Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

NIOS DNS DHCP IPAM

Reply

NIOS 8.6 - GSS-TSIG update SPOF
jufoll-ext
New Member
Posts: 2

‎02-02-2024 04:48 AM

853     1

Hi,

 

My company decided to migrate Windows DHCP servers to Infoblox appliances running NIOS 8.6.

In the frame of this project, we have to configure GSS-TSIG DDNS updates on external domains configured on MS AD servers.

 

To do so we refered to this documentation : https://docs.infoblox.com/space/nios86/35826736/About+GSS-TSIG#Configuring-DHCP-to-Send-GSS-TSIG-Upd...

 

Everything is working as expected but, we do not know how to get rid of the SPOF implied in external forward-mapping zone configuration as you can only enter one IP for each zone :

 

gss-tsig-spof.png

It is said that you have to enter Primary NS server IP but this is not HA compliant.

On our MS infrastructure, each NS server for a zone can assume Primary server function which makes AD DNS infra redundant. So we would like to add all NS server IPs (linked to their own DNS Principal) per external zone.

 

Has someone already faced this problem ? Is there a solution ?

 

Thanks for your replies,

Regards,

JF

Labels:
Reply

Re: NIOS 8.6 - GSS-TSIG update SPOF

[ Edited ]
paulr
Expert
Posts: 187

‎02-06-2024 06:49 AM - edited ‎02-06-2024 06:50 AM

853     1

I asked the same question 4 years ago, we ended up deploying with only a single nameserver defined... I have no idea if this got addressed in a later version...

 

https://community.infoblox.com/t5/nios-dns-dhcp-ipam/why-can-t-i-have-more-than-1-gss-tsig-external-...

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Reply

Re: NIOS 8.6 - GSS-TSIG update SPOF

[ Edited ]
jufoll-ext
New Member
Posts: 2

‎02-06-2024 07:24 AM - edited ‎02-06-2024 07:25 AM

853     1

Thanks for the feedback. This is good to know that we're not the only ones to ask for this stuff.

I dont see how complicted it would be to have the possibility to add several "DNS Principal/DNS IP" pairs for each zones.

Reply

Re: NIOS 8.6 - GSS-TSIG update SPOF
paulr
Expert
Posts: 187

‎02-06-2024 07:56 AM

854     1

It sounds like a simple ask to us mere mortals, but to a software engineer it's a complicated subject - do they send the updates in parallel, what about duplicates, how does AD handle this, do they send them one at a time, how long do you wait for a response before sending to the next one, what happens if you get a "refused" type response, if you then have to queue updates how do you manage that queue, how quickly can you process the queue if the endpoint isn't responding quickly enough, do you start throwing updates away if you get a timeout.... yadda yadda yadda.......

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Reply
0 Kudos

Re: NIOS 8.6 - GSS-TSIG update SPOF
MattR
Moderator
Moderator
Posts: 290

‎02-12-2024 06:39 PM

854     1

The underlying DHCPD daemon only supports a single destination unfortunately,  so it its not possible today to have DHCP send DDNS updates to multiple destinations.

 

Under normal conditions, any AD Domain Controller that receives the update will replicate it to all the other DNS servers hosting that zone in the domain or forest.

Reply
0 Kudos

Re: NIOS 8.6 - GSS-TSIG update SPOF
azkurt
New Member
Posts: 1

Saturday

854     1

Unfortunately, this is still the case. We were told by Professional Services to use single and abandon our multimaster setup. We are looking into using Anycast as a way to have DHCP/clients send registration to Anycast address and closest "primary" server responds and accepts registration. Replication to take care of getting registration on other primary. We don't plan to implement for couple months as we have other migrations to complete but hope that Anycast method works.

Reply

Re: NIOS 8.6 - GSS-TSIG update SPOF
paulr
Expert
Posts: 187

Tuesday

854     1

So we're talking about sending updates to MS DNS here - so I guess you're talking about having the primary DNS "service" (ie multiple primaries) sat behind an anycast IP? Does MS support anycast or are you going to hand-craft something to get it working? Maybe you can run something like FRR on Windows, I have no idea.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Reply
0 Kudos

Re: NIOS 8.6 - GSS-TSIG update SPOF
paulr
Expert
Posts: 187

Tuesday

854     1

Haha I really should google stuff first:

 

https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/anycast

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Reply
0 Kudos

Re: NIOS 8.6 - GSS-TSIG update SPOF

[ Edited ]
Garcia69
Techie
Posts: 10

Tuesday - last edited Tuesday

854     1

Our Infoblox technical consultant advised us to file a Request for Enhancement (RFE) which we did. It would be nice if more Infoblox customers would file the same RFE so it gets more leverage.  It is now a matter of waiting.

 

Although far from ideal we have decided to tolerate the SPOF for now. A procedure has been written if this SPOF fails. We have also started a study into alternative configurations. For example, a combination of a stub domain on Infoblox and zone delegation on MS DNS.

Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements

Infoblox Experts Community

You have reached the maximum number of topics allowed as a visitor. Please Login or Join the community to continue to read.

Join for free

TOPICS REMAINING

Register for unlimited browsing. Registration is FREE.

Join Community