Page tree

Contents

DNS queries and responses sent over port 53 without encryption are vulnerable to spoofing and eavesdropping. This issue is addressed in NIOS appliances that have DNS over TLS (Transport Layer Security) and DNS over HTTPS services enabled. These features encrypt DNS queries and responses to secure communication between a DNS server and a DNS client.

This topic details the requirements that NIOS appliances must meet for enabling the DNS over TLS and DNS over HTTPS services and has instructions to configure these services. The sections covered in this topic are as follows:

Licensing and Certificate Requirements

DNS over TLS and DNS over HTTPS require the vDCA (virtual DNS Cache Acceleration) or vADP (virtual Advanced DNS Protection Software) service to be licensed and enabled. If the DNS Cache Acceleration and/or Advanced DNS Protection Software services are not enabled, the DNS over TLS and DNS over HTTPS features will not work even if they are enabled. For more information about DNS Cache Acceleration and Advanced DNS Protection Software (threat protection), see Configuring DNS Cache Acceleration and About Infoblox Advanced DNS Protection respectively. 

The DNS over TLS or the DNS over HTTPS service uses the same self-signed certificate that NIOS generates for HTTPS communication when it first starts. You can also generate a certificate signing request (CSR) and use it to obtain a signed certificate from your own trusted certificate authority (CA). For more information, see Generating Certificate Signing Requests.

The certificate is provisioned for each member. For more information about certificates, see Managing Certificates.

Note

NIOS generates a new self-signed certificate when the host name or the IP address of the member is changed or when a Grid Master Candidate is promoted. If the DNS over TLS or DNS over HTTPS feature is enabled on a member, then every time a new self-signed certificate, HTTPS certificate, or a CA certificate is generated, the DNS over TLS service or the DNS over HTTPS service (depending on which feature is enabled) automatically restarts to upload the new certificate.

Base Configuration Requirements

NIOS appliances must have the required base memory configuration to enable the DNS over TLS and the DNS over HTTPS features on their members. If the appliances do not meet the required criteria, the options to configure these features are not displayed in the Member DNS Properties editor. The following table lists the base configuration required for enabling these features:

Memory ConfigurationTotal CPUTotal System Memory in GB (With virtual Advanced DNS Protection Software only)Total System Memory in GB (With virtual DNS Cache Acceleration and virtual Advanced DNS Protection Software)Maximum Number of Concurrent Sessions SupportedGrid Master Capable

Small
recursive DNS (with acceleration)

10

32

32

For vDCA only: 120,000

For vADP only: 50,000

For vDCA and vADP: 120,000

No

Medium
recursive DNS (with acceleration)

16

64

40

For vDCA only: 150,000

For vADP only: 60,000

For vDCA and vADP: 150,000

No

Large
recursive DNS (with acceleration)

26

80

50

For vDCA only: 240,000

For vADP only: 80,000

For vDCA and vADP: 240,000

No

The following table lists the maximum number of concurrent sessions supported by different NIOS appliance models (physical and virtual). For information about CPU and memory requirements, see the 

Note

If the available memory does not meet the requirement defined in the above table, you may observe unexpected behavior. Infoblox recommends that you allocate slightly more memory to ensure that memory associated with the hypervisor is also accounted for.

NIOS Appliance
(Physical and Virtual)

Maximum Number of Concurrent Sessions Supported
IB-14x5For vADP only: 50,000
IB-22x5

For vDCA only: 150,000

For vADP only: 60,000

For vDCA and vADP: 150,000

IB-40x5

For vDCA only: 240,000

For vADP only: 80,000

For vDCA and vADP: 240,000

Note

In an HA setup, ensure that both the active and passive nodes have the memory configuration required to enable the DNS over TLS or the DNS over HTTPS feature. If you enable the feature on an active node that has the required memory footprint but the passive node does not, then in case of a failover, the DNS over TLS or the DNS over HTTPS service does not start on the new active node. Therefore, requests coming to the DNS over TLS or the DNS over HTTPS stream are not honored.

Configuration Requirements if Parental Control is Enabled

NIOS appliances require additional memory if you intend to run DNS over TLS and/or DNS over HTTPS along with the Parental Control features such as proxy RPZ passthru, DCA subscriber query count logging, and DCA subscriber allowed and blocked listing simultaneously. The following table lists the base configuration required for configuring these features simultaneously:

Memory ConfigurationTotal CPUTotal System Memory in GB (With virtual DNS Cache Acceleration only)Total System Memory in GB (With virtual DNS Cache Acceleration and virtual Advanced DNS Protection Software)Maximum Number of Concurrent Sessions SupportedGrid Master Capable

Medium
recursive DNS (with acceleration)

16

64

64

For vDCA only: 150,000

For vADP only: 60,000

For vDCA and vADP: 150,000

No

Medium-Large
recursive DNS (with acceleration)

16

86

86

For vDCA only: 150,000

For vADP only: 60,000

For vDCA and vADP: 150,000

No

Large
recursive DNS (with acceleration)

26

100

100

For vDCA only: 240,000

For vADP only: 80,000

For vDCA and vADP: 240,000

No

Note

When the NIOS appliance does not have the required base memory configuration, if you try to enable and run DNS over TLS, DNS over HTTPS, and Parental Control features simultaneously, all of these features will be disabled. 

