08-12-2018 12:00 AM
I am pretty new to Infoblox and thinking of putting in an on-premise appliance. I already have Windows AD/DNS, and in my scenario the only change I need is to put a forwarder on my Windows DNS server pointing to the Infoblox appliance, right?
Well, I was testing with BIND RPZ before making the final purchase and I noticed that not all DNS queries are being forwarded to BIND RPZ; certain .com and .net entries Windows AD is trying to resolve on its own from the root/TLD servers, and they are not being forwarded to the RPZ server.
Wondering if the same would happen after the Infoblox purchase; then I won't have any option left.
Any clues guys?
Thanks and Regards,
08-12-2018 02:54 AM - edited 08-12-2018 02:54 AM
I'm very curious which .com and .net domains the AD DNS tries to resolve itself. I'm almost 100% sure Infoblox will forward any query it's not authoritative for, assuming you configured it to forward-only.
08-12-2018 04:52 AM
Good to hear that you've decided to try Infoblox. As you're planning to add Infoblox as a forwarder on the existing Microsoft servers, I hope your intention is to send all recursive traffic to Infoblox and make use of our on-prem ActiveTrust feeds (RPZ) to block non-legitimate traffic? If that is what you are trying to do, then your configuration sounds right. If you are planning to use Infoblox for handling your authoritative DNS data too (currently handled by Microsoft), you may need to migrate that data into the Infoblox servers.
What kind of domains are the Microsoft servers bypassing the configured BIND forwarders for? Are there any conditional forwarders in place for those domains? If these were Infoblox DNS servers, I would expect each and every recursive DNS query to be forwarded to the configured forwarders unless they have been overridden at a lower level or there are subzones in place. As you are currently in an evaluation phase, can you test the same with Infoblox DNS servers and see whether the behaviour is indeed the same? Your Infoblox systems engineer is the best person to work with in order to get over this concern and complete the purchase peacefully. But I would think the issue may need some attention from the Microsoft team, as it is the Microsoft server which is bypassing the configured BIND forwarder for some reason. In any case, your Infoblox systems engineer should be able to direct you down the right path and ensure that you're good with this configuration. If there is a problem which has to be dealt with by Infoblox, he should be able to work with the Infoblox support team to find a solution before completing this purchase.
If you aren’t in touch with the Infoblox sales team yet, please let us know.
08-12-2018 10:54 AM
@Malman - Thanks for your feedback.
Yes, I would like to keep my existing AD/DNS authoritative server as it is and put a forwarder to the Infoblox appliance, or at this moment to BIND RPZ. [BTW, I believe Infoblox uses BIND as well and uses its RPZ functionality?]
Well, in my scenario my Windows DNS server is simply authoritative for the zone test.local, and it should forward all recursive queries to RPZ, and RPZ in turn will forward to the internet.
But I noticed that the Windows server (and even BIND, when I tried replacing AD with it, showed the same behaviour) is trying to resolve some of the RPZ entries on its own. I observed this especially with .com and .net entries.
Thanks and Regards,
08-12-2018 11:14 AM
Yes, we're using BIND underneath in NIOS. Are there any specific examples of those .net and .com domains for which your local server is not using the global forwarders?
08-12-2018 11:45 AM
Let me do that, but for sure this is not an issue with Infoblox or RPZ, as if I query RPZ directly it gives me the walled-garden IP, but if done through Windows DNS it sometimes creates an issue.
I mean, e.g. if I try 100 queries, for 3-4 of them I see NXDOMAIN returned directly, without being forwarded to RPZ for sure. I even tried wireshark/tcpdump on both servers and this is what I noticed: the NXDOMAIN is provided directly by the Windows server.
Thanks and Regards,
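An added example, not code from anyone in this thread, that checks the things the replies above ask about on the Windows side and repeats the 100-query comparison from the last post in a form that records each mismatch. It runs on (or against, via -ComputerName) a Windows DNS server with the DnsServer module installed. It lists the global forwarders, the forwarder timeout and the UseRootHint setting (when UseRootHint is enabled, Windows DNS resolves via root hints itself if the forwarders do not answer within the timeout), then any conditional forwarder or stub zones (names under those zones never reach the global forwarders), and finally queries each test name against both the Windows server and the RPZ server, reporting every round where the answers differ. The server addresses and test names are placeholders; replace them with your own.

```powershell
# Added example (not from the thread). All addresses and names below are assumed placeholders.
param(
    [string]$WindowsDns = '192.0.2.10',                     # assumed: Windows AD/DNS server
    [string]$RpzServer  = '192.0.2.20',                     # assumed: BIND or Infoblox RPZ server
    [string[]]$Names    = @('example.com', 'example.net'),  # assumed: names listed in the RPZ
    [int]$Rounds        = 100,
    [switch]$ClearCache                                     # flush the Windows cache before every query
)

# 1. Global forwarders, timeout and the root-hint fallback switch.
$fwd = Get-DnsServerForwarder -ComputerName $WindowsDns
"Forwarders   : $($fwd.IPAddress -join ', ')"
"Timeout (s)  : $($fwd.Timeout)"
"UseRootHint  : $($fwd.UseRootHint)"   # $true = use root hints when forwarders do not answer

# 2. Conditional forwarder and stub zones override the global forwarders for their names.
"Conditional forwarder / stub zones:"
Get-DnsServerZone -ComputerName $WindowsDns |
    Where-Object { $_.ZoneType -in 'Forwarder', 'Stub' } |
    Select-Object ZoneName, ZoneType, MasterServers |
    Format-Table -AutoSize

# 3. Root hints the server would use if it falls back from the forwarders.
$hints = Get-DnsServerRootHint -ComputerName $WindowsDns
"Root hints   : $($hints.Count)"

# Resolve one name against one server; returns the A answers or 'NXDOMAIN/none'.
function Get-Answer {
    param([string]$Name, [string]$Server)
    $r = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
    if ($null -eq $r) { return 'NXDOMAIN/none' }
    $ips = $r | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
    if (-not $ips) { return 'NXDOMAIN/none' }
    return ($ips -join ',')
}

# 4. Repeat each query against both servers and keep every round where they disagree
#    (for instance NXDOMAIN from Windows versus the walled-garden IP from the RPZ server).
$mismatches = @()
foreach ($name in $Names) {
    for ($i = 1; $i -le $Rounds; $i++) {
        if ($ClearCache) { Clear-DnsServerCache -ComputerName $WindowsDns -Force }
        $viaWindows = Get-Answer -Name $name -Server $WindowsDns
        $viaRpz     = Get-Answer -Name $name -Server $RpzServer
        if ($viaWindows -ne $viaRpz) {
            $mismatches += [pscustomobject]@{ Round = $i; Name = $name; Windows = $viaWindows; Rpz = $viaRpz }
        }
    }
}
"Mismatches   : $($mismatches.Count) of $($Rounds * $Names.Count) queries"
$mismatches | Format-Table -AutoSize
```

Without -ClearCache, the Windows server answers repeated queries for the same name from its cache (negative answers included) for the record's TTL, so only the first query of each name actually reaches a forwarder; run with -ClearCache, or use distinct names per round, while the packet capture is running so that every query leaves the server and can be matched against what tcpdump shows.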