INFOBLOX

Infoblox DDI NIOS:  

  • DDI – DNS, DHCP, IPAM 

  • ON PREMISE Solution 

  • All appliances that make up this solution are hosted in your datacenter, and all devices are controlled from the manager hosted in that same datacenter 

  • Comes in physical form or virtual form 

 

Infoblox BloxOne DDI “CSP.Infoblox.com”:  

  • The same services as the above solution, but the manager and main components are hosted in the cloud 

 

Infoblox BloxOne Threat Defense On Premise:  

  • A complete DNS security suite hosted on DDI NIOS via specific licenses 

 

Infoblox BloxOne Threat Defense cloud “CSP.Infoblox.com”:  

  • A complete DNS security suite hosted in the cloud on the same BloxOne platform 

 

Appliance description: 

 

 

On/Off SW – power switch 

Power LED – glows red when there is a power error 

IPMI port – Infoblox LOM (Lights Out Management), the remote management and monitoring interface of Infoblox appliances 

Console – command line interface 

USB port – reserved for future use 

MGMT port – appliance management (or the DNS service) 

LAN1 – handles traffic 

LAN2 – disabled by default, but can be used 

HA port – VRRP HA configuration 

UID – blue light that helps identify the node in the rack 

 

Infoblox Grid: 

  • A grid is a group of Infoblox appliances that together form the full Infoblox DDI solution 

  • All grid members are linked together through the grid, and the databases are synchronized between all members 

  • A grid member: 

    • Each appliance or virtual platform is considered a member in the grid  

    • A member can be a single NIOS appliance or an HA pair 

  • Grid Roles: 

    • Grid Master: the appliance you log in to through the web GUI to administer your grid 

    • Grid Master Candidate: an appliance that can be promoted to Grid Master if the Grid Master fails; it receives the full DB from the master 

    • Normal Grid Member: an appliance that provides a specific service (DNS, DHCP or other core services) to the hosted network 

    • Reporter: Collecting data from Infoblox members to generate reports and analytics 

    • Network Insight: Adds more network information to IPAM collected data 

  • Grid Communication: Grid members communicate with each other through a VPN tunnel using two main ports 

    • UDP 2114 for exchanging keys 

    • UDP 1194 default VPN port number 

  • Database Synchronization: BloxSYNC is the synchronization method used between all grid members 

    • BloxSDB: the built-in XML DB used on each member 

    • DB synchronization is partial for each normal grid member, according to its function, while it is full between the Grid Master and the candidate 

 

 

 

Network Configuration: 

  • This is common for all members/nodes 

  • Login with default creds – admin/infoblox 

 

>show network – to see the network configuration 

 

>set network – to set the following: 

  • IP address 

  • Subnet mask 

  • Default Gateway 

  • VLAN tag (if required) 

  • IPv6 settings (if required) 

  • Become grid member (yes or no) 

Note: the node restarts to apply the network configuration 

 

>ping <gw ip> – to check gateway reachability 

 

>show interface 

 

Management Network Configuration: 

>set interface mgmt 

  • Enable Management port – yes 

  • Mgmt IP address 

  • Mgmt netmask 

  • Mgmt gateway 

  • IPv6? – no 

  • Restrict support and remote console access to mgmt port? 

 

>show interface 

 

 

Icons (images not included): Grid Master, Grid Candidate, Grid Member, Reporter 

 

Device model License configuration: 

>set temp_license 

  • Select 4 (Add NIOS license) 

  • Then select the number matching the model (Grid Master/DDI/Reporter) 

Note: the node restarts to apply the license 

 

>show license 

 

Grid Manager/DDI License configuration: 

>set temp_license 

  • Select 2 (DNSone with Grid (DNS, DHCP, GRID)) 

  • The DNS, DHCP and Grid licenses will be installed 

  • The Grid license is required because the DDI/candidate will be a member of the grid 

Note: the node restarts the UI 

 

>show license 

 

 

Reporter License configuration: 

>set temp_license 

  • Select 2 (Add Grid license) – because it will be a member of the grid 

Note: the node restarts the UI 

 

>set temp_license 

  • Select 3 (Add Reporting license) – because it will be a member of the grid 

 

>show license 

 

To see License from GUI: 

  • Access the Grid manager IP (https://<ip>/) using browser 

  • Login using admin/infoblox 

  • Grid –> Licenses; the features are: 

    • Grid – enables the node to join the Grid and receive instructions from the Grid Master 

    • NIOS – sets the model of the node 

    • DNS – provides the DNS service to users 

    • DHCP – provides the DHCP service to users 

    • Reporting – enables reporting 

      • Reporting license enables “Reporting” tab on top (blue background) 

 

 

Configuring Grid Manager/Grid Master: 

  • Access the IP (https://<ip>/) using browser 

  • Login using admin/infoblox 

  • Grid –> Grid Manager –> Toolbar –> Grid Properties –> Setup Wizard 

  • Select “Configure a Grid Master” and click Next 

  • Update Grid Name, shared secret, Hostname, IPv4/IPv6, HA Pair and click Next  

 

Note: the Grid Name and shared secret are required in the CLI when the DDI/Reporter/Master Candidate joins the grid 

 

  • Verify the IP address setting and update if required and click Next 

  • Set admin password if required and click Next 

  • Set NTP as required and click Next 

  • Review the configuration and click Finish 

 

Grid Master Candidate joining the Grid: 

  • Access the Grid manager IP (https://<ip>/) using browser 

  • Login using admin/infoblox 

  • Grid –> Grid Manager –> Members –> click to Add 

  • Select Member type: Infoblox (physical) or Virtual NIOS 

  • Update Host Name, Time Zone as required 

  • Check “Master Candidate” and click Next 

  • Select the type of member (standalone or HA pair) 

  • Update the IP address of Master candidate, subnet mask, gateway and click Next 

  • Update Extensible attributes if required and click Save & Close 

 

Login to Grid Candidate CLI: 

>set membership 

  • Enter new grid master VIP: <ip of Grid manager> 

  • Grid name: <the name configured on the Grid Master> 

  • Shared secret 

 

Note: Node will restart to join the Grid 

 

>show status – to see Grid status, HA status, Hostname, Grid Master IP 

 

  • Access the Grid manager IP (https://<ip>/) using browser 

  • Login using admin/infoblox 

  • Grid –> Grid Manager –> Members 

  • Candidate Node status should be Running (Refresh the screen if required) 

 

DDI joining the Grid: 

  • Access the Grid manager IP (https://<ip>/) using browser 

  • Login using admin/infoblox 

  • Grid –> Grid Manager –> Members –> click to Add 

  • Select Member type: Infoblox (physical) or Virtual NIOS 

  • Update Host Name, Time Zone as required and click Next 

  • Select the type of member (standalone or HA pair) 

 

For an HA pair, a unique VRID and five IP addresses are required to set up HA 

Refer to “Grid Member High Availability” 

 

  • Update the IP address of DDI, subnet mask, gateway and click Next 

  • Update Extensible attributes if required and click Save & Close 

 

Login to DDI CLI: 

>set membership 

  • Enter new grid master VIP: <ip of Grid manager> 

  • Grid name: <the name configured on the Grid Master> 

  • Shared secret 

 

Note: Node will restart to join the Grid 

>show status – to see Grid status, HA status, Hostname, Grid Master IP 

 

  • Access the Grid manager IP (https://<ip>/) using browser 

  • Login using admin/infoblox 

  • Grid –> Grid Manager –> Members 

  • DDI Node status should be Running (Refresh the screen if required) 

 

Reporter joining the Grid: 

  • Access the Grid manager IP (https://<ip>/) using browser 

  • Login using admin/infoblox 

  • Grid –> Grid Manager –> Members –> click to Add 

  • Select Member type: Infoblox (physical) or Virtual NIOS 

  • Update Host Name, Time Zone as required and click Next 

  • Select the type of member (standalone or HA pair) 

  • Update the IP address of Reporter, subnet mask, gateway and click Next 

  • Update Extensible attributes if required and click Save & Close 

 

Login to Reporter CLI: 

>set membership 

  • Enter new grid master VIP: <ip of Grid manager> 

  • Grid name: <the name configured on the Grid Master> 

  • Shared secret 

 

Note: Node will restart to join the Grid 

>show status – to see Grid status, HA status, Hostname, Grid Master IP 

 

  • Access the Grid manager IP (https://<ip>/) using browser 

  • Login using admin/infoblox 

  • Grid –> Grid Manager –> Members 

  • Reporter Node status should be Running (Refresh the screen if required) 

 

Enabling services: 

  • Access the Grid manager IP (https://<ip>/) using browser 

  • Login using admin/infoblox 

  • Grid –> Grid Manager, click DHCP 

    • Check the DDI member and click the start icon to start the DHCP service on this node 

 

  • Grid –> Grid Manager, click DNS 

    • Check the DDI member and click the start icon to start the DNS service on this node 

 

  • Grid –> Grid Manager –> Toolbar –> NTP 

    • Check “Synchronize the Grid with these External NTP servers” 

    • Click + to add NTP servers 

    • Give IP or FQDN and click Add 

    • Click Save & Close 

  • Grid –> Grid Manager, click NTP 

    • Check all the members and click the start icon to start the NTP service on all the nodes 

 

  • Grid –> Grid Manager –> Reporting –> Toolbar –> Grid Reporting properties 

    • Enable Data Indexing 

    • Select the required services to include in reporting 

  • Grid –> Grid Manager, click Reporting 

    • Check all the members and click the start icon to start the Reporting service on all the nodes 

Note: since the DNS, DHCP and NTP services are enabled, a service restart is required after enabling reporting on all the members; click Restart on the notification (yellow bar) that appears at the top of the screen 

 

Grid Candidate switch to Grid Master: 

Candidate> set promote_master 

  • A notification appears announcing the delay 

  • The default delay is 30 seconds and can be changed 

  • Both the Grid Master and the Grid Master Candidate restart 

 

>show status – to see Grid status, HA status, Hostname, Grid Master IP 

 

Grid Member High Availability: 

  • A member inside the grid can be standalone or an HA pair 

  • The two nodes that form the HA pair work as active/passive 

  • The active node processes all the traffic, and the passive node keeps its database synchronized with the active node 

  • HA requires a peer-to-peer connection between the two nodes forming the HA pair 

  • HA requires five IP addresses to form the HA pair 

    1. One for LAN1 on the first node 

    2. One for LAN1 on the second node 

    3. One for the HA interface on the first node 

    4. One for the HA interface on the second node 

    5. One VIP (the VRRP virtual IP) that receives the data traffic and passes it to the active node 

  • If the passive node misses 3 announcements from the active node, it considers itself the active node 

  • The passive node listens for announcements carrying the correct Virtual Router ID (VRID). The VRID is between 1 and 255 and must be unique. 

  • Using BloxSYNC, the active node continuously replicates its database to the passive node 

  • The Grid Master synchronizes its database with the active node, and the active node then synchronizes its database with the passive node 
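The failover rule above (passive takes over after three missed announcements, and only announcements carrying its own VRID count) can be played through in a small simulation. This is an added illustration, not Infoblox or NIOS code; the one-second announcement interval and the node names are assumptions, and the second run shows why the VRID must match and be unique: a passive node that never sees a valid announcement promotes itself while the other node is still active.

```python
from __future__ import annotations
from dataclasses import dataclass

ADVERT_INTERVAL = 1.0            # seconds between announcements (assumed value)
MISSED_ANNOUNCEMENTS_LIMIT = 3   # page: passive takes over after missing 3 announcements


@dataclass
class Announcement:
    vrid: int        # Virtual Router ID carried in every announcement
    sent_at: float   # simulated clock time at which it was sent


@dataclass
class HaNode:
    name: str
    vrid: int                 # 1-255; must match the peer and be unique on the segment
    role: str = "passive"
    last_seen: float = 0.0    # time of the last valid announcement from the active node
    ignored: int = 0          # announcements dropped because their VRID is not ours

    def receive(self, ann: Announcement) -> None:
        """Only announcements for our own VRID count; others belong to another HA pair."""
        if ann.vrid != self.vrid:
            self.ignored += 1
            return
        self.last_seen = ann.sent_at

    def tick(self, now: float) -> str:
        """Re-evaluate the role at simulated time `now`."""
        if self.role == "passive":
            missed = int((now - self.last_seen) // ADVERT_INTERVAL)
            if missed >= MISSED_ANNOUNCEMENTS_LIMIT:
                self.role = "active"   # active node presumed down: take over the VIP
        return self.role


def validate_vrid(vrid: int, vrids_in_use: set) -> int:
    """Enforce the page's two VRID rules: range 1-255 and uniqueness on the segment."""
    if not 1 <= vrid <= 255:
        raise ValueError(f"VRID {vrid} is outside 1-255")
    if vrid in vrids_in_use:
        raise ValueError(f"VRID {vrid} is already used by another HA pair on this segment")
    return vrid


def simulate(active_vrid: int, passive_vrid: int, active_fails_at: float, end: float) -> dict:
    """Run a clock from 0 to `end`. The active node announces every ADVERT_INTERVAL
    until `active_fails_at`. Returns when (if ever) the passive node took over and
    how many announcements it ignored because of a VRID mismatch."""
    passive = HaNode("node2", passive_vrid)
    takeover_at = None
    t = 0.0
    while t <= end:
        if t < active_fails_at:
            passive.receive(Announcement(vrid=active_vrid, sent_at=t))
        if passive.tick(t) == "active" and takeover_at is None:
            takeover_at = t
        t += ADVERT_INTERVAL
    return {"takeover_at": takeover_at, "ignored": passive.ignored}


if __name__ == "__main__":
    # active node fails at t=5: passive goes active at t=7 after missing 3 announcements
    print(simulate(10, 10, active_fails_at=5.0, end=12.0))
    # VRID mismatch: every announcement is ignored, so the passive promotes itself (split brain)
    print(simulate(10, 11, active_fails_at=100.0, end=12.0))
```

The second run is the case to watch for in a real deployment: two nodes that disagree on the VRID (or two HA pairs sharing one VRID on the same segment) behave exactly like a failed active node, so VRID uniqueness is part of the HA health check, not just a form field.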

 

Grid –> Grid Manager –> select the HA member –> Toolbar –> Control –> Force HA Failover 

 

Grid Operations: 

  1. Restart Services: after changing any service configuration, the services must be restarted 

    • Generally a notification (yellow bar) appears at the top of the screen; click Restart 

    • Changes are not applied if we click Ignore 

    • We can restart manually at Grid –> Grid Manager –> Restart services 

      • If needed – only when there are pending changes 

      • Force service restart – even without pending changes 

  2. Control Operations: Grid –> Grid Manager –> select any member –> Toolbar –> Control 

    • Restart – services and software of the node 

    • Reboot – complete reboot 

    • Shutdown 

    • Force HA failover 

    • Restart GUI 

  3. Backup: Grid –> Grid Manager –> Toolbar –> Backup 

    • Grid Backup: 

      • Manual Backup 

      • Schedule Backup 

      • Manage Local Backup 

    • Reporting Backup 

    • DTC Backup 

  4. Restore: Grid –> Grid Manager –> Toolbar –> Restore 

    • Restore Grid 

    • Restore Reporting 

    • Restore DTC 

  5. Snapshot: Grid –> Grid Manager –> Toolbar –> Snapshot 

    • It’s for the database 

    • Create 

    • Rollback 

  6. GMC Promote Test: Grid –> Grid Manager –> Toolbar –> GMC Promote Test 

    • Select GMC (Grid Master Candidate) 

    • Select the members 

    • Click start 

    • Click “GMC Promotion Test Results” to see Grid communication result 

    • Grid Communication: Grid members communicate with each other through a VPN tunnel using two main ports 

      • UDP 2114 for exchanging keys 

      • UDP 1194 default VPN port number 

  7. Traffic Capture: Grid –> Grid Manager –> Toolbar –> Traffic Capture 

    • Click + to add member and select member 

    • Select the interface for that member 

    • Enter the number of seconds to capture traffic for 

    • Click play button under Capture control 

    • Click stop button under capture control once captured 

    • Select member and Click Download 

    • It is a pcap file and can be opened via Wireshark 

  8. Support Bundle: Grid –> Grid Manager –> click any service DNS or DHCP etc. –> select any member –> Toolbar –> Download –> Support bundle 

    • Select the options as required and click Ok 

    • It automatically downloads to the computer 

  9. Export: Grid –> Grid Manager –> members –> Click Export icon 

    • Export visible data: This is for our reference 

    • Export members data in Infoblox CSV Import Format: this is for importing into Infoblox if required 

  10. Import: Grid –> Grid Manager –> Toolbar –> CSV Import 

    • Type of Import: Select any one from below as required and click Next 

      • Add 

      • Override 

      • Merge 

      • Delete 

      • Custom 

    • Upload the CSV file (exported in Infoblox CSV format) 

     

Administration Components: Administration –> Administrators 

Role: a pre-defined set of permissions. By default there are multiple roles that can be assigned to your groups, such as DHCP admin, DNS admin, DTC admin etc. 

 

Admin Group: contains the permissions assigned to it directly or through a role. It is the container of the admin accounts 

  • Superuser: no role. Superuser admin groups provide their members with unlimited access to and control of all operations that a NIOS appliance performs. Users in this group can access the appliance through the GUI, CLI or API 

  • Limited Access: based on a role. Limited-access admin groups provide their members with read-only or read/write access to specific resources. Users in this group can access the appliance through the GUI or API only 

 

Note: if remote authentication is configured as AD in the authentication server groups, the Admin Group name must be the same as the group name configured on the AD server, and the remote admin group must be mapped to the local group in the Authentication policy 

 

Admin Account: the account we create and place in a group so that it receives that group's permissions 

Account Authentication: 

  1. Locally 

  2. Remotely “Account & Password” 

  3. Remotely “Password” 

 

Permissions: Two main methods for creating permissions 

  • Permissions are created based on Groups or Roles 

  • Select Group or Role 

  • Click + under Local-Group permissions to see below options 

  • Global Permissions to see Group or Role permissions 

    • Select permission Type for Group or Role with Actions (Read Only, Read/Write & Deny) 

  • Object Permissions to see Group or Role permissions 

 

For any local user: 

Role –> called out in Admin Group (if not super user) 

Admin Group –> called out in Admins 

 

For AD authentication: 

Admin Group name same as the group name on the AD server 

Admin Group –> called out in Authentication policy (remote to local mapping) 

 

Remote Authentication: 

  • When we configure the authentication type as “remote”, NIOS authenticates admins whose user credentials are stored remotely on authentication servers 

  • Infoblox can authenticate users against multiple kinds of remote servers (AD, LDAP, RADIUS, TACACS+, OCSP, SAML) 

 

Administration –> Authentication Server Groups 

 

 

 

Authentication Policy: Administration –> Administrators –> Authentication policy 

  • Defines the sequence in which users are authenticated 

  • By default, the first entry is the local user database 

  • Click + to see the authentication services (AD, LDAP etc.) and click Add 

  • If the user is not found in the local database, Infoblox checks the added authentication service 

  • Map the remote admin group to the local group in this order: 

    • Click + to add the created admin group  

 

Upgrade: 

Full Upgrade: includes changes to the database schema; the required upgrade path must be followed 

Lite Upgrade: changes to the grid software only, like patching 

  • Note: a manual upgrade upgrades all the members simultaneously 

 

Scheduling Updates: we can schedule the update to minimize the burden on the administrator 

  • Note: a scheduled upgrade upgrades the members one by one, sequentially 

 

Restrictions During Updates: avoid making changes during the upgrade. Some operations are not possible while upgrading, such as changing member properties, deleting DNS views, or setting the time zone. 

  • Obtain the new software from the support site https://support.Infoblox.com –> Downloads 

  • The NIOS software download contains the entire operating system in an encrypted datafile 

 

Manual Process: 

  • Grid –> upgrade 

  • Click upload to upload the software 

  • Click distribute to send the software to all the members 

  • Click Test to see any errors before upgrading 

  • Click Upgrade  

 

Schedule Process: 

  • Grid –> upgrade 

  • Click upload to upload the software 

  • Click distribute to send the software to all the members 

  • Click Test to see any errors before upgrading 

  • Click Upgrade schedule (on top)  

    • Set the date and time 

    • Click “Active upgrade schedule” 

    • Under Start Upgrade, select one of the following options for each group 

      • Date/Time 

      • After Grid Master 

      • After Default (Default is a group name) 

      • After xxxx (xxxx stands for each of the other group names) 

 

Note: each member is added to a group at the time it is added to the grid 

 

Click Toggle Group View to create a group (Grid –> Upgrade –> Toggle Group View) 

  • Click + to add a group 

  • Select distribute to members (simultaneously or sequentially) 

  • Select Upgrade members (simultaneously or sequentially) 

  • Click Next 

  • Add members 

 

Upgrading an HA pair: zero downtime 

 

DHCP Inheritance: Data Management –> DHCP 

  • Inheritance: Grid DHCP Properties (Member (Network (Range/Fixed IP address (Filter)))) 

  • We can override at any level 

 

  • Grid DHCP Properties: DHCP –> Toolbar 

  • Members: DHCP –> Members –> Members 

  • Network: DHCP –> Networks –> Networks 

  • Range/Fixed: DHCP –> Networks –> Networks –> click Any Network 

  • Filter: DHCP –> IPv4 Filters 

 

Note: if we do not change anything on the Member, the Network has the same properties as the Grid. If we override a setting on the Member, the Network gets the Member's properties 
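The inheritance chain above (Grid, then Member, Network, Range/Fixed address, Filter, with an override possible at any level) can be written down as a resolver that reports, for every property, which level actually supplied the value in effect. This is an added illustration, not NIOS code; the sample property values, the level names and the `override` helper are constructed for the example.

```python
from __future__ import annotations

# Inheritance order from the page: Grid -> Member -> Network -> Range/Fixed address -> Filter
LEVELS = ("grid", "member", "network", "range", "filter")


def effective_properties(chain: dict) -> dict:
    """Walk the chain from Grid downward. A level that sets a property overrides
    everything above it; a level that sets nothing passes its parent's values on.
    Returns property -> (level that supplied the value, value)."""
    unknown = set(chain) - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown inheritance level(s): {sorted(unknown)}")
    result = {}
    for level in LEVELS:
        for key, value in chain.get(level, {}).items():
            result[key] = (level, value)
    return result


def override(chain: dict, level: str, **props) -> dict:
    """Return a copy of the chain with `props` overridden at `level` (the GUI's Override).
    The original chain is left untouched so before/after can be compared."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    new_chain = {lvl: dict(vals) for lvl, vals in chain.items()}
    new_chain.setdefault(level, {}).update(props)
    return new_chain


# Constructed sample: only the Router is overridden at network level, since each network has its own gateway.
SAMPLE_CHAIN = {
    "grid": {"lease_time": "12h", "router": "10.0.0.1", "domain_name": "corp.example", "dns_servers": ["10.0.0.53"]},
    "member": {},
    "network": {"router": "10.20.0.1"},
    "range": {},
}


def report(chain: dict) -> list[str]:
    """One line per property, naming the level the value came from."""
    return [f"{key} = {value} (from {level})" for key, (level, value) in effective_properties(chain).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CHAIN)))
    print("--- after overriding the lease time on the member ---")
    print("\n".join(report(override(SAMPLE_CHAIN, "member", lease_time="1d"))))
```

Running it shows the two cases the note describes: with nothing changed on the member, the network's lease time and DNS servers are reported as coming from the grid; after the member override, the same network reports its lease time as coming from the member.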

 

Grid DHCP Properties: 

Authoritative: Enable this option for Infoblox to assign IP addresses to users 

Lease Time: how long an assigned IP address remains leased to the client 

Fingerprinting: To identify the clients 

IPv4 DHCP Options:  

Router (gateway): for all users at grid level 

Domain name 

DNS servers 

Custom DHCP Options: used to reference the options defined under DHCP –> Option Spaces 

IPv4 DDNS: update DNS using DHCP through option 81 

IPv4 DHCP Thresholds: To send the notification to administrator about DHCP IP address exhaustion 

IPv4 Filters: To add filter for IPv4 address assignment 

 

Note: Generally all these properties will be inherited by the member and these properties can be changed at the member level as well by doing override on each option 

 

Creating a Network: Data Management –> DHCP –> Networks –> Networks 

  • Click + to create an IPv4 network 

  • Select Add Network and click next 

  • Update netmask, network and click next 

  • Choose Members 

  • Lease Time, Router, Domain name, DNS servers will be inherited from Member 

    • Router section may require override, because each network will have different gateway 

    • If Domain name is different for this network 

  • Assigned VLANs – select VLANs if required and click Next 

  • Extensible Attributes if required and click Next 

  • Click Save and Close 

 

Note: a service restart is required 

 

  • Once network is created, we have to create a range 

  • Click the network to enter inside the network 

  • Click + to create a  

    • Range – a range of IP addresses for DHCP assignment 

    • Host for DNS 

    • Fixed address for a specific client (based on MAC), lease time is permanent 

    • Reservation to exclude some IP address from Range for not to assign anyone and can be used to reserve static hosts like printer, servers etc. 

 

DHCP Exclusion range:  

  • To Exclude some IPs within the range we create in DHCP network 

  • Data Management –> DHCP –> Networks –> Networks –> open any network and then Range –> Click + and click Exclusion range 

  • This is a range (exclusion) inside the range; the excluded addresses are not assigned by DHCP 

 

How to monitor Leases: 

  • Data Management –> DHCP –> Leases –> Current Leases 

  • This will show finite leases, which will expire 

 

Lease History: 

  • Data Management –> DHCP –> Leases –> Lease History 

  • This will help to investigate past DHCP leases like which system got the IP addresses etc 

  • This has to be enabled in Grid DHCP properties (in Toolbar) 

    • Click Logging  

    • Check “Enable Lease History” under Lease logging 

    • Click Save & Close 

  • Restart services is required  

 

IPv4 Filter: 

  • It is like a policy applied at the DHCP server level to identify which clients may pull an IP address from DHCP and which may not 

  • Data Management –> DHCP –> IPv4 Filters –> Click + to add 

    • IPv4 MAC Address Filter 

      • Once Filter is created, we have to add MAC addresses under this filter (click Filter –> click + to add MAC Address) 

    • IPv4 Option Filter 

    • IPv4 NAC Filter 

    • IPv4 Relay Agent Filter 

    • IPv4 Fingerprint Filter 

  • Apply the filter in Network Range  

    • Edit the Range 

    • Click IPv4 Filters in the left pane 

    • Click + under Class Filter List 

    • Add the created filter and select Action (Grant Lease OR Deny Lease) 

    • Click Save & Close 

  • Restart services is required  

 

Extensible Attributes: 

  • Simply metadata that we can apply and assign to our clients and to the Infoblox grid 

  • Attributes like client name, department, location etc. 

  • We can export Infoblox csv format and import after filling the data 

  • Administration –> Extensible Attributes 

  • There are multiple types for the Extensible Attributes which are List, Email, Integer, string, URL, Date 

  • When creating Extensible Attributes we have 3 options 

    • Required 

    • Recommended 

    • Optional 

 

Task Manager: 

  • If we have scheduled anything, that will show up here 

  • Administration –> Workflow –> Task Manager 

  • We can select the task and we can click Execute Now OR Reschedule in the Toolbar OR delete the task itself 

  • There is an option called Approve/Reject in the Toolbar for each task 

  • This option is used when a team creates the scheduled tasks and an admin group approves them 

  • We can create workflow (Workflow –> Approval workflows) 

    • Select the submitter group 

    • Select the Approver group 

    • Click Save & Close 

 

DHCP Failover: Data Management –> DHCP –> Members/Servers –> IPv4 DHCP Failover Associations 

  • When we set up a failover association, we greatly reduce DHCP service downtime if one of our DHCP servers is out of service 

  • We can better manage IP address requests by making two servers available for DHCP services 

  • They share a pool of IP addresses that they allocate to hosts on their networks based on load balancing 

  • Load balancing is a technique to split the address allocation workload evenly across the two DHCP servers 

  • A DHCP failover association can serve DHCP ranges that belong to one network view only. It cannot serve ranges in different network views 

 

  • When a host broadcasts a DHCPDISCOVER message, it includes its MAC address. Both the primary and secondary peers receive this message. To determine which server should allocate an IP address to the host, they each extract the MAC address from the DHCPDISCOVER message and perform a hash operation. Each server then compares the result of its hash operation with the configured load balancing split. The split is set to 50% by default to ensure an even split between the two servers. When the split is 50%, the primary server allocates the IP address if the hash result is between 1 and 127, and the secondary server allocates the IP address if the hash result is between 128 and 255. As a server allocates an IP address, it updates its peer so their databases remain synchronized 

  • To keep both nodes in the DHCP failover association stable they must remain synchronized, because timers such as the lease time are running on both 
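The DHCPDISCOVER load-balancing decision described above can be modelled end to end: both peers hash the client MAC, compare the result with the configured split, and only the selected peer answers and then pushes the binding to its partner. This is an added illustration, not Infoblox or ISC code. The real peers use the hash defined by the DHCP failover protocol; SHA-256 of the MAC bytes is an assumed stand-in here, and the cut-over follows the page's 50% split (the model numbers buckets 0..255, so the primary serves 0..127 and the secondary 128..255). The `FailoverPeer` class and the sample MACs are constructed.

```python
import hashlib
from dataclasses import dataclass, field


def mac_bucket(mac: str) -> int:
    """Map a client MAC to a bucket 0..255. The real peers use the failover
    protocol's own hash; SHA-256 of the MAC bytes is an assumed stand-in here."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return hashlib.sha256(raw).digest()[0]


def primary_cutoff(split_percent: int) -> int:
    """Highest bucket the primary serves: 50% -> 127 (page), 100% -> 255, 0% -> -1 (none)."""
    if not 0 <= split_percent <= 100:
        raise ValueError("split must be between 0 and 100")
    return split_percent * 256 // 100 - 1


def server_for(mac: str, split_percent: int = 50) -> str:
    """Both peers compute this independently on the same DHCPDISCOVER and agree."""
    return "primary" if mac_bucket(mac) <= primary_cutoff(split_percent) else "secondary"


@dataclass
class FailoverPeer:
    role: str                      # "primary" or "secondary"
    split_percent: int = 50
    leases: dict = field(default_factory=dict)
    peer: "FailoverPeer | None" = None

    def handle_discover(self, mac: str, offered_ip: str) -> bool:
        """Respond only if the hash selects this peer; then push the binding to the partner
        so both lease databases stay in step. Returns True if this peer answered."""
        if server_for(mac, self.split_percent) != self.role:
            return False
        self.leases[mac] = offered_ip
        if self.peer is not None:
            self.peer.leases[mac] = offered_ip   # binding update to the partner
        return True


def distribution(sample_size: int, split_percent: int = 50) -> dict:
    """How the constructed MACs 02:00:00:00:hh:ll would be shared between the peers."""
    counts = {"primary": 0, "secondary": 0}
    for i in range(sample_size):
        mac = "02:00:00:00:%02x:%02x" % ((i >> 8) & 0xFF, i & 0xFF)
        counts[server_for(mac, split_percent)] += 1
    return counts


if __name__ == "__main__":
    primary, secondary = FailoverPeer("primary"), FailoverPeer("secondary")
    primary.peer, secondary.peer = secondary, primary
    mac = "02:00:00:00:00:01"   # constructed client
    answered = [p.role for p in (primary, secondary) if p.handle_discover(mac, "10.0.0.10")]
    print("answered by:", answered, "| both databases:", primary.leases == secondary.leases)
    print("2000 constructed clients at 50%:", distribution(2000))
```

The two properties worth checking operationally are visible in the output: exactly one peer answers any given DISCOVER, and after the answer both lease databases hold the same binding. A split far from the configured percentage, or bindings present on one peer only, points at a broken failover association rather than at the hash.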

 

 

DNS resolver: 

  • Makes the Grid members (Grid Manager, Candidate etc.) resolve their own DNS queries through the grid DNS 

  • Grid –> Grid Manager –> Tool bar –> Grid Properties 

  • Click DNS Resolver in the left pane and check “Enable DNS Resolver” 

  • Click + to add the DNS server IP (Member IP enabled in DNS section/where DNS license is installed) 

  • Click Save & Close 

 

Named ACLs: Administration –> Named ACLs 

  • We can create ACEs (Access Control Entries) 

  • This is applied on a Grid member to allow queries only from specific subnets 

  • So if we add an IPv4 network to the ACL, only that subnet will be able to query our Grid Member/DNS server 

  • All other IPs will not be able to query 

    • Data Management –> DNS –> Members/Servers 

    • Select member and click Edit 

    • Select Queries in the left pane to add the ACL 

    OR 

    • Data Management –> DNS –> Members/Servers –> Toolbar –> Grid DNS Properties 

    • Select Queries in the left pane to add the ACL 

    Note:  

    • Members will inherit from the Grid DNS Properties 

    • Zones will inherit from the members 

    • Records inside the zone will inherit from the zone 

 

DNS Forwarder:  

  • If the DNS server does not have the answer (IP), it forwards the DNS query to another DNS server, which supplies the answer (IP) to return to the user 

  • By default, a member's forwarder is the root servers 

  • Select member and click Edit 

  • Select Forwarders in the left pane (Generally, it inherits from Grid DNS Properties) 

  • Click override to add forwarders 

     

 

Name Servers: Data Management –> DNS –> Name Server Groups 

  • This is required to include multiple DNS servers in one group like primary, secondary, tertiary name servers 

  • We can add our own DNS server (Grid Members) and External DNS servers as well 

  • Types: 

    1. Authoritative 

    2. Delegation – this will be enabled only when you select any parent Authoritative Zone (Delegation is a subzone) 

    3. Forwarding Member 

    4. Forward/Stub Server 

    5. Stub Member 

  • Once name server group is created, we can call them in zones 

 

Authoritative Name server: 

  • The DNS servers added answer the requesting client directly and do not forward the request to any other DNS server 

  • Data Management –> DNS –> Name Server Groups –> Click + to add Authoritative 

  • Click + under Name Servers to add 

    • Grid Primary – DDI member 

    • Grid Secondary 

    • External Primary 

    • External Secondary 

 

Zones: Data Management –> DNS –> Zones 

Types: 

  1. Authoritative Zone 

  2. Forward Zone 

  3. Stub Zone 

  4. Delegation 

 

Authoritative zones: 

  • Authoritative zones will have records and subzones 

  • As it will have records (A, CNAME, AAAA, PTR etc.), it will answer the DNS query by itself 

  • We can create the records as required  

  • Forward Mapping zone – Name to IP address (A Record) 

  • Reverse Mapping zone – IP address to Name (PTR Record) 

  • Data Management –> DNS –> Zones –> Click + to add Authoritative Zone (nwsknowledgebase.com) 

  • We can add Name servers directly or call out the name server group here 

 

  • Click the authoritative zone to see Records and subzones tabs 

  • Click + to see the options under each tab 

  • Subzone can be  

    • Authoritative zone (admin.nwsknowledgebase.com) and call out name servers 

    • Forward zone 

    • Stub zone 

    • Delegation 

  • We can create multiple subzones and nested subzones (subzone under subzone) 

 

Zone Transfer:  

  • When we create an Authoritative name server group with external DNS servers 

  • An Authoritative zone is created for these external DNS servers, which means we reference the name server group in the zone 

  • We need to enable zone transfer on the external DNS server so that it sends the records to the DDI member (for example, Microsoft DNS) 

    • Select the zone (name will be same as we create in infoblox) under Forward Lookup zones in Microsoft DNS Server 

    • Right click and properties  

    • Zone Transfers –> Click “Allow Zone Transfers” 

    • Select “Only to the following servers” and add DDI member 

    • Click OK 

  • All the data (records) will be transferred from the Microsoft DNS server to the DDI member (read-only copy) 

 

Clear DNS Cache in Infoblox: 

Data Management –> DNS –> Members/Servers –> select the Grid Member –> Toolbar –> Clear –> Clear DNS Cache 

 

 

Delegation zone: 

  • Zone delegation is how a parent zone signals to DNS resolvers that authority for a child zone is served by a different set of servers 

  • A delegated zone is a zone managed by (delegated to) another name server that owns the authority for the zone 

  • This is enabled only when you select a parent Authoritative Zone (a delegation is basically a subzone) 

  • Data Management –> DNS –> Zones –> select an Authoritative zone –> Click + to add Delegation zone 

  • Select the zone (the name must be the same as the one created on the external DNS server) 

  • The name server must be set to the FQDN and IP of the external zone's name server 

 

Forward Zone: 

  • A forward zone is where queries are sent before being forwarded to other remote name servers 

  • We specify one or more name servers that can resolve queries for the zone 

  • Data Management –> DNS –> Zones –> Click + to add Forward zone 

  • Add Name servers 

  • Enable “Use Forwarders only”  

    • If we enable this, the Infoblox member does not reply (no answer to the client's DNS query) when the forwarder is not reachable or has failed 

    • If we do not enable this, and the forwarder is not reachable or has failed, Infoblox asks the default forwarders instead 
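The two behaviours of “Use Forwarders only” can be traced in a small resolver model: zone forwarders are tried in order, and only when every one of them times out does the flag decide between returning no answer and falling back to the default forwarders. This is an added illustration, not NIOS code; the forwarder addresses, their reachability and the canned answers are a constructed table standing in for the network, and the `resolve` function and its status names are assumptions made for the example.

```python
from __future__ import annotations

TIMEOUT = "TIMEOUT"   # sentinel: forwarder unreachable / failed
NXDOMAIN = None       # sentinel: forwarder answered, but the name does not exist

# Constructed table standing in for the network: forwarder IP -> (reachable, {name: address})
SERVERS = {
    "192.0.2.10": (True, {"app.partner.example": "198.51.100.7"}),
    "192.0.2.11": (False, {}),
    "192.0.2.53": (True, {"app.partner.example": "203.0.113.9", "www.example": "203.0.113.80"}),
}


def ask(server: str, name: str):
    """Simulated upstream query: TIMEOUT if the server is down, else its answer or NXDOMAIN."""
    reachable, answers = SERVERS.get(server, (False, {}))
    if not reachable:
        return TIMEOUT
    return answers.get(name, NXDOMAIN)


def matching_forward_zone(name: str, forward_zones: dict) -> str | None:
    """Longest-suffix match of the query name against the configured forward zones."""
    for zone in sorted(forward_zones, key=len, reverse=True):
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def _result(reply, via, tried) -> dict:
    if reply == TIMEOUT:
        status = "SERVFAIL"
    elif reply is NXDOMAIN:
        status = "NXDOMAIN"
    else:
        status = "NOERROR"
    answer = None if status != "NOERROR" else reply
    return {"status": status, "answer": answer, "via": via, "tried": list(tried)}


def resolve(name: str, forward_zones: dict, default_forwarders: list[str]) -> dict:
    """forward_zones: {zone: {"forwarders": [...], "forwarders_only": bool}}.
    Zone forwarders are tried in order. A reply (even NXDOMAIN) ends the query;
    only when all of them time out does 'forwarders_only' decide between giving
    up (SERVFAIL, no answer to the client) and falling back to the default forwarders."""
    tried: list[str] = []
    zone = matching_forward_zone(name, forward_zones)
    if zone is not None:
        cfg = forward_zones[zone]
        for fw in cfg["forwarders"]:
            tried.append(fw)
            reply = ask(fw, name)
            if reply != TIMEOUT:
                return _result(reply, fw, tried)
        if cfg["forwarders_only"]:
            return _result(TIMEOUT, None, tried)   # Use Forwarders only: no fallback
    for fw in default_forwarders:                  # default (Grid/member) forwarders
        tried.append(fw)
        reply = ask(fw, name)
        if reply != TIMEOUT:
            return _result(reply, fw, tried)
    return _result(TIMEOUT, None, tried)


if __name__ == "__main__":
    zone_down = {"partner.example": {"forwarders": ["192.0.2.11"], "forwarders_only": True}}
    print(resolve("app.partner.example", zone_down, ["192.0.2.53"]))        # SERVFAIL, no fallback
    zone_down["partner.example"]["forwarders_only"] = False
    print(resolve("app.partner.example", zone_down, ["192.0.2.53"]))        # answered via default forwarder
```

The second run is the case that surprises people: with the flag off, a failed partner forwarder silently produces an answer from a different server, which may be a different (public) address for the same name. With the flag on, the failure is visible to the client as no answer, which is easier to detect but is an outage for that zone.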

 

Stub Zone: 

  • A stub zone contains only the records that identify the authoritative name servers of another zone (SOA, NS and glue); the member sends queries for that zone straight to those servers and keeps the NS list refreshed from them, unlike a forward zone, which relies on fixed forwarder addresses 

 

DNSSEC: 

  • To apply DNSSEC: Data Management –> DNS –> Toolbar –> Grid DNS Properties 

    • Click DNSSEC in the left pane 

    • Check “Enable DNSSEC” 

    • Scroll down and check “Enable DNSSEC Validation” so that answers obtained by recursion from external servers are validated against the trust anchors (signing our own zones and validating others’ are independent settings) 

    • Click + under Trust Anchors to add the DNS key of the root zone 

      #dig @a.root-servers.net . dnskey +multi (to get the DNSKEY records of the root zone; +multi labels each key as KSK or ZSK) 

      Two keys (more during a key rollover) are returned in the answer section; use the one with flags 257, the KSK, not the 256 ZSK, which is rotated frequently and would break validation when it rolls. Because dig fetches this over plain DNS, compare the key (or its DS) with the root trust anchor IANA publishes at https://data.iana.org/root-anchors/ before trusting it 

    • Put . (dot) under zone, select the algorithm shown in the record and paste the public key 

    • Click Save & Close 

  • This will be inherited by members and name servers 

  • We need to enable DNSSEC on zones 

    • Select the zone 

    • Toolbar –> DNSSEC –> Sign Zones 

    • Select the zone and click Sign Zones 

    • Click Yes for Confirm Zone Signing 

  • Multiple records (DNSKEY, RRSIG, NSEC3 etc.) will be created inside the zone 

  • Publish the DS record of our KSK in the parent zone through the registrar so that validating resolvers can build the chain of trust to our zone (a signed zone with no DS in the parent is simply not validated) 

    • Toolbar –> DNSSEC –> Export Trust Anchors 

    • Select format “DS Records” 

    • Click Export 
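Worked example, added to these notes and not Infoblox code: picking the right trust anchor out of dig’s DNSKEY answer (flags 257 = KSK, never the 256 ZSK) and producing the DS record that the Export Trust Anchors step hands to the registrar. The DNSKEY lines, key material and resulting key tags are constructed for the example; the real root KSK is a 2048-bit RSA key and its DS must be compared against the IANA root anchors.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY answer in the form `dig @a.root-servers.net . dnskey` prints
# (owner, TTL, class, type, flags, protocol, algorithm, base64 key). The key
# material and key tags are made up for this example; the real root KSK is a
# 2048-bit RSA key and must be compared with https://data.iana.org/root-anchors/
SAMPLE_DIG_ANSWER = """\
.\t172800\tIN\tDNSKEY\t256 3 8 AQIDBA==
.\t172800\tIN\tDNSKEY\t257 3 8 AQIDBA==
"""

KSK_FLAGS = 257  # Zone Key bit + Secure Entry Point bit (RFC 4034 section 2.1.1)


def parse_dnskeys(text):
    """Parse dig-style DNSKEY lines; other record types and comments are skipped."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        keys.append({
            "owner": fields[0],
            "flags": int(fields[4]),
            "protocol": int(fields[5]),
            "algorithm": int(fields[6]),
            "pubkey": base64.b64decode("".join(fields[7:])),
        })
    return keys


def dnskey_rdata(key):
    """Wire-format RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(key):
    """Key tag from RFC 4034 Appendix B (algorithm 1 uses a different formula, not handled)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Wire-format owner name in lowercase; the root '.' is a single zero byte."""
    if name in (".", ""):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(key):
    """DS record with a SHA-256 digest (digest type 2, RFC 4509) over owner + RDATA."""
    digest = hashlib.sha256(owner_wire(key["owner"]) + dnskey_rdata(key)).hexdigest().upper()
    return "{} IN DS {} {} 2 {}".format(key["owner"], key_tag(key), key["algorithm"], digest)


def select_trust_anchors(keys):
    """Only keys with the SEP bit (flags 257, the KSK) belong in Trust Anchors.
    A ZSK (flags 256) is rolled frequently and validation breaks when it rolls."""
    return [k for k in keys if k["flags"] == KSK_FLAGS]


if __name__ == "__main__":
    for k in select_trust_anchors(parse_dnskeys(SAMPLE_DIG_ANSWER)):
        print("trust anchor key tag:", key_tag(k))
        print(ds_record(k))
```

The same key_tag and ds_record functions apply to our own signed zone: run them over the DNSKEY with flags 257 from our zone and the output must match the DS produced by Export Trust Anchors before it is sent to the registrar.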

 

DNS Views (Split Horizon): 

  • A feature that lets the DNS server give different answers for the same name according to the view that handled the query 

  • The view is chosen by an access control list (Match Clients) on the source address of the query, so a client only ever sees the zones and records of the view its address matches 

  • It is common for DNS administrators to have two or three DNS views, such as Internal, External and Dev; records meant for internal clients only must not be copied into the external view 

 

 

  • We see a default view when we open Data management –> DNS 

  • To create another view: Data Management –> DNS –> Toolbar –> Add –> DNS View 

  • Once created, select the view (Data Management –> DNS) and click Edit 

  • Select Match Clients in the left pane to add ACL, ACEs to match only those networks in the new view 

  • Zones should be created again as required in the new view 

  • If we create the zone with the same name (as in the default view) in the new view, we can copy its records 

  • Go to the default view, select the zone, Toolbar –> Copy Records 

  • Under destination zone click Select Zone, change the DNS view to the new one and select the zone 

  • Click Copy & Close 

 

  • We can also create a shared record, Toolbar –> Add –> Shared Record 

  • A Shared Record Group must exist before a shared record can be created 

    • Data Management –> DNS –> Shared Record Groups 

    • Click + to add one 

    • Select the zones in both views 

    • Click Save & Close 

  • Select the shared record group and click + to add a shared record 

  • Shared records are only possible for A, AAAA, CNAME, MX, SRV and TXT records 

  • If we create a shared A record, whichever view receives the client’s query, both views give the same answer 

  • To get different answers per view, go to the view –> zone –> record and edit the IP address as required in that view’s own (non-shared) record 

 

  • The order of DNS views on each member (used when choosing which view answers a client) is very important: views are evaluated top to bottom and the first one whose Match Clients ACL permits the source address wins, like firewall rules, so a catch-all view (Match Clients: any) must be last or every client lands in it 

  • Select any member and click Edit 

  • Click DNS Views in the left pane 

  • Order of DNS views – manually – select the order as required 
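Worked example, added to these notes and not Infoblox code, of how a member picks the view for a query: views are tried in their configured order, each with an ordered Match Clients ACL where a leading ! denies the entry, and the first view that permits the client’s source address answers. The view names, networks, zone records and shared record are constructed; the second view list shows the failure mode when the catch-all view is ordered first.

```python
import ipaddress

# Constructed view configuration (not taken from the page). Each view carries a
# Match Clients ACL as ordered ACEs; a leading "!" denies that entry, as in
# NIOS/BIND ACL syntax. Views are evaluated in list order; the first view whose
# ACL permits the client's source address answers the query.
VIEWS_GOOD_ORDER = [
    {"name": "internal",
     "match_clients": ["!10.0.99.0/24", "10.0.0.0/8", "192.168.0.0/16"],  # guest net excluded
     "zones": {"app.example.com": "10.0.5.20"}},
    {"name": "external",
     "match_clients": ["any"],
     "zones": {"app.example.com": "203.0.113.20"}},
]

# Same two views with the catch-all first: every client lands in "external".
VIEWS_BAD_ORDER = list(reversed(VIEWS_GOOD_ORDER))

# Shared record group: one record returned identically from both views.
SHARED_RECORDS = {"ntp.example.com": "10.0.0.123"}


def acl_permits(acl, client_ip):
    """Evaluate an ordered ACL; the first matching ACE decides, implicit deny at the end."""
    ip = ipaddress.ip_address(client_ip)
    for ace in acl:
        negate = ace.startswith("!")
        entry = ace.lstrip("!")
        hit = entry == "any" or ip in ipaddress.ip_network(entry, strict=False)
        if hit:
            return not negate
    return False


def select_view(views, client_ip):
    """Return the name of the first view whose Match Clients ACL permits the client."""
    for view in views:
        if acl_permits(view["match_clients"], client_ip):
            return view["name"]
    return None


def resolve(views, client_ip, qname):
    """Answer a query from the selected view; shared records fall through to all views."""
    view_name = select_view(views, client_ip)
    if view_name is None:
        return None, None  # no view matched: the query is refused
    view = next(v for v in views if v["name"] == view_name)
    answer = view["zones"].get(qname, SHARED_RECORDS.get(qname))
    return view_name, answer


if __name__ == "__main__":
    for client in ("10.0.5.7", "10.0.99.4", "198.51.100.9"):
        print(client, resolve(VIEWS_GOOD_ORDER, client, "app.example.com"),
              "misordered:", resolve(VIEWS_BAD_ORDER, client, "app.example.com"))
```

Running it shows the internal client 10.0.5.7 receiving the private address only when "internal" is ordered first; with the catch-all first, the same client is answered from "external", which is exactly the misconfiguration the ordering bullet above warns about.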

 

DNS RPZ: 

  • Infoblox applies DNS RPZ (Response Policy Zones) through DNS Firewall, using threat intelligence from the Infoblox cloud that lists malicious domains and IPs 

  • Policy actions are applied when clients try to resolve malicious domains (or when an answer contains a listed IP) 

  • An RPZ can be created locally or obtained as a feed from BloxOne Threat Defense cloud 

  • Prerequisites:  

    • RPZ needs a specific license 

    • Recursion must be enabled on the member (RPZ is applied to recursive queries); enable RPZ logging and, if a reporting member exists, forwarding of security events to it 

 

 

  • Login to DDI via CLI 

>set temp_license 

  • Select 13 (Add Response Policy Zones license); the menu numbers differ between NIOS versions, so choose the entry by its text, and remember that temporary licenses expire after 60 days 

  • Restart the GUI to see  

    • Grid –> Licenses –> Grid Wide –> RPZ Feature 

    • Data Management –> DNS –> Response Policy Zones 

 

  • RPZ is a normal zone that contains some resource records whether local or through a feed 

 

  • Policy Actions: 

    • None (Given): no override; each rule inside the zone applies its own action / log to reporting 

    • Log Only (Disabled): the zone’s rules are matched and logged (syslog/reporting) but not enforced, traffic passes; useful for testing a new feed before blocking 

    • Block (No Data): response with an empty answer section “NODATA” / log to reporting  

    • Block (No Such Domain): NXDOMAIN response to clients / log to reporting 

    • Passthru: the query is resolved and answered normally and no later RPZ is consulted / log to reporting 

    • Substitute (Domain Name): the client receives a substitute name (for example a sinkhole or walled-garden host) instead of the answer for the queried domain / log to reporting 

 

  • Severity: Syslog severity level // Choose according to the policy actions 

    • Informational — For example, set for any whitelist 

    • Major 

    • Critical — For example, set for any blocklist 

    • Warning 

 

  • RPZ Policy Order: policy zones are evaluated top to bottom and the first match wins; local RPZs, especially the passthru/whitelist zone, must be placed above the feed RPZs, otherwise a feed entry can block a domain the local zone was meant to allow 

    • Data Management –> DNS –> Response Policy Zones –> Toolbar –> Order Response Policy zones 

 

  • Rules Types: For each action you have for the rule there are three main components 

    • Domain Name — Apply action for the queried domain “QUERY”  

    • IP Address — Apply action on the returned IP address in response “RESPONSE”  

    • Client IP Address — Apply action on the client’s “Requester” IP address 

 

  • Feed RPZ (BloxOne Threat Defense):  

    • The important part here is to install the Feed RPZs obtained from BloxOne; they contain multiple lists of malicious domains and IPs (ransomware, malware, etc.)  

    • After purchasing the RPZ license from Infoblox, we also receive an account to access https://csp.Infoblox.com 

    • This portal provides the feed details needed to pull the feed data into our environment 

 

  • Feed RPZ Configurations:  

    • Navigate to https://csp.Infoblox.com 

    • Login with the pre-gained account and password from Infoblox 

    • Navigate to Policies –> On-Premise DNS Firewall to configure the On-Premise DNS Firewall service 

    • Click Feed Configuration Values to see the NIOS feed values (feed zone names and related settings) provided for your subscription. Copy these values to a text editor, as they are needed later for the NIOS configuration 

    • Distribution Server Details: open this section to take the addresses of the servers that NIOS will pull the feed from (feeds arrive as zone transfers, so the member must be able to reach these servers) 

 

Response Policy Zones: Data Management –> DNS –> Response Policy Zones 

  • Click + to Add  

  • Select Add Local Response Policy Zone 

  • Give name, select Policy Override (policy action), select severity and click Next 

  • Select the name server group 

  • Click Save & Close 

 

  • Select the created policy zone/name to go inside 

  • Click + to create a rule 

    • Passthru Rule 

    • Block (No Such Domain) Rule 

    • Block (No Data) Rule 

    • Substitute (Domain Name) Rule 

    • Substitute (Record) Rule 

 

Note:  We can create Domain Name OR IP address OR Client IP address Rules under above categories 

 

  • Add the data as required 

 

  • To reorder the policy zones, Toolbar –> Order Response Policy zones 

 

  • Whenever a client query reaches a name server that serves the RPZ (the name server group selected when creating the zone), the query and its answer are matched against the policy zones in their configured order and the first matching rule’s policy action is taken 
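Worked example, added to these notes and not Infoblox code, that ties together the policy actions, the three rule types (domain name / QNAME, response IP, client IP) and the policy order: zones are evaluated top to bottom, the first enforced match wins, and a zone whose override is Log Only is skipped. The zone names, rules, networks and the feed’s false positive are constructed. It is a simplification: a real resolver also applies a fixed precedence among trigger types inside one zone, which here collapses to rule order, and response-IP rules only fire after the answer is known.

```python
import ipaddress

# Constructed RPZ configuration (not from the page). Zones are evaluated in the
# order listed; rule types are QNAME ("domain"), response IP ("ip") and
# client IP ("client_ip"). Policy override "none" means each rule's own action
# applies; "log_only" means the zone is disabled (hits logged, not enforced).
RPZ_ZONES = [
    {"name": "rpz-local-allow", "override": "none", "rules": [
        {"type": "domain", "match": "updates.example-av.com", "action": "passthru"},
        {"type": "client_ip", "match": "10.0.50.0/24", "action": "passthru"},  # malware sandbox net
    ]},
    {"name": "rpz-local-block", "override": "none", "rules": [
        {"type": "domain", "match": "*.bad.example", "action": "nxdomain"},
        {"type": "ip", "match": "192.0.2.0/24", "action": "nodata"},  # known bad address range
    ]},
    {"name": "rpz-feed-malware", "override": "none", "rules": [
        {"type": "domain", "match": "updates.example-av.com", "action": "nxdomain"},  # feed false positive
        {"type": "domain", "match": "login.phish.example", "action": "substitute",
         "target": "sinkhole.example.net"},
    ]},
]


def domain_matches(pattern, qname):
    """QNAME trigger; a '*.' pattern covers the name itself and every subdomain."""
    qname = qname.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return qname == suffix or qname.endswith("." + suffix)
    return qname == pattern


def rule_matches(rule, qname, client_ip, answer_ips):
    if rule["type"] == "domain":
        return domain_matches(rule["match"], qname)
    if rule["type"] == "client_ip":
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule["match"], strict=False)
    if rule["type"] == "ip":  # response trigger: only usable once the answer is known
        net = ipaddress.ip_network(rule["match"], strict=False)
        return any(ipaddress.ip_address(a) in net for a in answer_ips)
    raise ValueError("unknown rule type: " + rule["type"])


def evaluate(zones, qname, client_ip, answer_ips=()):
    """First enforced match wins; returns the zone, rule and action that fired."""
    for zone in zones:
        if zone["override"] == "log_only":
            continue  # a real member logs the hit; evaluation moves on to the next zone
        for rule in zone["rules"]:
            if not rule_matches(rule, qname, client_ip, answer_ips):
                continue
            action = rule["action"] if zone["override"] == "none" else zone["override"]
            return {"zone": zone["name"], "rule": rule["match"], "action": action,
                    "target": rule.get("target")}
    return {"zone": None, "rule": None, "action": "resolve", "target": None}


if __name__ == "__main__":
    print(evaluate(RPZ_ZONES, "c2.bad.example", "10.0.1.5"))
    print(evaluate(RPZ_ZONES, "updates.example-av.com", "10.0.1.5"))
    print("feed first:", evaluate(list(reversed(RPZ_ZONES)), "updates.example-av.com", "10.0.1.5"))
```

The last print is the ordering mistake: with the feed zone above the local allow zone, the antivirus update domain is answered NXDOMAIN even though a passthru rule exists for it.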

 

  • To check the log 

    • Administration –> Logs –> syslog 

    • Member: select the DDI member 

    • Quick Filter: RPZ Incident logs 

 

Infoblox Advanced DNS Protection (ADP): 

  • The Infoblox Advanced DNS Protection solution employs threat protection rules to detect, report on and stop multiple types of DNS attacks, such as 

    • DNS Exfiltration: extracting data out of the environment encoded inside DNS queries and records 

    • Non-Existence Attacks: floods of queries for names that do not exist (random subdomain / NXDOMAIN attacks) that fill the cache and exhaust the resolver 

    • Cache Poisoning: injecting forged answers into the DNS server’s cache 

    • Denial of Service Attacks: 

      • Layer 7 attacks (DNS query floods, DoS / DDoS) 

      • Layer 3/4 attacks (Ping of Death, TCP SYN flood) 

  • We can deploy the Advanced DNS Protection solution on hardware-accelerated appliances (physical appliances only) as well as software-based appliances (both physical and virtual) in the Grid 

  • It detects DNS attacks through predefined and custom threat protection rules and mitigates them by dropping the offending packets while responding only to legitimate traffic 

  • With valid licenses installed, we can subscribe to automatic rule updates that deliver near real-time protection against new and emerging attacks 

  • The ADP engine drops traffic that matches a ruleset, and also drops traffic that exceeds the limits defined in the rate-based rules; badly tuned thresholds therefore drop legitimate clients, so review the dropped-traffic reports after enabling it 

 

License Types: 

Threat Protection – Enabling ADP feature 

Threat Update – Obtaining latest ruleset from Infoblox cloud portal 

 

>set temp_license 

  • Select 12 (Add Threat Protection (software add-on) license) 

  • Select 13 (Add Threat Protection update license) 

  • The menu numbers differ between NIOS versions, so choose by the entry text; the system will restart after adding these licenses 

 

Downloading Needed Ruleset: 

  • ADP works with a ruleset consisting of many rules that protect DNS traffic against the attack types above  

  • We need to download the ruleset, load it into the ADP engine and keep it updated 

  • Both the download and the activation (update) of a ruleset can be done manually or automatically 

  • With the rule update policy set to Automatic, a downloaded ruleset is applied directly; with Manual, it must be applied by hand after review 

 

  • Data Management –> Security –> Threat Protection Rules 

  • Click + to add 

  • Select file that we downloaded from support site and upload 

 

  • Data Management –> Security –> Threat Protection Rules –> Toolbar –> Grid Security Properties 

  • Click Threat Protection in the left pane 

  • Check “Enable Automatic Ruleset Downloads” under Threat protection rule set updates 

  • Click Test connection to see connection status to Infoblox portal 

  • Click Download Rules now to download the ruleset automatically from the support portal 

  • Rule Update policy: Automatic or Manual 

 

  • Rulesets are referenced by profiles, Data Management –> Security –> Profiles 

  • Profiles are then assigned to members, Data Management –> Security –> Members 

 

To activate the Threat Protection Service in Member: 

  • Grid –> Grid Manager –> Threat Protection –> Services 

  • Select the member, click Play/start button 

  • The member now enforces the threat protection profile assigned to it; this is not a guarantee against every DNS attack, so check the Threat Protection reports and dropped-packet counters after enabling it to confirm it is seeing and blocking traffic as expected 

 

Infoblox Threat Insight: 

  • A solution from Infoblox that protects against data exfiltration and DNS tunneling attacks 

  • Integrates with DNS Firewall (RPZ), uses machine learning and performs real-time streaming analytics on live DNS queries (behavioral analysis) 

  • It looks for signs of data exfiltration or tunneling in the query stream; once a destination domain is detected, it is automatically added to a DNS Firewall (RPZ) zone so that further queries to it are blocked 

 

  • The Threat Insight module inspects each query and its details to decide whether it is malicious 

    • Does the name look like a normal hostname, or like meaningless encoded data (for example abcdef.test.local)? Random-looking, high-entropy labels indicate data encoded into the name 

    • Is the same domain queried many times per second? A sustained burst of unique subdomains of one domain is the signature of a tunnel 

    • Payload size: normal queries are small, whereas exfiltration queries carry large payloads (long names, many bytes per query) 

 

  • The integration with DNS Firewall requires a dedicated RPZ to which Threat Insight writes the detected domains so they are blocked; at the same time a whitelist must be maintained to pass traffic for specific domains that legitimately carry data over DNS, such as antivirus vendors’ reputation lookups 

  • Threat Insight runs on the member itself and needs resources on the appliance for the analytics 
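Worked example, added to these notes and not Infoblox code (Infoblox does not publish its model), showing the three signals the bullets above describe run over a constructed query log: label length and character entropy (encoded data), queries per second to the same parent domain (rate) and bytes per query (payload size). A whitelisted antivirus lookup domain with the same traffic pattern is skipped, and a detection is turned into the RPZ block rule that the integration with DNS Firewall would write. All names, addresses, thresholds and log lines are constructed.

```python
import math
from collections import defaultdict

# Constructed query log (timestamp in seconds, client, qname, query size in bytes),
# not real data. The 32-character hex labels mimic data encoded into subdomains.
SAMPLE_QUERIES = [
    (0.0, "10.0.1.5", "www.example.com", 44),
    (0.1, "10.0.1.5", "mail.example.com", 45),
    (0.2, "10.0.1.7", "0123456789abcdef0123456789abcdef.exfil.example.net", 80),
    (0.3, "10.0.1.7", "fedcba9876543210fedcba9876543210.exfil.example.net", 80),
    (0.4, "10.0.1.7", "00112233445566778899aabbccddeeff.exfil.example.net", 80),
    (0.5, "10.0.1.7", "ffeeddccbbaa99887766554433221100.exfil.example.net", 80),
    (0.6, "10.0.1.7", "0f1e2d3c4b5a69788796a5b4c3d2e1f0.exfil.example.net", 80),
    (0.7, "10.0.1.9", "0123456789abcdef0123456789abcdef.lookup.example-av.com", 84),
    (0.8, "10.0.1.9", "fedcba9876543210fedcba9876543210.lookup.example-av.com", 84),
    (0.9, "10.0.1.9", "00112233445566778899aabbccddeeff.lookup.example-av.com", 84),
    (1.0, "10.0.1.9", "ffeeddccbbaa99887766554433221100.lookup.example-av.com", 84),
    (1.1, "10.0.1.9", "0f1e2d3c4b5a69788796a5b4c3d2e1f0.lookup.example-av.com", 84),
]

# Domains that legitimately carry data in DNS (e.g. antivirus reputation lookups);
# this plays the role of the Threat Analytics whitelist.
WHITELIST = {"lookup.example-av.com"}

# Illustrative thresholds; Infoblox does not publish the exact model it uses.
MIN_LABEL_LEN = 30        # encoded chunks are long
MIN_ENTROPY_BITS = 3.5    # random/encoded text, not words
MIN_ENCODED_LABELS = 3    # several chunks, not one odd hostname
MIN_PEAK_QPS = 4          # burst to the same domain within one second
MIN_AVG_SIZE = 64         # bytes per query


def shannon_entropy(s):
    """Bits of entropy per character over the label's character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """The domain the data is being sent to: the name with its first label removed."""
    return ".".join(qname.rstrip(".").lower().split(".")[1:])


def whitelisted(qname):
    q = qname.rstrip(".").lower()
    return any(q == w or q.endswith("." + w) for w in WHITELIST)


def detect_tunnelling(queries):
    """Return {domain: evidence} for domains showing encoded, bursty, large queries."""
    per_domain = defaultdict(list)
    for ts, _client, qname, size in queries:
        if whitelisted(qname):
            continue  # whitelisted domains are never analysed
        per_domain[parent_domain(qname)].append((ts, qname, size))

    flagged = {}
    for domain, rows in per_domain.items():
        first_labels = [q.split(".")[0] for _, q, _ in rows]
        encoded = sum(1 for lbl in first_labels
                      if len(lbl) >= MIN_LABEL_LEN and shannon_entropy(lbl) >= MIN_ENTROPY_BITS)
        per_second = defaultdict(int)
        for ts, _, _ in rows:
            per_second[int(ts)] += 1
        peak_qps = max(per_second.values())
        avg_size = sum(s for _, _, s in rows) / len(rows)
        if encoded >= MIN_ENCODED_LABELS and peak_qps >= MIN_PEAK_QPS and avg_size >= MIN_AVG_SIZE:
            flagged[domain] = {"encoded_labels": encoded, "peak_qps": peak_qps, "avg_size": avg_size}
    return flagged


def rpz_block_rules(flagged):
    """Rules Threat Insight would push into its RPZ: block the whole tunnel domain."""
    return [{"type": "domain", "match": "*." + d, "action": "nxdomain"} for d in sorted(flagged)]


if __name__ == "__main__":
    hits = detect_tunnelling(SAMPLE_QUERIES)
    print(hits)
    print(rpz_block_rules(hits))
```

Note that the whitelist entry is what keeps the antivirus domain out of the RPZ even though its traffic is indistinguishable from the tunnel; this is why the whitelist has to be populated before the service is started, not after the first false positive has already been blocked.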

 

  • DNS Service should be running on the member for threat analytics to work 

    • Data management –> DNS –> Members/Servers 

  • To use this feature we need the DNS license plus the Threat Analytics license on the member (and the RPZ license, since detections are written into an RPZ) 

    >set temp_license 

    • Select Add Response Policy Zones License 

    • Select Threat Analytics License 

     

    • Restart GUI to see the Threat analytics tab 

    • Data Management –> Threat Analytics  

      • Members: Service running on them (DNS service should be running) 

      • Whitelist: To be able to set domains that will not be scanned through this feature 

     

  • Create a Response Policy Zone as required with name servers 

  • Call out this RPZ in Grid Threat Analytics Properties (Data Management –> Threat Analytics –> Toolbar) 

    • Click DNS Threat Analytics in the left pane 

    • Select the RPZ 

    • Click save & close 

     

    • Click updates in the left pane 

    • Check “Enable Automatic Whitelist updates” under Whitelist updates 

    • Click Test connection to see connection status to Infoblox portal 

    • Click Download Whitelist now to download the list automatically from the support portal 

 

  • Data Management –> Threat Analytics –> Members 

    • Select the member and click play/start to start the Threat Analytics service 

 

  • If any domain is detected, it will be listed under RPZ (Data Management –> DNS –> Response Policy Zones) 

    • Click the zone to go inside 

    • If an entry is a false positive, select the domain and edit it as required, or add the domain to the Threat Analytics whitelist so it is no longer analyzed 

 

IPAM (IP Address Management): 

  • Managing addresses and their attributes across networks 

  • Tracking IP addresses and investigating them; extensible attributes add information (owner, site, etc.) to each entry  

  • IPAM Views 

    • LIST View 

    • MAP View 

  • We could do multiple actions from IPAM tool on the ip address 

    • View information 

    • Convert lease to: Host record OR A record OR PTR record OR Fixed Address 

  • Containers: We can create network container that will add multiple networks inside one big container like CON-172.16.0.0/16 

    • NET-172.16.20.0/24 

    • NET-172.16.21.0/24 

  • IPAM Address Utilization: shows the number of addresses in use as a percentage of the total addresses in the network 

  • Data Management –> IPAM 

  • We can search for the IP and create A/PTR record etc directly from here 

 

IP Discovery: It is a feature from IPAM tool to detect and obtain information about an active host 

Data Management –> IPAM –> Toolbar –> Discovery 

  

IP vDiscovery: It is used to discover virtual entities and interfaces, such as vSwitches, VMware and AWS instances, etc. 

Data Management –> IPAM –> Toolbar –> vDiscovery 

 

IP Discovery vs Network Insight:  

  • IP Discovery is a feature inside NIOS, it’s free,  no license required 

  • Network Insight is a dedicated appliance with its own license that gives very detailed information about the existing devices and their types (firewalls, routers, load balancers, etc.) 

 

Reporting Overview: 

  • The Reporter (“Reporting Member”) is a member whose only job is collecting, processing and indexing reporting data from the grid members 

  • The Reporter then converts the collected data into events that can be searched 

  • The Infoblox Reporter is built on the Splunk engine for its collecting, indexing and reporting features 

  • During member configuration, each member must be configured as a forwarder to the reporting server if we want its data to appear in reports 

 

Reporter Deployment Scenarios: 

  1. Single reporting server 

  2. Single-site cluster: provides scalability for storage but no replication of data between reporters; they only work together and members send data to both reporters 

    • The search head runs on one node of the cluster (making searches faster) 

  3. Multi-site cluster: a multi-site cluster must have at least two sites with two reporting members in each site 

    • One site must be defined as primary; the search head runs on a member in that site 

    • All members of the grid send data to the indexers in the primary site 

 

Grid Reporting Properties:  

  • Used to configure our grid members as forwarders that send data to the reporter 

  • Enable data indexing: forces the grid members to send data to the reporting server  

  • Set the index percentage for each category, since the reporter’s storage is limited; once the limit of any index percentage is reached, the oldest data in that index is removed (plan retention so that security events such as RPZ hits are not aged out before they are reviewed) 

 

Administration –> Reporting –> Toolbar –> Grid Reporting Properties 

 

Reporting App Components: 

Dashboards – System and custom dashboards that result according to specific search results  

Reports – Searches that are shown in a report format  

Alerts – Searches that trigger specific actions 

Search – Creating searches and save them as a dashboard , alert or reports 

 

Audit log: Administration –> Logs –> Audit Log 

 

Audit log rolling: a way of keeping storage stable as the audit log grows, keeping only 10 log files (numbered 0-9) with a maximum size of 100 MB each; older files are overwritten, so forward the audit log to an external syslog server or the reporter if a longer history is needed 

Infoblox Grid properties –> Security –> Check “Enable Audit Log Rolling” 
