Configuring Umbrella Virtual Appliance as a DNS forwarder for Infoblox

Overview

This article details how the Umbrella Virtual Appliance can be configured as a forwarder for Infoblox appliances. 

If you are using Umbrella for content filtering, this feature requires you to disable caching on the Infoblox appliance for accurate Umbrella reporting and policy enforcement. We also recommend disabling DNSSEC validation on local DNS servers, like Infoblox, so that the Umbrella recursive resolvers will perform DNSSEC validation.

Prerequisite

• Infoblox appliance running NIOS version 8.3, or 8.4 or 8.6. NIOS version 8.5 is not supported. 
• Cisco does not guarantee that this feature will work on future Infoblox versions since it is dependent on the Infoblox NIOS image. Contact Infoblox for queries around support for forwarders with private IP in EDNS. 

Configuring Infoblox appliance

• From the main navigation menu, click Data Management and then select the DNS tab.
• Depending on the Infoblox view:
• In a Grid view, select Grid DNS Properties from the toolbar on the right side of the application.
• In a Members view, click the Members tab. Select the member and then click the edit icon.
• In a DNS view, click the Zones tab. Select the appropriate DNS view and click the edit icon.
• Click Forwarders and in the panel that appears click the add icon.
• In the provided field, enter the static IP of the Virtual Appliance. You can include multiple Virtual Appliances here - it is recommended to include at least 2 virtual appliances. 
• Check the Add Client IP, MAC Addresses and DNS View Name to outgoing recursive queries
• Check the Use Forwarders only to use only forwarders on your network. Leave this unchecked if Infoblox is also the authoritative nameserver for any of your internal domains. 

For the Virtual Appliance to receive all outgoing DNS queries from Infoblox and send them to Umbrella, caching of external domains will need to be disabled on Infoblox. This is mandatory if you are using Umbrella for content filtering or acceptable use. Failure to do so will result in some DNS queries not getting reported by Umbrella and may also lead to incorrect enforcement of AD-based policies. 

Virtual Appliance

Deploy and configure your Virtual Appliances as per the steps documented here.

Note: You should not need to configure any internal DNS servers on the Virtual Appliances, since internal domains will be resolved by Infoblox directly.

Configuring the Umbrella resolvers directly as forwarders on Infoblox with the "Add Client IP" option is not recommended due to the lack of encryption on outgoing DNS queries to Umbrella. 

Active Directory integration

To enable AD integration, you can deploy an Umbrella Active Directory Connector in the same Umbrella site as the Virtual Appliances that are configured as forwarders for Infoblox. Refer to Umbrella documentation here: Connect Active Directory to Umbrella

Troubleshooting

If you are using Infoblox Data Management to centrally configure this setting, ensure that there is no local override for this setting on any Infoblox appliance.