The addition of DoH and DoT protocol support is important for DNS encryption, with DoT likely to be especially significant for partners since it has seen less use until now and so is less well understood.
Network security and automation provider Infoblox has unveiled enhancements to its core Network Identity Operating System (NIOS). The new release adds DoH and DoT protocol support, which is becoming increasingly important for blocking encrypted DNS communications to unauthorized servers. It extends integrations with the major cloud service providers and adds Oracle Cloud support for the first time. DDI capabilities have been improved, and new capabilities have been added for service providers.
This is a major release for Infoblox, which consolidates what could have been three separate releases into one.
“We call this one 8x because it has been nine months since our 8.5.1 release,” said Bob Rose, Senior Product Marketing Manager at Infoblox. “Since then, we have been busy – birthing new solutions. So with this we are effectively combining three releases – 8.48, 8.52 and 8.60.”
NIOS, Rose said, is about delivering advanced security and privacy for both enterprises and service providers, and this release addresses this in multiple ways.
“Our focus as customers move to hybrid cloud is better security encryption, better cloud integration and better DDI, and we addressed all of those with this release,” he stated.
The release adds DoT and DoH support to encrypt communications between a DNS client and its local DNS server. This matters because both protocols are fairly new, and what they do may not be well understood by some customers and partners. FIPS 140-2 Level 2 enhancements also improve role-based authentication and anti-tampering safeguards.
“DoT is DNS over TLS, an encryption technology that ensures device security at an OS level,” Rose said. “DoH [DNS-over-HTTPS] is more used at the browser level. They provide reliable, secure encryption between a client and a recursive resolver, to prevent the device from connecting with an unauthorized Internet server, which could expose it to data snooping, exfiltration or malware. What we have done with this release is give the ability to terminate these queries along your existing DNS policies. This helps organizations avoid these ‘man in the middle’ attacks.”
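To make concrete what the two protocols actually carry, here is an added Python illustration (not code from the article or from Infoblox): the same RFC 1035 query is framed for DoT (RFC 7858, a two-byte length prefix inside TLS on port 853) and encoded for a DoH GET request (RFC 8484, base64url in the `dns` parameter). The resolver URL is a constructed placeholder; the point for policy enforcement is that once TLS is terminated, the payload is ordinary DNS that existing rules can be applied to.

```python
import base64
import struct


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS wire-format query (RFC 1035) for qname.
    RFC 8484 recommends txid 0 for DoH so identical queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    return header + question


def frame_for_dot(msg: bytes) -> bytes:
    """DoT (RFC 7858): the plain DNS message is sent over TLS on port 853 with a
    two-byte big-endian length prefix, exactly as for DNS over TCP."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, resolver: str = "https://doh.example.internal/dns-query") -> str:
    """DoH (RFC 8484) GET form: the same wire message, base64url-encoded with
    padding stripped, carried in the 'dns' query parameter.
    The resolver URL above is a constructed placeholder, not a real endpoint."""
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}"


def decode_doh_param(token: str) -> bytes:
    """Reverse the GET encoding, restoring the padding base64 requires."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def parse_question(msg: bytes) -> str:
    """Read the QNAME back out of a wire-format message (questions use no
    name compression, so a simple label walk is enough)."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print("DoT frame (hex):", frame_for_dot(q).hex())
    url = doh_get_url(q)
    print("DoH GET:", url)
    print("Recovered QNAME:", parse_question(decode_doh_param(url.split("dns=")[1])))
```

The encoded token for `www.example.com` is the example value published in RFC 8484, so the output can be checked against the specification directly.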
Rose noted that DoT and DoH have been a learning experience for partners, particularly DoT, which hasn’t yet seen the same level of uptake as DoH.
“DoH has had clearer value for many customers, so is better understood,” he said. “But we are dealing with a scenario involving Apple where customers will want to know about this, and partners will be able to build credibility with them by understanding these issues and the value that DoH brings. Partners know about this at some level, but we have a lot of educational materials to help them get up to speed about the importance of all aspects of DNS encryption. They can leverage our expertise and improve their own practice from the leader in DDI service.”
This release announces expanded integrations around flexibility and automation with Amazon Web Services, Google Cloud Platform, Cisco, Red Hat, and VMware. These follow a similar set of enhancements around the Microsoft Azure Cloud in the 8.8.1 release. Net-new support is also provided for Oracle Cloud with this release.
“Oracle becomes the fourth public cloud that we support,” Rose noted.
Enhancements have also been made to DDI, the acronym for combined DNS, DHCP, and IP address management, which Infoblox was the first to bundle together. These include improved DNS resolution, better DNS scavenging (cleaning up stale DNS resource records), and improved physical and virtual appliance pairings and Anycast configuration.
“With this, our DDI now has hybrid high availability, for improved visibility, reliability, and performance in hybrid environments,” Rose said. “In addition, some vendors are pulling support for Windows Server 2019 for DDI, but we aren’t. We are continuing that story. We have also integrated a lot of hotfixes and customer requests to make DDI more reliable and improve performance.”
The DDI enhancements also impact Infoblox’s DTC load balancing solution.
“It adds the ability to add new devices and pull together credential groupings,” Rose indicated.
Service providers get more granular capabilities for privacy, security and control in the release. This includes being able to leverage DoT and DoH at scale, enforce security policies for virtual DNS Cache Acceleration (vDCA), and enable URL filtering to send only the traffic of relevant domains to the MSP for inspection.