deploy dfp
I am going to deploy Infoblox DNS security (BloxOne) using DFP deployed on VMware.
How many DFPs should I deploy?
Should I disable root hints on Microsoft DNS?
Answers
If you want all your recursive DNS queries to go through Threat Defense and still have your clients use your Microsoft servers as primary DNS servers, put the IPs of one or more on-prem DFPs in the forwarder config of your Microsoft DNS servers. If you have at least two DFPs, you can also give them an anycast IP address that you can use for redundancy. You can leave root hints active on your Microsoft servers, as forwarders take precedence, and use the "Use root hints if no forwarders are available" checkbox as a fallback if both DFPs die. But it all depends on your setup. Also make sure that in your Threat Defense policies you block the most popular DoH servers for your clients, and that only your DNS servers and DFPs are allowed to make DNS queries to the internet, while normal clients are blocked on TCP/UDP port 53 and DoT port 853.
https://docs.infoblox.com/space/BloxOneThreatDefense/337117729/Best+Practices+for+Using+DNS+Fallback
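
The forwarder setup and the client egress restriction described in the answer above can be applied and checked from PowerShell. This is an added example, not part of the original post and not Infoblox's own code; the DFP addresses are constructed placeholders, the function names are hypothetical, and the public resolvers are only sample destinations for the egress test.

```powershell
# Added example. DFP addresses are constructed placeholders; function names are hypothetical.

function Set-DfpForwarder {            # run on each Microsoft DNS server (DnsServer module)
    param([string[]]$Dfp = @('10.0.10.53', '10.0.20.53'), [string]$Probe = 'example.com')
    # Keep only DFPs that answer a test query, so a wrong IP cannot break resolution.
    $healthy = @(foreach ($ip in $Dfp) {
        try {
            Resolve-DnsName -Name $Probe -Server $ip -Type A -DnsOnly -ErrorAction Stop | Out-Null
            $ip
        } catch {
            Write-Warning "DFP $ip did not answer: $($_.Exception.Message)"
        }
    })
    if ($healthy.Count -eq 0) { throw 'No DFP answered; forwarders left unchanged.' }
    # -UseRootHint $true is the "Use root hints if no forwarders are available" checkbox.
    Set-DnsServerForwarder -IPAddress $healthy -UseRootHint $true -PassThru
}

function Test-DirectDnsEgress {        # run on an ordinary client workstation
    param([string[]]$Resolver = @('1.1.1.1', '8.8.8.8', '9.9.9.9'), [string]$Probe = 'example.com')
    foreach ($ip in $Resolver) {
        # UDP/53: a direct query should fail or time out when the firewall rule works.
        $udp53 = $true
        try {
            Resolve-DnsName -Name $Probe -Server $ip -DnsOnly -QuickTimeout -ErrorAction Stop | Out-Null
        } catch {
            $udp53 = $false
        }
        [pscustomobject]@{ Resolver = $ip; Proto = 'UDP/53'; Reachable = $udp53 }
        # TCP/53 (DNS over TCP) and TCP/853 (DoT) should both be refused for clients.
        foreach ($port in 53, 853) {
            $open = Test-NetConnection -ComputerName $ip -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Resolver = $ip; Proto = "TCP/$port"; Reachable = $open }
        }
    }
}

# On a client: list every direct DNS path that is still open (expected: no output).
# Test-DirectDnsEgress | Where-Object Reachable
```

Any row with `Reachable = True` on a normal client means that client can still resolve names without passing through the DFPs.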
