Internal & External infoblox dns design

Techie
Posts: 3
I'm looking for the best-practice design for connecting internal DNS to external DNS using Infoblox appliances, primary and secondary for each DNS.
Re: Internal & External infoblox dns design

Adviser
Posts: 200
What are you attempting to accomplish?  What do you mean by "connecting" them together?  Are you referring simply to having both internal and external DNS under a single management system or are you talking about something related to forwarding or zone transfers or something different?

Re: Internal & External infoblox dns design

Techie
Posts: 3
First of all, thanks for your reply.
1 - Deploying the infx appliance on the local network:
Configure the management ports with the management network IP addresses; configure the HA and LAN1 ports with (data & sync) local network IP addresses that will serve DNS & DHCP to the network users.
2 - Deploying the infx appliance on the DMZ network:
Configure the LAN1 port with a private (public) network that will be NATed on the firewall;
Configure the LAN2 port with private network IP addresses that will serve DNS (data & sync) from and to the local DNS network;
Configure the management ports with the DMZ management network IP addresses?
My question: is there a best-practice design for deploying local INFX (DNS & DHCP) and external INFX (DNS) on the DMZ network?
Thanks
Re: Internal & External infoblox dns design

Adviser
Posts: 200
You mention "infx" multiple times...I assume that refers to Infoblox, right?  Just trying to make sure you aren't meaning something different.

So you have internal HA appliances that will service internal DNS queries and be recursive for outbound requests, correct?  You also have single appliances where you are choosing to use one port (LAN1) for outside-in DNS requests (those coming FROM the Internet into your organization) and the other port (LAN2) for inside-out or inside-in requests (proxy DNS cache layer or for internal clients looking for internal hosts).  Is that also correct?

If both of the above are true, then your configuration matches the basic configuration well enough to be considered one of the best practices options.  There are still specific settings in DNS to configure to ensure you don't expose an open recursor...specifically, you want to make sure the DNS view with your authoritative external zones has recursion disabled.  You'll also need to make sure you properly configure your ACLs on the views as well and order them appropriately.

There are a number of other factors that will determine what is really a "best practice" for your deployment but these are generally the steps in the right direction.
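The two settings the reply above calls out for the external view, recursion disabled and view ACLs in the right order, can both be checked mechanically. The block below is an added example and is not Infoblox code or anything the poster provided: it builds and parses raw DNS wire-format messages with only the Python standard library, and the two sample responses and the two ACL lists are constructed by hand so that it runs offline. The helper names, the `audit_external_view` wrapper and the first-match-wins ACL model are assumptions for illustration; Infoblox's own view ACL syntax is not reproduced here.

```python
"""Offline checks for an external (DMZ) authoritative DNS view:
recursion must be off, and the ordered ACL must not contain entries
that an earlier, broader entry makes unreachable.  Added example; the
sample responses and ACLs below are constructed, not captured."""
import ipaddress
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR_FLAG = 0x8000        # message is a response
RD_FLAG = 0x0100        # recursion desired (set by the client)
RA_FLAG = 0x0080        # recursion available (set by the server)
RCODE_REFUSED = 5


def build_query(name, qtype=1, txn_id=0x1234):
    """One-question query with RD set: what a stub resolver, or a probe
    run from an Internet-side host against the external member, sends."""
    header = struct.pack("!HHHHHH", txn_id, RD_FLAG, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN


def parse_header(msg):
    """Pull the fields a recursion audit needs out of a DNS message."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txn_id,
        "is_response": bool(flags & QR_FLAG),
        "recursion_available": bool(flags & RA_FLAG),
        "rcode": flags & 0x000F,
        "answer_count": an,
    }


def advertises_recursion(response):
    """For a response to a query about a name the server is NOT authoritative
    for, either signal means the view recursed for this client: the RA bit,
    or a NOERROR answer it could only have obtained by recursing."""
    h = parse_header(response)
    if not h["is_response"]:
        return False
    return h["recursion_available"] or (h["rcode"] == 0 and h["answer_count"] > 0)


def first_match(acl, client_ip):
    """Evaluate an ordered ACL the way first-match-wins ACLs behave; an
    unmatched client is denied."""
    ip = ipaddress.ip_address(client_ip)
    for action, network in acl:
        if ip in ipaddress.ip_network(network):
            return action
    return "deny"


def shadowed_entries(acl):
    """Indices of entries that can never match because an earlier entry
    already covers their whole network (the classic mis-ordering bug)."""
    nets = [ipaddress.ip_network(n) for _, n in acl]
    return [j for j, net in enumerate(nets)
            if any(net.version == e.version and net.subnet_of(e) for e in nets[:j])]


def audit_external_view(foreign_name_response, acl):
    """Combine both checks into a list of findings (empty means clean)."""
    findings = []
    if advertises_recursion(foreign_name_response):
        findings.append("recursion is enabled on the external view; disable it")
    for idx in shadowed_entries(acl):
        findings.append("ACL entry %d (%s %s) can never match; reorder the ACL" % (idx, *acl[idx]))
    return findings


# --- constructed sample data (not captured from any real server) ---
_PROBE = build_query("example.com")    # a name the DMZ view does not host
_QUESTION = _PROBE[12:]

# What a hardened external view returns for a foreign name: REFUSED, RA clear.
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR_FLAG | RD_FLAG | RCODE_REFUSED,
                               1, 0, 0, 0) + _QUESTION

# What an open recursor returns: RA set plus a resolved A record (192.0.2.1).
_ANSWER_RR = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR_FLAG | RD_FLAG | RA_FLAG,
                            1, 1, 0, 0) + _QUESTION + _ANSWER_RR

# Internal clients should hit the internal view, never the DMZ one.
ACL_EXTERNAL_VIEW = [("deny", "10.0.0.0/8"), ("allow", "0.0.0.0/0")]
ACL_MISORDERED = [("allow", "0.0.0.0/0"), ("deny", "10.0.0.0/8")]   # deny is dead

if __name__ == "__main__":
    for label, resp, acl in (("hardened", REFUSED_RESPONSE, ACL_EXTERNAL_VIEW),
                             ("misconfigured", OPEN_RESPONSE, ACL_MISORDERED)):
        print(label, audit_external_view(resp, acl) or "clean")
```

To use this against your own DMZ member, send `build_query("example.com")` over UDP/53 to its LAN1 address from a host on the Internet side and pass the reply to `advertises_recursion`; a correctly configured authoritative view answers REFUSED with RA clear, which the sample `REFUSED_RESPONSE` mirrors.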

Re: Internal & External infoblox dns design

Techie
Posts: 3
Thanks for your help. INFX = Infoblox, you are right. I have two infx appliances working as internal DNS & DHCP and two infx appliances working in the DMZ (external DNS).

On the external DNS (INFX appliance):
I used LAN1 for outside (public network, 'internet') and LAN2 for the inside network (it just communicates with the internal DNS and is configured with a private DMZ subnet).

On the internal DNS:
I used LAN1 for the inside network (client DNS & DHCP requests), HA LAN1 on the same subnet,
LAN2 outside-inside DMZ (it just communicates 'inside' with the external DNS).
Management ports (grid): can I configure all 4 appliances with two subnets (one for the internal network and one for the DMZ network; in our network design the DMZ has its own management network)?

I am at stage one of the deployment, that's why I'm looking for the best-practice design for deploying internal and external DNS.
Thanks
Re: Internal & External infoblox dns design

Adviser
Posts: 200
Unless you have some restriction, I wouldn't bother with the MGMT ports at all.  Also, unless there's some special reason for putting LAN2 of the internal members into the DMZ, I would just leverage LAN1/HA.  It sounds like you're attempting to use all of the ports but I didn't see any specific target problem that you're trying to solve.

I do get using LAN1 and LAN2 for the external auth members...although a good number of customers use just LAN1 and set up the ACLs accordingly.  There's definitely nothing wrong with either approach...it really comes down to risk mitigation and determining how well you will rely on firewall and ACL configurations.

What specifically are you trying to accomplish with the use of the extra ports?  Is there some mandate internally regarding separation of management and control traffic from user facing ports?

Do you have a dedicated GM and GMC in this design?  If not, enabling the MGMT ports on the protocol serving units that also serve as GM/GMC will work but it will also create some interesting challenges.
