Configuring Umbrella Virtual Appliance as a DNS forwarder for Infoblox

Overview

This article details how the Umbrella Virtual Appliance can be configured as a forwarder for Infoblox appliances. This feature is available as part of the Virtual Appliance version 2.8.3.  

Note: This feature has been qualified only for Infoblox versions 8.3 and 8.4 and is not guaranteed to work with future Infoblox versions.

If you are using Umbrella for content filtering, this feature requires you to disable caching on the Infoblox appliance for accurate Umbrella reporting and policy enforcement. We also recommend disabling DNSSEC validation on local DNS servers, like Infoblox, so that the Umbrella recursive resolvers will perform DNSSEC validation.

Prerequisite

• Infoblox appliance running NIOS version 8.3 or 8.4 only
• Umbrella Virtual Appliance running version 2.8.3 or higher

Configuring Infoblox appliance

• From the main navigation menu, click Data Management and then select the DNS tab.
• Depending on the Infoblox view:
• In a Grid view, select Grid DNS Properties from the toolbar on the right side of the application.
• In a Members view, click the Members tab. Select the member and then click the edit icon.
• In a DNS view, click the Zones tab. Select the appropriate DNS view and click the edit icon.
• Click Forwarders and in the panel that appears click the add icon.
• In the provided field, enter the static IP of the Virtual Appliance. You can include multiple Virtual Appliances here - it is recommended to include at least 2 virtual appliances. 
• Check the Add Client IP, MAC Addresses and DNS View Name to outgoing recursive queries
• Check the Use Forwarders only to use only forwarders on your network. Leave this unchecked if Infoblox is also the authoritative nameserver for any of your internal domains. 

For the Virtual Appliance to receive all outgoing DNS queries from Infoblox and send them to Umbrella, caching of external domains will need to be disabled on Infoblox. This is mandatory if you are using Umbrella for content filtering or acceptable use. Failure to do so will result in some DNS queries not getting reported by Umbrella and may also lead to incorrect enforcement of AD-based policies. 

Virtual Appliance

Deploy and configure your Virtual Appliances as per the steps documented here.

Note: You should not need to configure any internal DNS servers on the Virtual Appliances, since internal domains will be resolved by Infoblox directly.

Configuring the Umbrella resolvers directly as forwarders on Infoblox with the Add Client IP.. option is not recommended due to the lack of encryption on outgoing DNS queries to Umbrella. 

Active Directory integration

To enable AD integration, you can deploy an Umbrella Active Directory Connector in the same Umbrella site as the Virtual Appliances that are configured as forwarders for Infoblox. 

Important note: NIOS 8.5 does not include the option to Add Client IP, MAC Addresses and DNS View Name to outgoing recursive queries. The Virtual Appliance can be configured as a forwarder for an Infoblox appliance running NIOS 8.5, but endpoint reporting and AD-based policies in Umbrella will not be accurate.