Introduction
This document describes how the Umbrella Virtual Appliance (VA) can be configured as a forwarder for Infoblox appliances.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Infoblox appliance running NIOS version 8.3, 8.4, or 8.6. NIOS version 8.5 is not supported.
- Cisco does not guarantee that this feature works on future Infoblox versions, since it depends on the Infoblox NIOS image. Contact Infoblox with questions about support for forwarders with private IP in EDNS.
Components Used
The information in this document is based on Umbrella Virtual Appliance (VA).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Overview
If you are using Umbrella for content filtering, this feature requires you to disable caching on the Infoblox appliance for accurate Umbrella reporting and policy enforcement. Umbrella also recommends disabling DNSSEC validation on local DNS servers, like Infoblox, so that the Umbrella recursive resolvers can perform DNSSEC validation.
Configuring the Infoblox Appliance
1. From the main navigation menu, select the Data Management > DNS tab.
2. Depending on the Infoblox view:
- In a Grid view, select Grid DNS Properties from the toolbar on the right side of the application.
- In a Members view, select the Members tab. Select the member, and then select the Edit icon.
- In a DNS view, select the Zones tab. Select the appropriate DNS view and select the Edit icon.
3. Select Forwarders, and in the panel that appears, select the Add icon.
4. In the provided field, enter the static IP of the Virtual Appliance. You can include multiple Virtual Appliances here. Umbrella recommends including at least 2 virtual appliances.
5. Select the Add Client IP, MAC Addresses, and DNS View Name to outgoing recursive queries option.
6. Select the Use Forwarders only option to use only forwarders on your network. Leave this unselected if Infoblox is also the authoritative nameserver for any of your internal domains.
For the Virtual Appliance to receive all outgoing DNS queries from Infoblox and send them to Umbrella, caching of external domains must be disabled on Infoblox. This is mandatory if you are using Umbrella for content filtering or acceptable use. Failure to do so can result in some DNS queries not getting reported by Umbrella and can also lead to incorrect enforcement of AD-based policies.
Virtual Appliance
Deploy and configure your Virtual Appliances as per the steps in the Umbrella documentation.
Note: You do not need to configure any internal DNS servers on the Virtual Appliances since internal domains can be resolved by Infoblox directly.
Configuring the Umbrella resolvers directly as forwarders on Infoblox with the Add Client IP option is not recommended due to the lack of encryption on outgoing DNS queries to Umbrella.
Active Directory integration
To enable AD integration, you can deploy an Umbrella Active Directory Connector in the same Umbrella site as the Virtual Appliances that are configured as forwarders for Infoblox. Refer to the Umbrella documentation: Connect Active Directory to Umbrella.
Troubleshooting
If you are using Infoblox Data Management to centrally configure this setting, ensure that there is no local override for this setting on any Infoblox appliance.
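The following is an added example, not Cisco or Infoblox code: a small audit that resolves each member's effective settings (grid values plus any local override) and checks them against the configuration steps and the troubleshooting point above. The dictionary keys, member names, and IP addresses are hypothetical, constructed sample data and are not NIOS or WAPI field names.

```python
# Added example: audit forwarder settings against this page's guidance.
# Key names are hypothetical labels for an exported config, not NIOS/WAPI fields.
CHECKED = ("forwarders", "add_client_ip", "cache_external", "dnssec_validation")

def audit_member(name, grid, member, va_ips):
    """Resolve a member's effective settings (local overrides win) and check them."""
    overrides = member.get("overrides", {})
    # Troubleshooting case: a local override that silently diverges from the grid.
    findings = [f"{name}: local override of '{k}' differs from grid setting"
                for k, v in overrides.items() if k in CHECKED and v != grid.get(k)]
    cfg = {**grid, **overrides}
    fwd = cfg.get("forwarders", [])
    unknown = [ip for ip in fwd if ip not in va_ips]
    if unknown:
        findings.append(f"{name}: forwarders that are not known VAs: {unknown}")
    if len(set(fwd) & set(va_ips)) < 2:
        findings.append(f"{name}: fewer than 2 Virtual Appliances as forwarders")
    if not cfg.get("add_client_ip", False):
        findings.append(f"{name}: Add Client IP option is not enabled")
    if cfg.get("cache_external", True):
        findings.append(f"{name}: caching of external domains is still enabled")
    if cfg.get("dnssec_validation", True):
        findings.append(f"{name}: DNSSEC validation enabled locally (recommended off)")
    return findings

def audit(grid, members, va_ips):
    """Run the audit for every member, in a stable order."""
    out = []
    for name in sorted(members):
        out.extend(audit_member(name, grid, members[name], va_ips))
    return out

# Constructed sample data: two VAs, a compliant grid, one member with overrides.
VA_IPS = {"10.0.10.5", "10.0.10.6"}
GRID = {"forwarders": ["10.0.10.5", "10.0.10.6"], "add_client_ip": True,
        "cache_external": False, "dnssec_validation": False}
MEMBERS = {
    "ns1": {},
    "ns2": {"overrides": {"add_client_ip": False, "forwarders": ["10.0.10.5"]}},
}

if __name__ == "__main__":
    for line in audit(GRID, MEMBERS, VA_IPS):
        print(line)
```
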