


How does Infoblox handle dynamic and manually provisioned DNS zones?



I wondered if Infoblox has a special feature to handle dynamically and manually provisioned DNS zone records.

Or, in other terms, whether Infoblox doesn't follow the native way of working of ISC BIND / DHCP and has a better solution.

Consider a native BIND DNS master server and a native ISC DHCP server (I mean not Infoblox servers, as in the current configuration / architecture at my client).

In my example, the DNS server is master of the zone, and the DHCP server sends dynamic updates for DHCP clients to the same zone name on the DNS master.

This configuration means there are 2 different provisioning sources for this zone:

- Manual entries

- Dynamic entries from DDNS updates sent by the DHCP server

To be able to provision manual entries, there are 2 solutions:

1) use the nsupdate command, which will add / delete the record information in the .jnl zone journal file

- Pro: works fine

- Con: a specific TTL seems to be mandatory for each added record. This is not convenient when you just want to add a record with the default positive TTL value.

Also, if you change this default value, obviously the records added with nsupdate will still keep the specific TTL value entered.

- Con: it seems not possible to change the default positive TTL value of the zone

2) freeze the zone to temporarily disable dynamic updates with the rndc freeze command

- Pro: no headache about TTL value settings as mentioned in the 1st solution

- Con: while the zone is frozen, if a DDNS update comes in at the same time, the DDNS operation fails. Then the DHCP server will retry the DDNS update until the zone is unfrozen.

It's not problematic if you have a low manual and/or dynamic provisioning rate in this zone, or if the freshness of DNS is not critical for your DHCP devices.

Also, a workaround is to dedicate a zone to dynamic updates. Unfortunately, most companies have not thought about this problem (which is really tricky) and it could be difficult to split records into a new dedicated DNS zone.

So I come back to my first question at the top of this topic, asking whether Infoblox has a special way to handle this particular scenario / how it is handled by the solution.

Thanks for your feedback.
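As an added example (not part of the original post, and not Infoblox tooling), here is a POSIX shell script covering both solutions described above for a plain BIND master. build_add and build_delete produce an nsupdate batch with an explicit, validated TTL and a prerequisite so a manual add cannot silently collide with a name the DHCP server already registered; freeze_edit_thaw wraps the rndc freeze approach so the zone is always thawed again and an edit that no longer parses or did not bump the SOA serial is rolled back before the thaw. The zone name, master address, TSIG key path and zone file path are assumed values.

```shell
#!/bin/sh
# Added example, not code from the forum post. Manual record provisioning in a
# BIND zone that also receives RFC 2136 updates from a DHCP server:
#   build_add / build_delete  - emit an nsupdate batch (solution 1 in the post)
#   freeze_edit_thaw          - guarded rndc freeze / edit / thaw (solution 2)
# ZONE, MASTER, KEYFILE and the zone file path are hypothetical; adjust them.
ZONE="example.internal"
MASTER="192.0.2.53"
KEYFILE="/etc/bind/keys/admin-update.key"   # TSIG key the master accepts for manual updates

# build_add NAME TTL TYPE RDATA...  -> nsupdate batch on stdout
# nsupdate wants a TTL on every "update add" line, so it is a validated,
# mandatory argument. The prereq makes the update fail instead of silently
# adding a second record when DHCP has already registered the same name.
build_add() {
    [ "$#" -ge 4 ] || { echo "usage: build_add NAME TTL TYPE RDATA..." >&2; return 1; }
    name="$1"; ttl="$2"; type="$3"; shift 3
    case "$ttl" in
        ''|*[!0-9]*) echo "build_add: TTL must be an integer number of seconds" >&2; return 1 ;;
    esac
    printf 'server %s\nzone %s\n' "$MASTER" "$ZONE"
    printf 'prereq nxrrset %s.%s %s\n' "$name" "$ZONE" "$type"
    printf 'update add %s.%s %s %s %s\nsend\n' "$name" "$ZONE" "$ttl" "$type" "$*"
}

# build_delete NAME TYPE -> batch removing every TYPE record at NAME
build_delete() {
    [ "$#" -eq 2 ] || { echo "usage: build_delete NAME TYPE" >&2; return 1; }
    printf 'server %s\nzone %s\n' "$MASTER" "$ZONE"
    printf 'update delete %s.%s %s\nsend\n' "$1" "$ZONE" "$2"
}

# apply_update: read a batch on stdin and send it, TSIG-signed, with a 10 s timeout.
apply_update() {
    nsupdate -k "$KEYFILE" -t 10
}

# zone_serial FILE -> SOA serial as seen by named-checkzone (empty if the file is broken)
zone_serial() {
    named-checkzone "$ZONE" "$1" 2>/dev/null | sed -n 's/.*loaded serial \([0-9]*\).*/\1/p'
}

# freeze_edit_thaw FILE: solution 2 from the post, with the two failure modes a
# manual edit has to survive: a file that no longer parses (thawing would take
# the zone out of service) and a serial that was not bumped (secondaries never
# pick up the change). Either way the backup is put back before thawing, and
# the EXIT trap guarantees a thaw even if the editor is killed, because a zone
# left frozen refuses every DHCP update until someone notices.
freeze_edit_thaw() {
    zonefile="$1"
    [ -f "$zonefile" ] || { echo "no such zone file: $zonefile" >&2; return 1; }
    rndc freeze "$ZONE" || return 1        # also flushes the .jnl journal into the file
    trap 'rndc thaw "$ZONE"' EXIT
    cp -p "$zonefile" "$zonefile.bak" || return 1
    before=$(zone_serial "$zonefile")
    ${EDITOR:-vi} "$zonefile"
    after=$(zone_serial "$zonefile")
    if ! named-checkzone -q "$ZONE" "$zonefile" || [ "$after" = "$before" ]; then
        echo "zone file invalid or SOA serial not incremented; restoring backup" >&2
        cp -p "$zonefile.bak" "$zonefile"
        return 1                            # trap still thaws, with the old content
    fi
    rndc thaw "$ZONE" && trap - EXIT
}

case "${1:-}" in
    add)    shift; build_add "$@" | apply_update ;;       # e.g. add printer01 3600 A 192.0.2.10
    delete) shift; build_delete "$@" | apply_update ;;    # e.g. delete printer01 A
    edit)   shift; freeze_edit_thaw "$1" ;;               # e.g. edit /etc/bind/db.example.internal
esac
```

Whichever path is used, the zone should only accept signed updates: in named.conf the zone's `allow-update` (or a finer-grained `update-policy`) should list the DHCP server's TSIG key and the key used for manual updates, never `any`, otherwise anyone who can reach port 53 can rewrite the zone. On the TTL point, nsupdate also accepts a `ttl <seconds>` directive that sets a default for the `update add` lines that follow it in the same batch; the records are still stored with that explicit TTL, since the zone file's `$TTL` default only applies when the file itself is parsed.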



Re: How does Infoblox handle dynamic and manually provisioned DNS zones?


I think you are over thinking this a little bit. What you are describing is how you would natively manage something like a BIND server with no management tools. You need to freeze the zone in order to be able to manually add entries into the zone db file with vi or some other editor, then unfreeze it afterwards to allow DDNS to carry on working.


But if you are using Infoblox you don't need to worry about this. Infoblox zones are stored in a proprietary database, so there are no textual zone db files to worry about. BIND simply reads and writes data from/to this database. When you add a resource record through the Infoblox UI or API, it dynamically updates the zone. I don't know exactly the method it uses, whether it triggers an RFC 2136 DDNS update to the master DNS server and that then writes the RR to the database, or whether the UI/API writes the data to the database and the BIND server then reads this dynamically, but to be honest it doesn't matter because it just works! :-)


If you add a new zone, or make a change to a zone definition, then you need to do a restart services, I surmise because there is no way of informing BIND about this change via DDNS update or API (well, there might be but maybe Infoblox hasn't implemented this yet, I'm thinking of things like catalogue zones). So the UI/API will make this change to the database and the restart services action tells the DNS server to go and pull that info from the db.


As for DHCP derived DDNS updates, they definitely use RFC2136, so the update goes straight into BIND, which writes the update into the db (or it might write to a journal and that then gets sucked into the db). Again, I don't really care what happens under the hood because it just works.


So really there is no need to worry about freezing and unfreezing zones because Infoblox takes care of it all for you.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
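To show the API path the reply refers to, here is an added example (not Infoblox's own code or tooling, and not part of the reply) that creates an A record through the Infoblox WAPI REST interface with curl. No freeze step is involved; the Grid applies the record to the zone directly, and a restart of services is only needed for zone definition changes as the reply says. The Grid Master name, the WAPI version in the URL, the CA bundle path and the netrc file are assumptions.

```shell
#!/bin/sh
# Added example, not Infoblox's own code: creating an A record in an Infoblox
# zone through the WAPI REST interface with curl. Hypothetical values: Grid
# Master name, WAPI version in the URL, CA bundle path and netrc file.
GM="gm.example.internal"
WAPI="https://$GM/wapi/v2.12"                 # assumed WAPI version; check your Grid
CACERT="/etc/ssl/certs/infoblox-grid-ca.pem"  # CA that issued the GM certificate
NETRC="$HOME/.netrc-infoblox"                 # "machine gm.example.internal login api-dns password ..."

# is_ipv4 ADDR: dotted quad with four octets in 0..255
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# wapi_a_record_json FQDN IPV4 TTL -> JSON body for POST record:a
# The body is assembled with printf, so the inputs are restricted to what can
# appear in a hostname, an IPv4 address and a TTL; anything else (a quote, a
# brace) is rejected instead of being interpolated into the request.
wapi_a_record_json() {
    fqdn="$1"; ip="$2"; ttl="$3"
    case "$fqdn" in ''|*[!A-Za-z0-9.-]*) echo "bad name: $fqdn" >&2; return 1 ;; esac
    is_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    case "$ttl" in ''|*[!0-9]*) echo "bad TTL: $ttl" >&2; return 1 ;; esac
    printf '{"name":"%s","ipv4addr":"%s","ttl":%s,"use_ttl":true}' "$fqdn" "$ip" "$ttl"
}

# wapi_create_a FQDN IPV4 TTL: POST the record; on success WAPI returns the
# new object's _ref. Credentials come from the netrc file rather than the
# command line (where ps would show them), and the GM certificate is verified
# against the Grid CA instead of being skipped with -k.
wapi_create_a() {
    body=$(wapi_a_record_json "$@") || return 1
    curl --fail --silent --show-error \
         --cacert "$CACERT" --netrc-file "$NETRC" \
         -H 'Content-Type: application/json' \
         -X POST "$WAPI/record:a" --data "$body"
}

case "${1:-}" in
    create) wapi_create_a "$2" "$3" "${4:-3600}" ;;   # e.g. create printer01.example.internal 192.0.2.10
esac
```

The account in the netrc file should be a dedicated API user limited to DNS record permissions on the zones it needs, so that a leaked credential cannot be used to change Grid or DHCP configuration.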

Re: How does Infoblox handle dynamic and manually provisioned DNS zones?


Thanks for explanations and your feedback.

