permit, 
	Obligations:
	[
		policy_action: allow, 
		ttype: 1, 
		tag: APP_Microsoft Outlook, 
		policy_id: 012345ab, 
		customer_id: 123456780abcdefg1234567890abcdef, 
		revision: 01234, 
		ecs: 1, 
		all_tags: \"APP_Uncategorized\"
	]
}

PDP response 
{
	Effect: Permit
	Obligations: 
	[
		policy_action: allow, 
		ttype: 1,
		tag: APP_Microsoft Outlook, 
		policy_id: 012345ab, 
		customer_id: 123456780abcdefg1234567890abcdef, 
		revision: 01234, 
		ecs: 1, 
		all_tags: \"APP_Uncategorized\"
	]
}

PDP response 
{
	Effect: Permit, 
	Obligations: 
	[
		policy_action: allow, 
		ttype: 1, 
		tag: APP_Microsoft Outlook, 
		policy_id: 012345ab, 
		customer_id: 123456780abcdefg1234567890abcdef, 
		revision: 01234, 
		ecs: 1, 
		all_tags: \"APP_Uncategorized\"
	]
}

PDP response 
{
	Effect: Permit, 
	Obligations: 
	[
		policy_action: allow, 
		ttype: 1, 
		tag: APP_Microsoft Outlook, 
		policy_id: 012345ab, 
		customer_id: 123456780abcdefg1234567890abcdef, 
		revision: 01234, 
		ecs: 1, 
		all_tags: \"APP_Uncategorized\"
	]
}

and, to check the network path to the resolver:

tracert -d 52.119.41.100

Count Number of Members

In a tech support file, run the following on iptables.txt (note the two spaces between LOGACCEPT and all) to list the Grid Members that are not the GM.

grep "LOGACCEPT  all" iptables.txt

HA

Disable STP, Trunking, EtherChannel, IGMP Snooping, DHCP Snooping, Port Channeling.

Looking for Threats

To show detected DNS threats in the NIOS Logs (Administration > Logs > Syslog > View Member), apply the following filters

  • Server equals DNS
  • Message contains CEF

To show DNS queries that worked from a specific client

  • IN AAAA response: NOERROR
  • IN A response: NOERROR
  • client 192.168.99.216

To show DNS queries that failed with NXDOMAIN from a specific client

  • IN AAAA response: NXDOMAIN
  • IN A response: NXDOMAIN
  • client 192.168.99.216

To Show Dynamic DNS

  • Added reverse map
  • Added new forward map

To Show Renew Requests

  • RENEW

DHCP With Dynamic DNS

DHCPDISCOVER from 10:0b:a9:11:11:11 via <DHCP RELAY IP> TransID 13c8cab7
DHCPOFFER on <OFFERED IP> to 10:0b:a9:11:11:11 (HOSTNAME) via eth1 relay <DHCP RELAY IP> lease-duration 119 offered-duration 3600
r-l-e:192.168.1.123,Issued,HOSTNAME,10:0b:a9:11:11:11,1644784034,1644787634,505,$default,192.168.99.192,27,192.168.99.194-192.168.99.222
DHCPREQUEST for <OFFERED IP> from 10:0b:a9:11:11:11 (HOSTNAME) via <DHCP RELAY IP> TransID 13c8cab7
DHCPACK on <OFFERED IP> to 10:0b:a9:bc:11:11 (HOSTNAME) via eth1 relay <DHCP RELAY IP> lease-duration 3600
Added reverse map from 11.1.168.192.in-addr.arpa. to hostname.example.com
Added new forward map from hostname.example.com to 192.168.1.11

What DHCP Peer Sees

DHCPDISCOVER from 10:0b:a9:11:11:11 via <IP OF RELAY> TransID 13c8c111: load balance to peer NAME-OF-FAILOVER-ASSOCIATION (1601720004ps)
DHCPREQUEST for <REQUESTED IP> (IP of DHCP Peer Server) from 10:0b:a9:11:11:11 via <IP OF RELAY> TransID 13c8cab7 uid 01:00:04:30:11:11:11: lease owned by peer

DHCP Renew

DHCPREQUEST for 192.168.1.11 from c6:38:38:11:11:11 (HOSTNAME) via eth1 TransID b1e9a111 uid 01:c6:38:38:11:11:11 (RENEW)
DHCPACK on 192.168.1.11 to c6:38:38:11:11:11 (HOSTNAME) via eth1 relay eth1 lease-duration 3600 (RENEW) uid 01:c6:38:38:11:11:11

Dynamic DNS Update Failure (REFUSED)

Reverse map update for 192.168.1.11 abandoned because of non-retryable failure: REFUSED
Unable to add forward map from hostname.domain.com to 192.168.1.11: REFUSED

Dynamic DNS Update Failure (NXRRSET, record not owned by this server)

Reverse map update for 192.168.1.11 abandoned because of non-retryable failure: NXRRSET
Forward map from hostname.domain.com to 192.168.1.11 FAILED: Has an address record but no DHCID, not mine.

DHCP Release

DHCPRELEASE of 192.168.11.11 from 10:0b:a9:11:11:11 (HOSTNAME) via eth1 (found) TransID 21881111
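An added script (not from this wiki page) that correlates the DHCPACK, DDNS success and DDNS failure lines shown in the sections above, so each REFUSED / NXRRSET / "not mine" failure is reported together with the client hostname and MAC from its lease. The function names, hostnames and sample log are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): correlate the DHCP and dynamic DNS
# syslog lines shown above. Each DHCPACK records hostname and MAC per IP; any
# later DDNS failure for that IP (REFUSED, NXRRSET, "not mine") is printed as
# one FAIL line naming the client, instead of filtering the member log by hand.
# Reads syslog text on stdin; only the message part of each line is matched.
ddns_triage() {
    awk '
    /DHCPACK on / {
        match($0, /DHCPACK on [0-9.]+/); ip  = substr($0, RSTART + 11, RLENGTH - 11)
        match($0, / to [0-9a-f:]+/);    mac = substr($0, RSTART + 4, RLENGTH - 4)
        match($0, /\([^)]*\)/);          host = substr($0, RSTART + 1, RLENGTH - 2)
        client[ip] = host " " mac          # remembered for later failures
    }
    /abandoned because of non-retryable failure/ {
        match($0, /update for [0-9.]+/);  ip = substr($0, RSTART + 11, RLENGTH - 11)
        match($0, /[A-Z]+$/);              rc = substr($0, RSTART, RLENGTH)
        print "FAIL reverse " ip " " client[ip] " " rc
    }
    /Unable to add forward map from / {
        match($0, /to [0-9.]+:/);          ip = substr($0, RSTART + 3, RLENGTH - 4)
        match($0, /[A-Z]+$/);              rc = substr($0, RSTART, RLENGTH)
        print "FAIL forward " ip " " client[ip] " " rc
    }
    /Forward map from .* FAILED: / {
        match($0, /to [0-9.]+ FAILED/);    ip = substr($0, RSTART + 3, RLENGTH - 10)
        sub(/.*FAILED: /, "")              # keep only the reason text
        print "FAIL forward " ip " " client[ip] " " $0
    }'
}

# Constructed sample log (shape follows the lines on this page; hosts and MACs
# are made up) so the triage can be tried offline.
ddns_sample() {
    cat <<'EOF'
DHCPACK on 192.168.1.11 to c6:38:38:11:11:11 (HOSTNAME) via eth1 relay eth1 lease-duration 3600 (RENEW) uid 01:c6:38:38:11:11:11
Added reverse map from 11.1.168.192.in-addr.arpa. to hostname.example.com
Added new forward map from hostname.example.com to 192.168.1.11
DHCPACK on 192.168.1.12 to 10:0b:a9:11:11:11 (LAPTOP2) via eth1 relay 192.168.1.1 lease-duration 3600
Reverse map update for 192.168.1.12 abandoned because of non-retryable failure: REFUSED
Unable to add forward map from laptop2.example.com to 192.168.1.12: REFUSED
DHCPACK on 192.168.1.13 to 00:11:22:33:44:55 (PRINTER) via eth1 relay 192.168.1.1 lease-duration 3600
Reverse map update for 192.168.1.13 abandoned because of non-retryable failure: NXRRSET
Forward map from printer.example.com to 192.168.1.13 FAILED: Has an address record but no DHCID, not mine.
EOF
}

ddns_sample | ddns_triage
```

On a real member, feed it the syslog export instead: `ddns_triage < syslog.txt`.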
infoblox_threat_defense/troubleshooting.txt · Last modified: by bstafford