Supported Cipher Suites

DNS over TLS and DNS over HTTPS features support cipher suites that are supported by TLS 1.2 and TLS 1.3. The cipher suite order preference is configured to improve the throughput in DNS over TLS and DNS over HTTPS communication.

Cipher suites supported for TLS 1.2 are as follows:

  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-SHA
  • DHE-RSA-AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES256-SHA384

Cipher suites supported for TLS 1.3 are as follows:

  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • TLS_AES_256_GCM_SHA384

Limitations and Recommendations for DNS over TLS and DNS over HTTPS

Consider the following limitations and recommendations when you enable the DNS over TLS and/or the DNS over HTTPS features:

  • If an appliance configured with DNS over TLS or DNS over HTTPS has both vDCA and vADP running, the configuration is set to the DCA-first mode.
  • TSIG queries for which responses are larger than the max EDNS/UDP buffer size are not supported.
  • DNS queries coming with EDNS padding over port 53 are dropped.
  • DNS over TLS and DNS over HTTPS features are not supported on unbound-based DNS servers.
  • When DNS over TLS or DNS over HTTPS is enabled, queries decrypted at DNS over TLS or DNS over HTTPS that do not receive a response from the vDCA cache are forwarded to the recursive DNS engine over UDP. Therefore, rules added for TCP requests over TLS or HTTPS may not be honored. Infoblox recommends that you add the corresponding UDP-specific rules instead of only the TCP request rules.
  • For NIOS 8.5.2 only: Infoblox recommends that you manually set the maximum packet size of both the UDP buffer and the EDNS buffer to 4096 bytes. If the packet size exceeds 4096, packets are dropped by the DNS over TLS or the DNS over HTTPS server. For more information about setting buffer sizes, see Configuring the EDNS0 Buffer Size and UDP Buffer Size.
  • DNS over TLS only:
    • The TLS versions that are currently supported by NIOS are TLS 1.2 and TLS 1.3.
    • DNS over TLS supports queries and responses from both DNS and DNS Cache Acceleration services.
    • DNS over TLS is not supported for recursive queries when performing upstream lookups.
    • DNS zone transfer requests over DNS over TLS are not supported.
    • For DNS over TLS clients that use systemd-resolved service, the Subject Alternative Name (SAN) must point to the IP address of the DNS service. By default, the self-signed certificates issued to Infoblox members do not meet this requirement. Therefore, for Infoblox to support systemd-resolved, you must install certificates that include SAN IP address from a trusted certificate authority.
  • DNS over HTTPS only:
    • DNS over HTTPS is supported on the HTTP/2 protocol.
    • DNS over HTTPS is supported only if the NIOS appliance has an MGMT interface set up. The DNS over HTTPS module listens on port 443 for interfaces other than MGMT and any incoming UI request to the MGMT interface is bypassed directly to the host.
    • When DNS over HTTPS is enabled on a member, HTTP redirection from the member to its Grid Master is disabled.

DNS over TLS

NIOS appliances that support DNS Cache Acceleration or Advanced DNS Protection Software, include the DNS over TLS capability that helps increase DNS security and privacy. When you enable the DNS over TLS feature, DNS traffic is encrypted through the TLS protocol to prevent eavesdropping and tampering of DNS data. This feature is supported on both recursive and authoritative DNS servers only through port 853. It is available only for Grid members and for standalone systems. It supports the processing of multiple DNS queries/responses over a single TLS session.

You can configure and run the DNS over TLS service on a member only when the following prerequisites are met:

  • Either the accelerated DNS Cache Acceleration (vDCA) or the Advanced DNS Protection Software (vADP) service is enabled.
  • The memory required to support the DNS over TLS feature is available. For more information, see 58469271.

Configuring DNS over TLS

To configure the DNS over TLS feature, complete the following steps:

  1. Grid member: On the Data Management tab, click the DNS tab -> Members tab, select the member check box, and then click the Edit icon.
    Standalone system: On the Data Management tab, click the DNS tab, expand the Toolbar, and then click System DNS Properties.
  2. In the Member DNS Properties editor/System DNS Properties editor, click Toggle Advanced Mode if the editor is in basic mode.
  3. On the Queries tab -> Advanced tab, select the Enable DoT Service check box to enable the DNS over TLS feature.

    Note

    The options for DNS over TLS feature are displayed only if the appliance has the memory footprint that is required to support the feature and has the DNS Cache Acceleration or Advanced DNS Protection Software license installed. For more information, see 58469271.

