Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

NIOS DNS DHCP IPAM

Reply

NIOS 8.6 - GSS-TSIG update SPOF
jufoll-ext
New Member
Posts: 2

‎02-02-2024 04:48 AM

692     1

Hi,

 

My company decided to migrate Windows DHCP servers to Infoblox appliances running NIOS 8.6.

In the frame of this project, we have to configure GSS-TSIG DDNS updates on external domains configured on MS AD servers.

 

To do so we refered to this documentation : https://docs.infoblox.com/space/nios86/35826736/About+GSS-TSIG#Configuring-DHCP-to-Send-GSS-TSIG-Upd...

 

Everything is working as expected but, we do not know how to get rid of the SPOF implied in external forward-mapping zone configuration as you can only enter one IP for each zone :

 

gss-tsig-spof.png

It is said that you have to enter Primary NS server IP but this is not HA compliant.

On our MS infrastructure, each NS server for a zone can assume Primary server function which makes AD DNS infra redundant. So we would like to add all NS server IPs (linked to their own DNS Principal) per external zone.

 

Has someone already faced this problem ? Is there a solution ?

 

Thanks for your replies,

Regards,

JF

Labels:
Reply

Re: NIOS 8.6 - GSS-TSIG update SPOF

[ Edited ]
paulr
Expert
Posts: 185

‎02-06-2024 06:49 AM - edited ‎02-06-2024 06:50 AM

693     1

I asked the same question 4 years ago, we ended up deploying with only a single nameserver defined... I have no idea if this got addressed in a later version...

 

https://community.infoblox.com/t5/nios-dns-dhcp-ipam/why-can-t-i-have-more-than-1-gss-tsig-external-...

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Reply

Re: NIOS 8.6 - GSS-TSIG update SPOF

[ Edited ]
jufoll-ext
New Member
Posts: 2

‎02-06-2024 07:24 AM - edited ‎02-06-2024 07:25 AM

693     1

Thanks for the feedback. This is good to know that we're not the only ones to ask for this stuff.

I dont see how complicted it would be to have the possibility to add several "DNS Principal/DNS IP" pairs for each zones.

Reply

Re: NIOS 8.6 - GSS-TSIG update SPOF
paulr
Expert
Posts: 185

‎02-06-2024 07:56 AM

693     1

It sounds like a simple ask to us mere mortals, but to a software engineer it's a complicated subject - do they send the updates in parallel, what about duplicates, how does AD handle this, do they send them one at a time, how long do you wait for a response before sending to the next one, what happens if you get a "refused" type response, if you then have to queue updates how do you manage that queue, how quickly can you process the queue if the endpoint isn't responding quickly enough, do you start throwing updates away if you get a timeout.... yadda yadda yadda.......

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Reply
0 Kudos

Re: NIOS 8.6 - GSS-TSIG update SPOF
MattR
Moderator
Moderator
Posts: 289

‎02-12-2024 06:39 PM

693     1

The underlying DHCPD daemon only supports a single destination unfortunately,  so it its not possible today to have DHCP send DDNS updates to multiple destinations.

 

Under normal conditions, any AD Domain Controller that receives the update will replicate it to all the other DNS servers hosting that zone in the domain or forest.

Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements

Infoblox Experts Community

You have reached the maximum number of topics allowed as a visitor. Please Login or Join the community to continue to read.

Join for free

TOPICS REMAINING

Register for unlimited browsing. Registration is FREE.

Join Community