  4. In the Maximum Session Timeout field, specify the maximum time in seconds a session can remain idle before it times out and closes. The default value is 60 seconds.
    If your DNS forwarders are located at different geographical locations or if the network latency is high, you may observe session timeouts. If so, Infoblox recommends that you set the Maximum Session Timeout to more than 60 seconds. Increasing the session duration may impact concurrent open sessions.
  5. Save the configuration.
  6. As prompted, manually reboot the member to enable the DNS over TLS feature.

    Note

    The DNS over TLS feature will not take effect until you reboot the member or the standalone system and ensure that either the DNS Cache Acceleration or Advanced DNS Protection Software service is running after the reboot.

CLI Support for DNS over TLS

You can view the status of the DNS over TLS service, configuration, and details of active sessions using the following commands:

DNS over HTTPS

NIOS appliances that support DNS Cache Acceleration or Advanced DNS Protection Software, include the DNS over HTTPS capability that helps increase DNS security and privacy. When you enable the DNS over HTTPS feature, DNS traffic is encrypted through the HTTPS protocol to prevent eavesdropping and tampering of DNS data. This feature is supported on both recursive and authoritative DNS servers only through port 443. It is available only for Grid members and standalone systems. The feature supports the processing of multiple DNS queries/responses over a single TCP session.

You can configure and run the DNS over HTTPS service on a NIOS appliance only when the following prerequisites are met:

  • An MGMT interface is set up.
  • The memory required to support the DNS over HTTPS feature is available. For more information, see 58469271.
  • Either the accelerated DNS Cache Acceleration (vDCA) or the Advanced DNS Protection Software (vADP) service is enabled.

Configuring DNS over HTTPS

To configure the DNS over HTTPS feature, complete the following steps:

  1. Grid member: On the Data Management tab, click the DNS tab -> Members tab, select the member check box, and then click the Edit icon.
    Standalone system: On the Data Management tab, click the DNS tab, expand the Toolbar, and then click System DNS Properties.
  2. In the Member DNS Properties editor/System DNS Properties editor, click Toggle Advanced Mode if the editor is in basic mode.
  3. On the Queries tab -> Advanced tab, select the Enable DoH Service check box to enable the DNS over HTTPS feature.

    Note

    The options for DNS over HTTPS feature are displayed only if the appliance has the memory footprint that is required to support the feature and has the DNS Cache Acceleration or Advanced DNS Protection Software license installed. For more information, see 58469271.


  4. In the Maximum Session Timeout field, specify the maximum time in seconds a session can remain idle before it times out and closes. The default value is 10 seconds.
    If your DNS forwarders are located at different geographical locations or if the network latency is high, you may observe session timeouts. If so, Infoblox recommends that you set the Maximum Session Timeout to more than 10 seconds. Increasing the session duration may impact concurrent open sessions.
  5. Save the configuration.
  6. As prompted, manually reboot the member to enable the DNS over HTTPS feature.

    Note

    The DNS over HTTPS feature will not take effect unless you reboot the member or the standalone system and ensure that either the DNS Cache Acceleration or Advanced DNS Protection Software service is running after the reboot.

Configuring DNS over HTTPS in Firefox

If you are using the developer version of the Firefox browser to initiate DNS queries, you must configure additional settings in the browser to enable the DNS over HTTPS support. Complete the following steps in Firefox to enable DNS over HTTPS and upload certificates:

  1. In the Network Settings section, click Settings and complete the following steps to set the Grid IP address as the custom DNS over HTTPS server:
    1. In the Connection Settings dialog box select the Enable DNS over HTTPS check box.
    2. From the Use Provider drop-down list, choose Custom.
    3. In the Custom field, enter the Grid IP address in the format:
      https://<dns-server>/dns-query
  2. Set the network.trr.mode preference in the configuration editor as follows:
    1. Enter about:config in the Firefox address bar.
    2. Click Accept the Risk and Continue to open the configuration editor.
    3. Search for network.trr.mode.
    4. Click the Edit icon and set the value to 3.
  3. If you are using a self-signed certificate, complete the following:
    1. From the address bar, open https://<doh_server_IP>.
    2. Accept the certificate.
  4. If you are using a CA certificate, complete the following:
    1. Go to Preferences/Options -> Privacy and Security -> View Certificates -> Authorities -> Import.
    2. Choose the certificate.
    3. When prompted, select the Trust this CA to identify websites check box, and restart the browser.

Note

For a member with the DNS Cache Acceleration service running and the DNS over HTTPS feature enabled, if you use the developer version of the Firefox browser (configured for DNS over HTTPS support) to initiate DNS queries, you must set the network.trr.disable-ECS preference in the configuration editor (about:config) to false for DNS data to be cached. DNS caching does not work if network.trr.disable-ECS is set to true.

CLI Support for DNS over HTTPS

You can view the status of the DNS over HTTPS service, configuration, and details of active sessions using the following commands:


  • No labels

This page has no comments.