DDI Platform · Network Services

Infoblox NIOS
DNS · DHCP · IPAM · Grid Architecture · 9.x

A complete operational reference for Infoblox NIOS — Grid architecture, DNS management, DHCP configuration, IPAM, security (DNS Firewall / Advanced DNS Protection), REST API, and troubleshooting. Covers NIOS 9.x with Universal DDI integration.

NIOS 9.x DNS / DNSSEC DHCP / DHCPv6 IPAM / IPv4 / IPv6 REST API / Terraform Grid / HA DNS Firewall
Infoblox Grid Architecture (diagram)
Grid Master (GM): HA pair, VIP 10.0.0.10, hub of all Grid communications
Grid Master Candidate: failover, 10.0.0.11, promotes to GM on failure
Spokes: Member HA (DNS+DHCP, Site A) · Member (DNS only, Site B) · vNIOS (Cloud, Azure) · Member (DHCP only, Site C)
Legend: Grid Master · GMC · Member · HA Member · vNIOS
OVERVIEW

What is Infoblox NIOS?

DNS: Authoritative & recursive name resolution. Forward/reverse zones. DNSSEC. DNS Firewall. Traffic Control.
DHCP: Dynamic IP address assignment. Networks, ranges, fixed addresses, options, failover, DHCPv6.
IPAM: IP address management. Network containers, subnets, utilization tracking, discovery, extensible attributes.
🏗️ NIOS Platform Overview
NIOS (Network Identity OS) — Infoblox's operating system for DDI appliances. Runs on physical Trinzic appliances, virtual (vNIOS on VMware/Hyper-V), or cloud (AWS/Azure/GCP/Oracle). Current version: NIOS 9.x (9.0.x GA, 9.1.x released 2026).
Infoblox Grid — the patented technology linking all Infoblox appliances into a unified, distributed management platform. One Grid Master manages all Grid Members. Database replicated across members. The Grid is the fundamental architectural unit — all management goes through the GM.
Grid Manager (GM GUI) — the web-based management interface hosted on the Grid Master. All configuration — DNS zones, DHCP networks, IPAM, members, security — managed from one UI. https://grid-master-ip → port 443 (HTTPS).
Universal DDI Management — Infoblox's SaaS management layer (cloud portal). Centralizes management of on-premises NIOS, cloud-native DDI, and Microsoft DNS/DHCP from a single control plane. IPAM Federation in NIOS 9.0.5+ bridges on-prem NIOS and Universal DDI.
REST API (WAPI) — Infoblox's full-featured Web API for automation. All Grid operations available via REST. Supports Terraform, Ansible, and custom scripts. Version-based URL: https://gm/wapi/v2.12/
📐 NIOS Platform Scale & Key Facts
Max Grid members: Hundreds of members per Grid
DNS queries/sec: Up to 1M+ QPS (Trinzic X6 hardware)
DHCP leases: Millions of leases across Grid
IPAM networks: IPv4 and IPv6, unlimited (license-based)
DNS zones per member: Thousands of authoritative zones
HA failover time: Seconds (VIP-based HA pair)
Grid replication: Continuous DB sync over encrypted VPN tunnel
WAPI version: v2.12 (NIOS 9.x)
Physical appliances: Trinzic X6 series (current gen, 2024+)
vNIOS platforms: VMware vSphere · Hyper-V · KVM · AWS · Azure · GCP
NIOS 9.x new: Universal DDI integration, IPAM Federation, Proxmox support
🌐 DNS Services
Authoritative DNS, recursive resolver, split DNS, DNSSEC signing, TSIG zone transfers, DNS Traffic Control (GTM), advanced DNS protection, DNS Firewall (RPZ). Serves internal + external DNS — one platform.
🔌 DHCP Services
DHCPv4 and DHCPv6, DHCP failover protocol, fixed addresses, host records, option sets, user classes, lease history, DDNS (dynamic DNS update). Automatic DNS record creation from DHCP leases.
🗺️ IPAM
IP address tracking, network containers, subnet allocation, utilization heatmap, network discovery, extensible attributes, Microsoft AD integration for device correlation. Correlates DNS + DHCP + discovery into one IP view.
🔗 Integrations
REST API (WAPI), Terraform provider, Ansible collection, VMware vCenter/Aria, ServiceNow CMDB, Splunk, CrowdStrike, Active Directory, Azure/AWS/GCP DNS sync. 200+ ecosystem integrations via Infoblox portal.
GRID

Grid Architecture

🏗️ Grid Components
Grid Master (GM) — central hub for all Grid communications and configuration. Hosts the Grid Manager web UI. All config changes originate here and replicate to members. Can be a single appliance or HA pair. The Grid Master communicates with every Grid member in a hub-and-spoke configuration.
Grid Master Candidate (GMC) — hot standby for the Grid Master. Contains a full replica of the Grid database. If the GM fails, the GMC can be promoted manually or automatically to become the new GM. Recommend deploying the GMC at a separate physical site for DR.
Grid Member — appliance that provides DNS, DHCP, or both services. Receives configuration from the GM. New members inherit all settings created at the Grid level unless overridden at the member level. Members communicate with the GM over an encrypted VPN tunnel (port 1194).
HA Member Pair — two appliances configured as active/passive. VIP (Virtual IP) floats to the active node. On active failure, the VIP moves to the passive node within seconds. For an HA member, the GM communicates with the active node. HA uses a heartbeat on the HA port (LAN2 or a separate HA interface).
vNIOS — virtual NIOS appliances for VMware, Hyper-V, KVM, or cloud (AWS/Azure/GCP). Joins the Grid as a member. Supports most NIOS features. When adding vNIOS to a Grid, you centralize management through the Grid Master. NIOS 9.0.8: Proxmox qualification added.
⚙️ Grid Configuration Reference
Grid Manager URL: https://[gm-ip] — port 443
Default login: admin / infoblox — change immediately
Grid communication: Port 1194 (VPN tunnel) GM ↔ members
Grid shared secret: Set during initial Grid creation — must match on all members
Join member to Grid: Grid tab → Grid Manager → Members → Add Grid Member
HA VIP interface: LAN1 port — VIP floats between active/passive
HA heartbeat port: LAN2 or dedicated HA port — direct crossover cable
DB replication: Continuous, encrypted — config + DNS data + DHCP leases
MTU config: Set if VPN tunnel crosses MTU-limited links
NAT groups: Required if GM behind NAT with members on both sides
Auto-provisioning: Pre-provision Grid members remotely before physical deployment
Grid hierarchy: Grid → Members → Services (DNS/DHCP) → Data (Zones/Networks). Settings flow down: Grid-level → Member-level (can override) → Service-level.
➕ Adding a Grid Member — Workflow
1. Deploy Appliance or vNIOS: Rack physical appliance or deploy vNIOS OVA in vSphere. Set LAN1 IP, netmask, gateway. Ensure port 1194 is open from appliance to Grid Master.
2. Add Member on Grid Master: Grid tab → Grid Manager → Members → Add → Add Grid Member. Specify Member Type (Infoblox or Virtual NIOS), FQDN/IP, comment.
3. Configure Services: Enable DNS and/or DHCP services on the member. Assign DNS zones or DHCP networks to this member. Set member-level overrides if needed.
4. Join Member to Grid: On the new appliance CLI: set Grid Master IP, Grid name, and shared secret. The appliance contacts the GM and joins. Config replicates from GM.
5. Verify and Restart Services: Grid Manager shows member as Online. DNS/DHCP service status appears Green. Test with a DNS query or DHCP request to confirm the member is serving traffic.
Pre-provisioning: In large deployments, define member config on the GM before the appliance ships to the remote site. When the appliance arrives and joins the Grid, it receives its full configuration automatically — including DNS zones and DHCP networks.
⚠ Grid shared secret: The shared secret must match exactly between the GM and the joining member. Mismatch causes join failure. Set during initial grid creation — changeable via Grid Properties.
NIOS CLI join command:
set membership grid-master-ip shared-secret grid-name
DNS

DNS Management

🌐 DNS Zone Types
Authoritative Zones — Infoblox holds the authoritative data for these zones. NIOS responds with the AA (Authoritative Answer) flag set. Two types: Primary (master copy) and Secondary (slave copy from another NS). Data Management → DNS → Zones → Add Zone → Authoritative Zone
Forward Zones — resolve hostnames to IP addresses. Example: us.ad.lfg.com. Contains A, AAAA, CNAME, MX, TXT, SRV records. Forward zones must have at least one NS record.
Reverse Zones — resolve IPs to hostnames (PTR records). Named in reverse: 5.10.10.in-addr.arpa for 10.10.5.0/24. Infoblox auto-creates via IPAM. NIOS can auto-create reverse zones when adding IP networks.
Stub Zones — contain only NS records for a zone. Used to direct queries to the correct authoritative servers without being a secondary. Lighter than a full secondary. Good for zone delegation visibility without full data replication.
Forward (Conditional Forward) Zones — forward queries for a specific zone to another DNS server instead of resolving recursively. Critical for split-brain DNS and internal zone routing. Data Management → DNS → Zones → Add Zone → Forward-Mapping Zone (Forwarder)
Delegated Zones — Infoblox holds delegation records pointing to another DNS server as authoritative. NS and glue records are created here; no zone data is managed by Infoblox. Used when sub-teams manage their own sub-zones.
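As an added example (not from the original page or Infoblox), this Python derives the reverse-mapping zone name for a network the way the 5.10.10.in-addr.arpa example above does, extending it to classless IPv4 prefixes (RFC 2317) and IPv6 ip6.arpa zones, and builds the PTR owner names for hosts while refusing addresses outside the network:

```python
import ipaddress


def reverse_zone_name(cidr):
    """Reverse-mapping zone that covers a network, following the 5.10.10.in-addr.arpa pattern.

    IPv4 prefixes on an octet boundary give a classful in-addr.arpa zone; narrower IPv4
    prefixes use the RFC 2317 classless form "<first-octet>-<prefixlen>"; IPv6 prefixes
    must sit on a nibble boundary and produce an ip6.arpa zone.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        octets = str(net.network_address).split(".")
        whole, rest = divmod(net.prefixlen, 8)
        if rest == 0:
            return ".".join(reversed(octets[:whole])) + ".in-addr.arpa"
        # classless delegation, e.g. 10.10.5.64/26 -> 64-26.5.10.10.in-addr.arpa
        label = f"{octets[whole]}-{net.prefixlen}"
        return ".".join([label] + list(reversed(octets[:whole]))) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones must be on a nibble (4-bit) boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_owner_name(address):
    """Owner name of the PTR record for one address, e.g. 20.5.10.10.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer


def ptr_records_for_network(cidr, hosts):
    """Build (owner, hostname) PTR pairs for hosts in a network.

    Addresses outside the network are rejected so a reverse zone never carries
    records it is not authoritative for. For classless IPv4 zones the PTR owner
    is placed under the classless zone as RFC 2317 describes (the parent /24
    zone then needs a CNAME pointing at it).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    zone = reverse_zone_name(cidr)
    records = []
    for address, hostname in hosts.items():  # hosts is a constructed {ip: fqdn} mapping
        ip = ipaddress.ip_address(address)
        if ip not in net:
            raise ValueError(f"{address} is outside {cidr}")
        if net.version == 4 and net.prefixlen % 8:
            owner = f"{str(ip).split('.')[-1]}.{zone}"
        else:
            owner = ptr_owner_name(address)
        records.append((owner, hostname.rstrip(".") + "."))
    return zone, records
```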
📋 DNS Record Types & Management
Host record: Unified A + PTR + (optionally) AAAA — preferred for managed hosts
A record: hostname → IPv4 address mapping
AAAA record: hostname → IPv6 address mapping
PTR record: IP → hostname (reverse lookup)
CNAME: Alias → canonical name (no IP)
MX record: Domain → mail server, with priority
TXT record: SPF · DKIM · DMARC · domain verification
SRV record: Service location — Kerberos, LDAP, SIP
NS record: Authoritative nameservers for zone
SOA record: Zone authority — serial, refresh, retry, expire, TTL
CAA record: Certificate Authority Authorization
NAPTR record: SIP/VoIP service discovery
Bulk import: CSV import via Grid Manager → Data Management → Import
Host records vs A records: Use Host records for managed devices — they automatically create both forward (A) and reverse (PTR) entries and integrate with DHCP fixed addresses and IPAM. Use standalone A records only for non-managed targets.
⚙️ DNS Zone Configuration & NS Management
Zone creation path: Data Management → DNS → Zones → Add Zone → Authoritative / Forward (Forwarder) / Stub / Delegated
Zone transfer (AXFR): Configure TSIG keys for secure zone transfer
NOTIFY: Auto-notify secondary servers on zone change
Zone TTL: Default TTL for all records in zone (SOA)
Negative TTL: SOA NXDOMAIN cache time — default 10800s
Dynamic DNS (DDNS): DHCP updates DNS when lease assigned
GSS-TSIG: Kerberos-secured dynamic DNS update from AD
DNSSEC signing: Zone-level — online signing with KSK/ZSK
Multiple primaries: Multi-master zones — sync between multiple NIOS primaries
Anycast DNS: Same IP advertised from multiple sites via BGP/OSPF
DNS Traffic Control: Global load balancing — health-based, geo, round-robin
Response rate limiting: RRL — DDoS reflection mitigation
Recursive queries: Per-member resolver config with forwarders
DNS logging: Query logging per zone or globally — sent to syslog
🔐 DNSSEC — Zone Signing
KSK (Key Signing Key) — signs the DNSKEY record set. Long-lived, high-value key. Rolled annually or less frequently. Its hash is published to the parent zone as a DS record. KSK rollover requires coordination with the parent zone registrar.
ZSK (Zone Signing Key) — signs all other RRsets in the zone. Rolled frequently (monthly/quarterly). Smaller key size than the KSK (1024-bit ZSK vs 2048-bit KSK common). NIOS automates ZSK rollover — no manual intervention needed.
Online Signing — NIOS signs the zone dynamically on query. No pre-signed zone file needed. Supports both online signing and pre-signed zone import. Enable: Zone → Edit → DNSSEC → Enable Signing
Enable DNSSEC: Zone → DNSSEC → Enable Zone Signing
Signing algorithm: RSASHA256 (default) · ECDSA P-256 (recommended)
DS record delivery: Must publish DS record at parent zone manually
NSEC vs NSEC3: NSEC3 with salt prevents zone enumeration
Trust anchor: Import root trust anchors for validating resolver
Validation: Enable DNSSEC validation on recursive resolvers
Test DNSSEC: dig +dnssec domain.com @infoblox-ip
DHCP

DHCP Management

🔌 DHCP Object Hierarchy
Network — the IP subnet to be managed by DHCP. Define the subnet (e.g., 10.10.5.0/24), member(s) serving it, and default gateway / DNS options. Data Management → DHCP → Networks → Add Network
DHCP Range — dynamic IP pool within a network. Defines start and end IP for DHCP assignment. Multiple ranges per network allowed (exclude specific IPs between ranges). Network → Add → DHCP Range → set Start IP, End IP, Member
Fixed Address — assign a specific IP to a client identified by MAC address. Always gets the same IP regardless of lease pool. Appears in IPAM as reserved. Data Management → DHCP → Fixed Addresses → Add Fixed Address
Host Record (DHCP) — unified object combining DNS A record + DHCP fixed address. The recommended way to manage static IP assignments — creates DNS forward + reverse + DHCP reservation in one object. Data Management → DNS → Zones → zone → Add Record → Host Record
DHCP Option Sets — reusable groups of DHCP options (003 router, 006 DNS, 015 domain name, 044 WINS, 042 NTP). Apply to networks or ranges to avoid per-object repetition. Grid → DHCP Properties → Option Filters, or use Member DHCP defaults
Shared Networks — multiple logical networks on the same physical segment. DHCP serves multiple subnets from one interface. Used for secondary IP ranges on a segment. Also called "multi-homed networks" — single MAC broadcast domain, multiple subnets.
⚡ DHCP Failover & DHCPv6
DHCP Failover Protocol — standard IETF failover between two DHCP servers (active-active or active-backup). Leases synchronized between primary and secondary. If the primary fails, the secondary serves clients. Configure at Network level — select Failover Association between two members.
Failover Association — defines the relationship between two DHCP servers. One is primary, one secondary. The IP pool is split between them (default: 50/50, or configurable MCLT). Grid → DHCP → Failover Associations → Add Failover Association
DHCPv6 — stateful IPv6 address assignment. Supports IA_NA (non-temporary) and IA_PD (prefix delegation). DHCPv6 ranges, fixed addresses, and option sets configured similarly to DHCPv4. NIOS 9.x: Enhanced DHCPv6 synchronization improvements.
Lease time (default): 43200s (12h) — adjust per environment
DDNS on lease: Auto-update DNS A/PTR on lease grant/release
DDNS style: Interim (Client FQDN option) or Ad Hoc
Lease history: Grid → Reporting → DHCP lease history — searchable
MAC filtering: Allow/deny list by MAC or vendor prefix (option 60)
User classes: Option 77 — custom option sets by client type
PXE boot: Options 066/067 — boot server and filename
DHCP fingerprinting: Identify device type from option request list
📋 Common DHCP Options Reference
Option code | Name | Value example | Purpose
003 | Router (Default Gateway) | 10.10.5.1 | Default gateway for the subnet
006 | DNS Servers | 10.0.0.53, 10.0.0.54 | DNS resolvers for clients
015 | DNS Domain Name | us.ad.lfg.com | Default search domain
042 | NTP Servers | 10.0.0.10 | Network Time Protocol server
044 | WINS Servers | 10.0.0.20 | NetBIOS name server (legacy)
051 | Lease Time | 86400 (24h) | Override default lease duration
060 | Vendor Class Identifier | PXEClient | Identify vendor/device type
066 | TFTP Server Name | 10.0.0.99 | PXE boot server
067 | Boot File Name | pxelinux.0 | PXE boot filename
119 | DNS Search List | us.ad.lfg.com, corp.lfg.com | Multiple DNS search suffixes
150 | TFTP Server Address | 10.0.0.99 | Cisco IP phones TFTP config
252 | WPAD / Auto-Proxy | http://wpad.domain.com/wpad.dat | Web proxy auto-discovery
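Added example, not from the page: a Python encoder/decoder for the option codes in the table above, showing the RFC 2132 TLV wire format behind the values (IP lists, strings, the 32-bit lease time, and the RFC 3397 label-encoded search list of option 119). The decoder rejects truncated or unterminated option fields rather than guessing.

```python
import ipaddress
import struct

# Wire encodings for the option codes in the table above (RFC 2132; option 119 per RFC 3397).
ENCODING = {
    3: "ip_list", 6: "ip_list", 42: "ip_list", 44: "ip_list", 150: "ip_list",
    15: "string", 60: "string", 66: "string", 67: "string", 252: "string",
    51: "uint32",
    119: "domain_list",
}
END, PAD = 255, 0


def _encode_domain_list(names):
    """RFC 3397 search list: each name as length-prefixed labels, terminated by a zero byte."""
    out = bytearray()
    for name in names:
        for label in name.strip().rstrip(".").split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r} in {name!r}")
            out += bytes([len(raw)]) + raw
        out += b"\x00"
    return bytes(out)


def encode_option(code, value):
    """One TLV: code (1 byte), length (1 byte), payload. Values follow the table's formats."""
    kind = ENCODING[code]
    if kind == "ip_list":
        addrs = value.split(",") if isinstance(value, str) else value
        payload = b"".join(ipaddress.IPv4Address(a.strip()).packed for a in addrs)
    elif kind == "string":
        payload = value.encode("ascii")
    elif kind == "uint32":
        payload = struct.pack("!I", int(value))
    else:
        names = value.split(",") if isinstance(value, str) else value
        payload = _encode_domain_list(names)
    if not 1 <= len(payload) <= 255:
        raise ValueError(f"option {code}: payload must be 1..255 bytes, got {len(payload)}")
    return bytes([code, len(payload)]) + payload


def encode_options(options):
    """Serialise an ordered {code: value} mapping into an options field closed by END (255)."""
    return b"".join(encode_option(code, value) for code, value in options.items()) + bytes([END])


def decode_options(blob):
    """Parse an options field back into {code: raw payload}; PAD is skipped, END stops parsing.
    Truncated TLVs and a missing END raise instead of being silently accepted."""
    result, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            return result
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option length byte missing")
        length = blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code} truncated")
        result[code] = payload
        i += 2 + length
    raise ValueError("options field not terminated by END")


def decode_ip_list(payload):
    """Turn an ip_list payload (options 3, 6, 42, 44, 150) back into dotted-quad strings."""
    if len(payload) % 4:
        raise ValueError("IP list payload is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, len(payload), 4)]
```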
IPAM

IP Address Management (IPAM)

🗺️ IPAM Object Hierarchy
Network Container — parent block that contains smaller networks or other containers. Not directly assigned to a DHCP member — used for hierarchical organization. Example: 10.0.0.0/8 contains all your private space. Network View → Add → Network Container
Network — a leaf-level subnet assigned to a specific site/VLAN. Has DHCP and DNS associations. Contains fixed addresses and DHCP ranges. Example: 10.10.5.0/24 — VLAN 100, Site A, served by member01.
IP Address Object — individual IP within a network. Can be: Unmanaged (discovered), DHCP Lease (dynamic), Fixed Address (static DHCP), Host Record (managed), or Reserved. Click any IP in the IPAM view to see its full history and associated objects.
Extensible Attributes (EA) — custom metadata fields. Define once at Grid level, apply to networks, addresses, zones, and records. Used for site code, cost center, owner, environment, SLA tier. Grid → Grid Manager → Extensible Attributes → Define custom fields
Network View — separate IP space for multi-tenant environments or overlapping address ranges. Each view has its own independent IPAM and DHCP namespace. Also controls DNS view association. Default: "default" view. Add views for VRF-based or tenant separation.
🔍 Network Discovery
NIOS Discovery — active network scanning to find unmanaged devices. ICMP ping + SNMP + port scan. Populates IPAM with discovered devices including MAC address, hostname, OS fingerprint. Data Management → IPAM → Discovery → Configure discovery settings per network
VLAN Discovery — discovers VLAN configuration from switches via SNMP. Maps VLANs to networks in IPAM. Requires SNMP read credentials for network switches. Configure SNMP credentials in Grid → Discovery → Credentials
Port Control — view and manage switch port assignments for discovered devices. Links MAC addresses to switch ports directly from IPAM. All Port Control operations require switch CLI credentials configured in Grid Manager.
vDiscovery (VMware) — integrates with vCenter to discover VMs and their IPs. Automatically creates or updates IPAM records when VMs are provisioned or change IP. Grid → Cloud Network Automation → vCenter connector
Discovery schedule: Per-network schedule — hourly/daily/weekly
Conflict detection: Alerts when a discovered IP conflicts with an IPAM record
Auto-update IPAM: Discovery results update unmanaged IP status automatically
📊 IPAM Utilization & Reporting
Utilization Thresholds — set warning (e.g., 80%) and critical (95%) thresholds per network. Triggers alerts and dashboard indicators. Network → Edit → Utilization Threshold → set %
IPAM Alerts — email/syslog notification when a subnet approaches exhaustion. Prevents surprise DHCP pool depletion during peak onboarding. Critical with DHCP ranges — pool exhaustion = client connectivity loss.
Heatmap view: IPAM → Network → visual utilization color coding
Next available IP: WAPI next_available_ip — automated IP allocation
Bulk allocation: Allocate subnets from container via UI or API
IPAM reports: Reporting → IPAM → Subnet utilization, assignments
IPAM Federation (NIOS 9.0.5+): Reserve IP addresses that are unique across NIOS and Infoblox Universal DDI Management. Bridges on-premises NIOS with cloud-based DDI from a single control point (Infoblox Portal Configuration).
SECURITY

DNS Security — Firewall, ADP & Hardening

🔥 DNS Firewall (Response Policy Zones — RPZ)
Response Policy Zones (RPZ) — the mechanism behind DNS Firewall. Special authoritative zones containing override records. When a client queries a malicious domain, the resolver checks the RPZ and returns a substitute response (NXDOMAIN, passthrough, walled garden IP). Data Management → DNS → Response Policy Zones → Add RPZ
Block (NXDOMAIN) — most common policy. Return NXDOMAIN for malicious domain queries. The client cannot resolve the domain — malware C2 communication blocked. Effective for ransomware C2, phishing domains, botnet callbacks.
Walled Garden — redirect blocked queries to a sinkhole IP. The client resolves to an internal web page showing "This site is blocked." Better user experience than NXDOMAIN. A sinkhole server at an internal IP shows the block notification page.
Passthrough (Allow) — explicitly allow a domain that would otherwise match a block rule. Whitelist exceptions per RPZ policy. A local allow list overrides global threat feed blocks.
Threat Intelligence Feeds — Infoblox Threat Intel (TIDE) provides curated RPZ feeds: Malware, C&C, Phishing, Exploit Kits, Domain Generation Algorithms (DGA). Subscribed feeds auto-update. Security → DNS Firewall → Feeds → configure TIDE subscription
Local RPZ — custom block/allow list you manage. Add domains manually or via CSV import. Takes precedence over feed-based RPZ in policy order. Add specific IoC domains, phishing URLs, internal abuse domains.
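Added example (not Infoblox's implementation): a Python model of how RPZ encodes the Block, Walled Garden, Passthrough and Drop actions as zone records, and how an ordered list of zones (local RPZ before the feed zone) is evaluated so a local passthrough overrides a feed block. Zone names, domains and the sinkhole IP are constructed.

```python
# RPZ encodes each action as a special CNAME target, or as local data (A record).
ACTIONS = {
    "nxdomain":     lambda _ip: "CNAME .",              # Block: client receives NXDOMAIN
    "nodata":       lambda _ip: "CNAME *.",             # Block: name exists, empty answer
    "passthru":     lambda _ip: "CNAME rpz-passthru.",  # Allow: stop RPZ processing here
    "drop":         lambda _ip: "CNAME rpz-drop.",      # Drop: no response sent at all
    "walledgarden": lambda ip: f"A {ip}",               # Local data: answer with sinkhole IP
}


class RpzZone:
    """One response policy zone: a name and its QNAME-trigger rules."""

    def __init__(self, name, include_subdomains=True):
        self.name = name.rstrip(".").lower()
        self.include_subdomains = include_subdomains  # also emit "*.domain" triggers
        self.rules = {}  # domain -> (action, argument)

    def add(self, domain, action, arg=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown RPZ action {action!r}")
        if action == "walledgarden" and not arg:
            raise ValueError("walledgarden needs a sinkhole IP")
        self.rules[domain.rstrip(".").lower()] = (action, arg)

    def lookup(self, qname):
        """Exact trigger first, then the closest enclosing wildcard trigger."""
        q = qname.rstrip(".").lower()
        if q in self.rules:
            return self.rules[q]
        if self.include_subdomains:
            labels = q.split(".")
            for i in range(1, len(labels)):
                parent = ".".join(labels[i:])
                if parent in self.rules:
                    return self.rules[parent]
        return None

    def zone_file(self, serial=1, ttl=300):
        """Render the zone in master-file syntax (what an RPZ secondary would transfer).
        Owner names are relative to $ORIGIN, so 'bad.example' becomes bad.example.<zone>."""
        lines = [
            f"$ORIGIN {self.name}.",
            f"$TTL {ttl}",
            f"@ IN SOA ns1.{self.name}. hostmaster.{self.name}. {serial} 3600 900 604800 {ttl}",
            f"@ IN NS ns1.{self.name}.",
        ]
        for domain, (action, arg) in sorted(self.rules.items()):
            rdata = ACTIONS[action](arg)
            lines.append(f"{domain} IN {rdata}")
            if self.include_subdomains:
                lines.append(f"*.{domain} IN {rdata}")
        return "\n".join(lines) + "\n"


def apply_policy(zones, qname):
    """Evaluate ordered RPZ zones as a resolver does: the first zone with a hit decides.
    Returns (zone_name, action), or (None, 'resolve') when no policy applies."""
    for zone in zones:
        hit = zone.lookup(qname)
        if hit is not None:
            return zone.name, hit[0]
    return None, "resolve"


def build_example_policy():
    """Constructed sample: a feed-style zone plus a local exception zone (not real feed data)."""
    feed = RpzZone("feed.rpz")
    feed.add("bad.example", "nxdomain")                      # C2 domain: block outright
    feed.add("phish.example", "walledgarden", "10.0.0.200")  # phishing: sinkhole to block page
    feed.add("tracker.example", "drop")
    local = RpzZone("local.rpz")
    local.add("safe.bad.example", "passthru")                # business exception to the feed
    return [local, feed]                                     # local zone is evaluated first
```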
🛡️ Advanced DNS Protection (ADP)
Advanced DNS Protection — hardware-accelerated DNS attack mitigation. Protects DNS infrastructure from volumetric DDoS attacks, cache poisoning, amplification attacks, tunneling, and NXDOMAIN floods. Requires an ADP-capable appliance (Trinzic X6 series) or license.
DDoS Mitigation — automatic rate limiting and query drop for flood attacks. Maintains DNS service for legitimate traffic even under multi-Gbps attack. Uses hardware ASICs for line-rate inspection. Grid → ADP → Rules → configure thresholds per attack category
DNS Tunneling Detection — identifies DNS used as a covert channel for data exfiltration (e.g., Iodine, dnscat2). Detects high-entropy domain names, unusually long labels, and excessive TXT/NULL record queries. Alert + block when DNS tunnel signatures are detected.
Response Rate Limiting (RRL) — prevents DNS amplification/reflection attacks by rate-limiting identical or similar responses. Standard BIND feature exposed in NIOS. Set the responses-per-second threshold per query source subnet.
DNS is the #1 attack vector: 91% of malware uses DNS for C2. DNS Firewall with threat intelligence blocks malware communication before any other security control can act. Deploy RPZ on all recursive resolvers serving internal clients.
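Added example, not NIOS code: a Python pass over constructed BIND-style query log lines (the format NIOS forwards to syslog) applying the per-query heuristics named above (long labels, long names, high-entropy subdomains) and the per-client TXT/NULL share. The thresholds, the two-label registered-domain approximation, and the sample log are assumptions.

```python
import math
import re
from collections import defaultdict

# Matches BIND-style query-log lines as forwarded to syslog; constructed for this example.
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than ordinary hostnames."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query(line):
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None


def qname_indicators(qname, zone_labels=2, max_label=50, max_qname=100, entropy_threshold=3.5):
    """Per-query heuristics named in the ADP description: long labels, long names, high entropy.
    zone_labels approximates the registered domain (e.g. 'example.net'); the rest is the subdomain."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-zone_labels])
    hits = []
    if any(len(label) > max_label for label in labels):
        hits.append("long_label")
    if len(qname) > max_qname:
        hits.append("long_qname")
    if len(subdomain) >= 16 and shannon_entropy(subdomain) > entropy_threshold:
        hits.append("high_entropy")
    return hits


def analyze(lines, txt_null_ratio=0.5, min_queries=5):
    """Aggregate per source client; return {client_ip: sorted indicators} for suspicious clients."""
    per_client = defaultdict(lambda: {"total": 0, "txt_null": 0, "flagged": 0, "indicators": set()})
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        c = per_client[q["ip"]]
        c["total"] += 1
        if q["qtype"] in ("TXT", "NULL"):
            c["txt_null"] += 1
        hits = qname_indicators(q["qname"])
        if hits:
            c["flagged"] += 1
            c["indicators"].update(hits)
    findings = {}
    for ip, c in per_client.items():
        if c["total"] < min_queries:
            continue  # too few queries to judge
        if c["txt_null"] / c["total"] >= txt_null_ratio:
            c["indicators"].add("txt_null_heavy")
        if c["flagged"] >= min_queries or "txt_null_heavy" in c["indicators"]:
            findings[ip] = sorted(c["indicators"])
    return findings


# Constructed sample log: one ordinary client and one client whose queries look like a tunnel.
_TUNNEL_LABEL = "kq7x2m9vb4hz8pw3ne6rt5yu1ja0dflc"  # 32 distinct characters: entropy 5.0 bits
SAMPLE_LOG = [
    "client 10.10.5.20#51001: query: www.lfg.com IN A +",
    "client 10.10.5.20#51002: query: mail.lfg.com IN A +",
    "client 10.10.5.20#51003: query: webserver01.us.ad.lfg.com IN A +",
    "client 10.10.5.20#51004: query: sso.lfg.com IN A +",
    "client 10.10.5.20#51005: query: update.lfg.com IN A +",
    "client 10.10.5.20#51006: query: intranet.lfg.com IN A +",
] + [
    f"client 10.10.5.77#5200{i}: query: {_TUNNEL_LABEL[i:] + _TUNNEL_LABEL[:i]}.t.example.net IN TXT +"
    for i in range(5)
]
```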
🔒 NIOS Security Hardening Checklist
Change default admin password — default is admin/infoblox. Change immediately post-deploy. Use complex password stored in PAM solution.
Enable HTTPS only — disable HTTP redirect. Grid → Grid Manager → Protocols → uncheck HTTP, keep HTTPS.
Configure AD/LDAP authentication — integrate with Active Directory. Map AD groups to NIOS admin roles. Disable local accounts for named users.
Enable audit logging — all admin actions logged to Grid audit log. Forward to SIEM via syslog. Retain 90 days minimum.
Restrict management access (ACL) — Grid Manager → Security → Management Network → allow only admin jump host subnets on port 443/22.
Enable TSIG for zone transfers — never allow open AXFR. Configure TSIG key for each secondary server that needs zone data.
Restrict recursion by IP — DNS recursive queries allowed only from internal subnets. Never open recursion to internet. Prevents open resolver abuse.
Deploy DNS Firewall RPZ — minimum: Infoblox TIDE malware + C2 feed. Add local block list for known internal abuse domains.
Enable DNSSEC validation — on recursive resolvers: validate DNSSEC signatures to prevent cache poisoning attacks.
Patch NIOS regularly — apply NIOS updates per Infoblox Security Advisories. CVE-2024-xxxx: subscribe to Infoblox security bulletins. NIOS 9.0.6+: PAPI disabled by default.
Replace self-signed TLS certificate — import CA-signed cert for Grid Manager HTTPS. Prevents browser warnings and enables trust for automation tools.
Configure NTP — NIOS uses NTP for log timestamps and DNSSEC. Sync to same NTP source as AD (±5 min for Kerberos). Grid → Grid Manager → NTP.
VIEWS

DNS Views & Split-Brain DNS

👁️ DNS Views — Split-Brain Architecture

DNS Views allow a single NIOS member to serve different DNS responses to different clients based on source IP. The same zone name (e.g., lfg.com) can return different answers to internal vs. external clients.

Internal View — responds to internal subnet queries. Contains internal IP addresses (10.x, 172.16.x, etc.) for corporate resources. Clients behind the firewall resolve to internal IPs. Match criteria: Source IP in 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
External View — responds to external / internet queries. Contains public IPs for internet-facing services (load balancers, CDN, cloud). Clients from the internet resolve to public IPs. Match criteria: Source IP = any (default/catch-all after internal)
Match Order — views are evaluated in order. First match wins. Put the most specific match criteria first (internal). External/default view last. Data Management → DNS → Views → drag to reorder
View-Linked Network View — each DNS View links to a Network View (IPAM namespace). Ensures IP allocation for the correct tenant/environment. DNS View → Properties → Network View Association
Common use case: Same zone (lfg.com) returns 10.10.5.20 for internal DNS clients and 203.0.113.50 (public IP) for external clients — without running two separate DNS infrastructures.
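Added example (not from the page): a Python model of first-match view selection, showing the same name answering differently by source IP, an internal-only name not leaking to external clients, and a check for views made unreachable by a catch-all view listed ahead of them. The views and records are the constructed lfg.com example from this section.

```python
import ipaddress


class DnsView:
    """A DNS view: its match-clients criteria plus the records it serves."""

    def __init__(self, name, match_clients, records):
        self.name = name
        self.catch_all = "any" in match_clients
        self.networks = [ipaddress.ip_network(c) for c in match_clients if c != "any"]
        self.records = {k.rstrip(".").lower(): v for k, v in records.items()}

    def matches(self, client_ip):
        # An IPv6 client never falls inside an IPv4 network, so mixed versions are safe here.
        return self.catch_all or any(client_ip in net for net in self.networks)


def select_view(views, client_ip):
    """First view whose match criteria include the source IP wins; None means no view applies."""
    ip = ipaddress.ip_address(client_ip)
    for view in views:
        if view.matches(ip):
            return view
    return None


def resolve(views, client_ip, qname):
    """Answer as the member would: pick the view by source IP, then look the name up only there."""
    view = select_view(views, client_ip)
    if view is None:
        return None, "REFUSED"
    answer = view.records.get(qname.rstrip(".").lower())
    return view.name, answer if answer else "NXDOMAIN"


def shadowed_views(views):
    """Views listed after a catch-all ('any') view can never be selected: a common misordering."""
    shadowed, seen_catch_all = [], False
    for view in views:
        if seen_catch_all:
            shadowed.append(view.name)
        if view.catch_all:
            seen_catch_all = True
    return shadowed


def build_views():
    """Constructed split-brain setup for lfg.com using the addresses from this section."""
    internal = DnsView("Internal", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
                       {"lfg.com": "10.10.5.20", "intranet.lfg.com": "10.10.5.30"})
    external = DnsView("External", ["any"], {"lfg.com": "203.0.113.50"})
    return [internal, external]  # most specific first, catch-all last
```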
🔐 RBAC — Admin Roles & Permissions
Superuser — full access to all Grid operations, settings, and data. Only Infoblox admins should hold this role. Analogous to domain admin. Grid → Administration → Admin Groups → assign roles
DNS Admin — manage DNS zones and records within permitted views. No access to DHCP networks or IPAM subnets. Good for DNS-only operators. Custom admin role with DNS read/write permissions scoped to specific views.
DHCP Admin — manage DHCP networks, ranges, and fixed addresses. No DNS zone access. Good for network team members who provision client networks. Scope to a specific member or network view via permission filters.
IPAM Admin / Read-Only — view IP address space, utilization, discovery results. Create network allocations. Read-only for security/auditing teams. Grid → IPAM → Network Container → admin group permissions
AD/LDAP auth: Grid → Administration → Authentication Policy → AD integration
Remote auth: RADIUS, TACACS+, LDAP, AD all supported
Local admin: Keep 1–2 local break-glass accounts only
HA

High Availability & Redundancy

⚡ HA Pair Architecture
Virtual IP (VIP) — shared IP address that floats to the active node. DNS clients and DHCP clients always communicate with the VIP. On failover, the VIP moves to the passive node within seconds. VIP set on LAN1. The active node sends ARP for the VIP; the passive node inherits it on failover.
Heartbeat — continuous keepalive between active and passive over the HA interface. If the passive node misses heartbeats (configurable threshold), it assumes the active has failed and takes over. HA port: direct crossover cable or dedicated L2 segment between nodes.
State Synchronization — DHCP lease state, DNS zone data changes, and config changes replicate from active to passive in real time. On failover, the passive node already has current state. DHCP leases sync via the failover protocol; DNS via Grid database replication.
DHCP Failover vs HA Pair — an HA pair provides DNS + DHCP failover using the VIP. The DHCP Failover Protocol (a separate feature) balances DHCP between two non-HA members for active-active DHCP. HA pair = DNS + DHCP redundancy · DHCP Failover = dual-server pool sharing.
🌍 Anycast DNS — Geographic Redundancy
Anycast — the same IP address advertised from multiple physical locations via BGP or OSPF. DNS clients always resolve to the nearest node. If a site goes down, routing converges to the next-closest node. Standard enterprise DNS deployment for large distributed environments.
Anycast via BGP — NIOS members advertise the loopback/anycast IP via BGP to upstream routers. BGP metric or AS-path determines the nearest server. Grid → Member → DNS → Anycast Addresses → configure BGP peer
Anycast via OSPF — advertise the anycast IP via OSPF into the IGP. OSPF metric determines the path. Suitable for single-AS environments without external BGP. Simpler than BGP — good for campus or data center anycast.
Recommended anycast IP: e.g., 10.0.0.53/32 — advertised from all recursive resolver sites
Client DNS config: Set the anycast IP as DNS server — resolves to the nearest node
Site failure: BGP/OSPF withdraws the route — traffic re-routes within seconds
REST API

WAPI — REST API Automation

🔌 WAPI Fundamentals
Base URL: https://[gm-ip]/wapi/v2.12/
Auth: HTTP Basic Auth (username:password) or token
Content-Type: application/json for POST/PUT bodies
Objects: record:host · record:a · network · fixedaddress · zone_auth
Response: JSON array of matching objects with _ref field
_ref field: Unique object reference — use for updates and deletes
Paging: _max_results + _paging for large result sets
Swagger UI: https://[gm-ip]/wapidoc — interactive API docs
Terraform provider: infoblox/infoblox — full WAPI coverage
WAPI v2.12 (NIOS 9.x) supports all DDI operations including DNS records, DHCP networks, IPAM allocation, Grid config, and security policies. Use _return_fields to limit response fields for performance.
🔑 Common WAPI Endpoints
Search host records: GET /record:host?name~=server&_return_fields=name,ipv4addrs
Get network: GET /network?network=10.10.5.0/24
Next available IP: POST /network/{ref}?_function=next_available_ip
Create A record: POST /record:a (body: name, ipv4addr, view)
Create host record: POST /record:host
DHCP fixed address: POST /fixedaddress
Add zone: POST /zone_auth
Get leases: GET /lease?address=10.10.5.100
Delete object: DELETE /{object_ref}
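Added example, not the page's or Infoblox's code: a Python WAPI client that performs a filtered record:host search with _return_fields and server-side paging (_paging, _max_results, then next_page_id / _page_id), calls next_available_ip on a network _ref, and creates a host record. The Grid Master is replaced by a constructed in-memory stand-in so the flow runs offline; hostnames, _ref values and credentials are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request


class WapiClient:
    """Small WAPI client: Basic auth, _return_fields, next_available_ip, and server-side paging."""

    def __init__(self, base_url, username, password, transport=None):
        self.base = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        self.transport = transport or self._https  # injectable so the flow can run offline

    def _https(self, method, url, body):
        # urlopen verifies the server certificate by default: keep it that way and import a
        # CA-signed certificate on the Grid Master rather than disabling verification.
        req = urllib.request.Request(url, data=body, method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()

    def request(self, method, path, params=None, body=None):
        url = f"{self.base}/{path}"
        if params:
            url += "?" + urllib.parse.urlencode(params, safe=":/,~")
        data = json.dumps(body).encode() if body is not None else None
        status, text = self.transport(method, url, data)
        if status >= 400:
            raise RuntimeError(f"WAPI {method} {path} failed: {status} {text}")
        return json.loads(text) if text else None

    def search_all(self, objtype, filters, return_fields, page_size=500):
        """Yield every match, following next_page_id until the server stops returning one."""
        params = dict(filters)
        params.update({"_return_fields": ",".join(return_fields), "_paging": 1,
                       "_return_as_object": 1, "_max_results": page_size})
        while True:
            page = self.request("GET", objtype, params)
            yield from page["result"]
            next_id = page.get("next_page_id")
            if not next_id:
                return
            params = {"_page_id": next_id}  # follow-up requests carry only the page id

    def next_available_ip(self, network_ref, num=1):
        return self.request("POST", network_ref, {"_function": "next_available_ip"}, {"num": num})["ips"]

    def create_host(self, fqdn, ipv4, view="default", comment=""):
        body = {"name": fqdn, "ipv4addrs": [{"ipv4addr": ipv4}], "view": view, "comment": comment}
        return self.request("POST", "record:host", {"_return_fields": "name,ipv4addrs"}, body)


class FakeGrid:
    """Constructed stand-in for a Grid Master (not Infoblox code) answering in WAPI v2.12 shapes."""

    def __init__(self):
        self.pages_served = 0
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        parts = urllib.parse.urlsplit(url)
        query = urllib.parse.parse_qs(parts.query)
        path = parts.path.split("/wapi/v2.12/", 1)[1]
        if method == "GET" and path == "record:host":
            self.pages_served += 1
            if query.get("_page_id") == ["page-2"]:
                return 200, json.dumps({"result": [{"_ref": "record:host/Y29uc3RydWN0ZWQ:b.lfg.com/Internal",
                                                    "name": "b.lfg.com"}]})
            return 200, json.dumps({"result": [{"_ref": "record:host/Y29uc3RydWN0ZWQ:a.lfg.com/Internal",
                                                "name": "a.lfg.com"}], "next_page_id": "page-2"})
        if method == "POST" and path.startswith("network/") and query.get("_function") == ["next_available_ip"]:
            return 200, json.dumps({"ips": ["10.10.5.21"]})
        if method == "POST" and path == "record:host":
            sent = json.loads(body)
            return 201, json.dumps({"_ref": f"record:host/Y29uc3RydWN0ZWQ:{sent['name']}/{sent['view']}", **sent})
        return 404, json.dumps({"Error": "AdmConDataNotFoundError", "text": f"no route for {path}"})


def demo():
    """Run the search -> allocate -> create flow against the fake Grid and report what happened."""
    grid = FakeGrid()
    client = WapiClient("https://gm.example.test/wapi/v2.12", "svc-automation", "placeholder-secret",
                        transport=grid)
    hosts = list(client.search_all("record:host", {"name~": "lfg.com"}, ["name", "ipv4addrs"], page_size=1))
    ip = client.next_available_ip("network/Y29uc3RydWN0ZWQ:10.10.5.0/24/default")[0]
    created = client.create_host("c.lfg.com", ip, view="Internal", comment="added by WAPI example")
    return {"hosts": [h["name"] for h in hosts], "pages": grid.pages_served,
            "ip": ip, "created_ref": created["_ref"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```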
💻 WAPI Examples — PowerShell
Common WAPI operations via PowerShell
```powershell
# Credentials and base URL
$base = "https://gm.domain.com/wapi/v2.12"
$cred = Get-Credential   # admin / password

# -SkipCertificateCheck needs PowerShell 7+; drop it once the Grid Manager uses a CA-signed certificate

# GET — search for a host record
Invoke-RestMethod -Uri "$base/record:host?name=webserver01.us.ad.lfg.com" `
    -Credential $cred -SkipCertificateCheck

# POST — create a host record (JSON body, Content-Type set on the request)
$body = @{
    name      = "webserver01.us.ad.lfg.com"
    ipv4addrs = @(@{ ipv4addr = "10.10.5.20" })
    view      = "Internal"
    comment   = "Web server - provisioned by automation"
} | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Post -Uri "$base/record:host" `
    -Credential $cred -ContentType "application/json" -Body $body -SkipCertificateCheck

# Get the next available IP from a subnet (the network's _ref is used as the URL path)
$netref = (Invoke-RestMethod -Uri "$base/network?network=10.10.5.0/24" `
    -Credential $cred -SkipCertificateCheck)._ref
Invoke-RestMethod -Method Post `
    -Uri "$base/$netref?_function=next_available_ip&num=1" `
    -Credential $cred -ContentType "application/json" -SkipCertificateCheck

# DELETE — remove a host record by its _ref
Invoke-RestMethod -Method Delete `
    -Uri "$base/record:host/ZG5z..." `
    -Credential $cred -SkipCertificateCheck
```
🏗️ Terraform Provider
Terraform — manage Infoblox resources
```hcl
terraform {
  required_providers {
    infoblox = {
      source  = "infobloxopen/infoblox"
      version = "~> 2.5"
    }
  }
}

# Declared so the provider block below can reference it; pass it via TF_VAR_infoblox_password
variable "infoblox_password" {
  type      = string
  sensitive = true
}

provider "infoblox" {
  server       = "gm.domain.com"
  username     = "terraform-svc"
  password     = var.infoblox_password
  wapi_version = "2.12"
}

resource "infoblox_a_record" "web01" {
  dns_view = "Internal"
  fqdn     = "webserver01.us.ad.lfg.com"
  ip_addr  = "10.10.5.20"
  ttl      = 300
  comment  = "Managed by Terraform"
}

resource "infoblox_ip_allocation" "web01_ip" {
  network_view = "default"
  dns_view     = "Internal"
  fqdn         = "webserver01.us.ad.lfg.com"
  ip_addr      = "func:nextavailableip:10.10.5.0/24"
}
```
CLI

NIOS CLI Quick Reference

💻 System & Grid CLI Commands
Access via SSH to Grid Master or member IP
```text
# System status
show version            # NIOS version + build
show status             # service health summary
show hardware           # hardware model + serial
show network            # interface config
show interface          # IP/MAC per interface
show ntp                # NTP sync status
show grid               # Grid membership info
show service dns        # DNS service status
show service dhcp       # DHCP service status

# DNS diagnostics
dig @localhost example.com   # test DNS from appliance
show dns-zone-transfer       # zone transfer status
show dns-stats               # DNS query statistics

# System management
set network             # configure network settings
set dns-resolver        # set resolver IP
set ntp                 # configure NTP server
restart services        # restart all NIOS services
restart service dns     # restart DNS only
restart service dhcp    # restart DHCP only
```
🔧 Grid Join & Troubleshooting CLI
Grid operations and diagnostics
```text
# Join appliance to existing Grid
set membership gm-ip shared-secret GridName

# Check Grid connectivity to GM
ping grid-master-ip

# Show HA pair status
show ha-status          # active/passive state
show ha-pair            # HA configuration

# Force manual HA failover
set ha-forceactive      # force this node to become active

# DHCP lease query
show lease 10.10.5.100  # lease info for specific IP
show lease all          # all current leases

# Log access
show log syslog         # system syslog
show log audit          # admin audit log
show log dns            # DNS query log
show log dhcp           # DHCP lease log

# Enable PAPI (NIOS 9.0.6+ disabled by default)
set perl_mod_access enable
```
REPORTING

Reporting, Monitoring & Integration

📊 Built-in Reporting
DHCP Utilization Reports — subnet utilization over time, top used networks, approaching exhaustion, lease counts by member and network. Reporting → DHCP → select report type and time range
DNS Query Statistics — queries per second, query type distribution (A/AAAA/MX/CNAME), top queried domains, NXDOMAIN rates, response time percentiles. Reporting → DNS → Query Statistics per member
IPAM Utilization Reports — subnet utilization heatmap, unmanaged IP counts, allocation trends over time, RFC 1918 space utilization breakdown. Reporting → IPAM → Network Utilization
Lease History Search — find who had a specific IP at a specific time. Critical for security incident investigation. Search by IP or MAC. Data Management → DHCP → Lease History → search by IP, MAC, or timestamp
Audit Log — all admin actions with username, timestamp, changed object, and values. Forward to SIEM for compliance and security monitoring. Administration → Log Files → Audit Log · also forwarded via syslog
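Lease history is the pivot from an IP address in a SIEM alert to a specific machine, and the question is always "who held this IP at this moment", not "who holds it now". The Python below is an added example (not Infoblox code and not from this page) that answers it offline from a WAPI `lease` query result of the shape used in the diagnostics section (`lease?address=...&_return_fields=address,starts,ends,hardware,client_hostname,binding_state`). It assumes `starts` and `ends` are Unix epoch seconds in UTC; the JSON is constructed sample data. The timestamp you supply must carry a UTC offset, because mixing SIEM local time with appliance UTC is the classic way to attribute an IP to the wrong host.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of a WAPI lease query result (not a real appliance response).
# Assumed endpoint: GET /wapi/v2.12/lease?address=10.10.5.100
#                   &_return_fields=address,starts,ends,hardware,client_hostname,binding_state
# `starts` / `ends` are assumed to be Unix epoch seconds, UTC.
SAMPLE_WAPI_RESPONSE = json.dumps([
    {"_ref": "lease/EXAMPLE-REF-1:10.10.5.100/default",
     "address": "10.10.5.100", "starts": 1719792000, "ends": 1719878400,   # 2024-07-01 .. 07-02 UTC
     "hardware": "00:50:56:aa:bb:01", "client_hostname": "laptop-finance-07",
     "binding_state": "FREE"},
    {"_ref": "lease/EXAMPLE-REF-2:10.10.5.100/default",
     "address": "10.10.5.100", "starts": 1719878400, "ends": 1719964800,   # 2024-07-02 .. 07-03 UTC
     "hardware": "00:50:56:aa:bb:02", "client_hostname": "contractor-pc",
     "binding_state": "ACTIVE"},
    {"_ref": "lease/EXAMPLE-REF-3:10.10.5.101/default",
     "address": "10.10.5.101", "starts": 1719792000, "ends": 1719964800,
     "hardware": "00:50:56:aa:bb:03", "client_hostname": "printer-2f",
     "binding_state": "ACTIVE"},
])


def parse_wapi_leases(raw_json: str) -> list:
    """Decode a WAPI lease list, dropping records without usable start/end times."""
    leases = []
    for obj in json.loads(raw_json):
        if not isinstance(obj.get("starts"), int) or not isinstance(obj.get("ends"), int):
            continue  # abandoned/backup records may lack timing data; never guess for them
        leases.append(obj)
    return leases


def to_epoch(when: str) -> int:
    """Parse an ISO-8601 timestamp. The offset is mandatory so that SIEM local time
    and appliance UTC are never silently mixed."""
    dt = datetime.fromisoformat(when.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset, e.g. 2024-07-01T15:30:00+02:00")
    return int(dt.astimezone(timezone.utc).timestamp())


def lease_at(leases: list, ip: str, when: str) -> Optional[dict]:
    """Return the lease that held `ip` at `when` (half-open interval [starts, ends)),
    or None. If records overlap, the most recently started lease wins."""
    ts = to_epoch(when)
    hits = [l for l in leases if l["address"] == ip and l["starts"] <= ts < l["ends"]]
    return max(hits, key=lambda l: l["starts"]) if hits else None


def lease_timeline(leases: list, ip: str) -> list:
    """Chronological (start, end, mac, hostname) tuples for `ip`, times as ISO-8601 UTC."""
    def iso(t: int) -> str:
        return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    rows = sorted((l for l in leases if l["address"] == ip), key=lambda l: l["starts"])
    return [(iso(l["starts"]), iso(l["ends"]), l["hardware"], l.get("client_hostname", ""))
            for l in rows]


LEASES = parse_wapi_leases(SAMPLE_WAPI_RESPONSE)

if __name__ == "__main__":
    hit = lease_at(LEASES, "10.10.5.100", "2024-07-01T15:30:00Z")
    print("10.10.5.100 at 2024-07-01T15:30Z ->", hit["hardware"], hit["client_hostname"])
    for row in lease_timeline(LEASES, "10.10.5.100"):
        print(row)
```

The half-open interval matters at lease boundaries: at exactly the renewal second the IP belongs to the new lease, which is what the appliance's own lease table reflects. Keep the `_ref` of the matched record in your incident notes; it is the stable identifier to cite when someone re-queries the appliance later.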
🔗 Key Integrations
Syslog to SIEM — forward DNS query logs, DHCP lease logs, and audit logs to Splunk, QRadar, Microsoft Sentinel, or any syslog target. Critical for DNS-based threat detection. Grid → Grid Manager → Syslog → add remote syslog server(s)
ServiceNow CMDB — Infoblox IPAM data synced to ServiceNow CI records. IP, hostname, MAC, custom EAs populate CMDB automatically. Eliminates manual IP tracking in ITSM. ServiceNow Infoblox integration app available in ServiceNow Store
Active Directory Discovery — correlate DHCP leases with AD user logons. Associate IP + MAC + username + hostname in IPAM for full user-to-IP mapping. Grid → Network Insight → AD integration for user correlation
VMware vCenter / Aria — vDiscovery integration creates IPAM records automatically for VM provisioning events. Terraform / VMware Aria integration announced for NIOS 9.x. Grid → Cloud Network Automation → configure vCenter connector
CrowdStrike / EDR Integration — correlate DNS Firewall RPZ blocks with endpoint detection. When RPZ blocks a domain, enrich with CrowdStrike host data for immediate threat context. Via Infoblox ecosystem connector framework
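Once DNS logs reach the SIEM, the first detection most teams build on them is "which clients are hitting DNS Firewall blocks, and how many distinct bad domains each one touched". The Python below is an added example (not Infoblox code and not from this page) that parses BIND-style RPZ rewrite lines as a NIOS member forwards them over syslog, separates real blocks from PASSTHRU hits (a local allow rule matched first, which is exactly the "local allow overrides block" case in the troubleshooting section), and ranks clients by distinct blocked domains. The syslog lines are constructed, and the field layout (`rpz QNAME <action> rewrite <domain> via <rpz-zone>`) is an assumption to check against your own appliance's output before relying on the regex. The flagged client IPs are what you would hand to a lease-history lookup or an EDR host query for enrichment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of NIOS DNS syslog as forwarded to a SIEM. The layout follows the
# BIND-style "rpz QNAME <action> rewrite" message; these specific lines are made up.
SAMPLE_SYSLOG = """\
Jul  1 15:30:01 ibns1 named[4120]: client @0x7f3a1c0 10.10.5.100#51234 (bad-domain.com): rpz QNAME NXDOMAIN rewrite bad-domain.com via bad-domain.com.rpz.infoblox.local
Jul  1 15:30:04 ibns1 named[4120]: client @0x7f3a1c0 10.10.5.100#51240 (c2-beacon.example): rpz QNAME NXDOMAIN rewrite c2-beacon.example via c2-beacon.example.rpz.infoblox.local
Jul  1 15:30:09 ibns1 named[4120]: client @0x7f3a1c0 10.10.5.100#51244 (dropper.example): rpz QNAME CNAME rewrite dropper.example via dropper.example.rpz.infoblox.local
Jul  1 15:31:12 ibns1 named[4120]: client @0x7f3a1c0 10.10.5.101#40211 (bad-domain.com): rpz QNAME NXDOMAIN rewrite bad-domain.com via bad-domain.com.rpz.infoblox.local
Jul  1 15:31:30 ibns1 named[4120]: client 10.10.5.102#40300 (www.example.com): query: www.example.com IN A + (10.0.0.53)
Jul  1 15:31:41 ibns1 named[4120]: client 10.10.5.103#40999 (allowed.example): rpz QNAME PASSTHRU rewrite allowed.example via allowed.example.local-allow.rpz
"""

# One pattern for the whole forwarded line: syslog header, resolving member, then the
# RPZ rewrite message. The optional "@0x..." token is the client-object address that
# newer BIND builds print before the client IP; older ones omit it.
RPZ_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<member>\S+) named\[\d+\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): rpz (?P<trigger>\S+) (?P<action>\S+) rewrite "
    r"(?P<domain>\S+) via (?P<rpzname>\S+)$"
)


def parse_rpz_events(syslog_text: str) -> list:
    """One dict per RPZ rewrite line; ordinary query-log lines are skipped."""
    events = []
    for line in syslog_text.splitlines():
        m = RPZ_LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            # PASSTHRU means a local allow rule won the policy-order race, so the
            # query was answered normally. Everything else (NXDOMAIN, NODATA, CNAME
            # walled garden, DROP) is a block.
            ev["blocked"] = ev["action"] != "PASSTHRU"
            events.append(ev)
    return events


def summarize_by_client(events: list) -> dict:
    """client IP -> {'blocked': set(domains), 'passthru': set(domains)}"""
    summary = defaultdict(lambda: {"blocked": set(), "passthru": set()})
    for ev in events:
        bucket = "blocked" if ev["blocked"] else "passthru"
        summary[ev["client"]][bucket].add(ev["domain"])
    return dict(summary)


def flag_clients(events: list, min_distinct_domains: int = 2) -> list:
    """Clients that hit at least `min_distinct_domains` distinct blocked domains.
    One hit can be a stray click; several distinct ones in a short window is the
    signature of a host working through a malware domain list. Sorted by count."""
    summary = summarize_by_client(events)
    flagged = [(ip, len(s["blocked"])) for ip, s in summary.items()
               if len(s["blocked"]) >= min_distinct_domains]
    flagged.sort(key=lambda x: (-x[1], x[0]))
    return [ip for ip, _ in flagged]


def top_blocked_domains(events: list, n: int = 5) -> list:
    """Most frequently blocked domains, for feed hygiene and incident scoping."""
    return Counter(ev["domain"] for ev in events if ev["blocked"]).most_common(n)


if __name__ == "__main__":
    evs = parse_rpz_events(SAMPLE_SYSLOG)
    print(f"{len(evs)} RPZ events parsed")
    print("flagged clients:", flag_clients(evs))
    print("passthru (local allow) hits:",
          {ip: s["passthru"] for ip, s in summarize_by_client(evs).items() if s["passthru"]})
    print("top blocked domains:", top_blocked_domains(evs))
```

Keeping PASSTHRU hits visible is deliberate: a domain that shows up there while also appearing in the threat feed is a local allow-list entry worth reviewing, and that is usually why "RPZ block not working for a known bad domain" tickets get opened.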
DIAG

Troubleshooting & Common Issues

🔧 Common Issues & Resolutions
Member shows "Disconnected" in Grid Manager — check port 1194 (UDP/TCP) from member to Grid Master IP. Check member NTP sync (time difference causes VPN auth failure). Restart Grid service: restart services. CLI on member: show grid → check VPN tunnel state
DNS queries failing / SERVFAIL — check DNS service status on serving member. Verify zone is assigned to member. Check if zone has valid NS records. Test from appliance: dig @localhost zone.com. Zone with no NS records returns REFUSED · member not assigned returns REFUSED
DHCP pool exhaustion — subnet has no free leases. Immediate: identify and release stale leases. Short-term: expand DHCP range. Long-term: subnet a larger block. Check IPAM utilization report. Show DHCP leases: Grid Manager → Data Management → DHCP → Leases
HA failover not occurring — passive node not detecting active failure. Check HA port connectivity (crossover cable). Check heartbeat thresholds. Check passive node has HA port configured correctly. CLI: show ha-status — verify active/passive state on both nodes
Zone transfer (AXFR) failing to secondary — verify TSIG key matches on both primary and secondary. Check ACL on authoritative zone allows secondary server IP. Verify port 53 TCP open (AXFR uses TCP). Zone → Allow Transfers → verify secondary IP and TSIG key
DDNS not creating DNS records from DHCP — verify DDNS is enabled on both DHCP network and DNS zone. Check GSS-TSIG configuration if using Kerberos. Verify DNS view is correct for the DHCP network. Network → DDNS tab → verify enabled + zone association
RPZ block not working for known bad domain — verify DNS Firewall is enabled on the member serving recursive queries. Check RPZ policy order (local allow overrides block). Verify feed subscription is active and current. Grid → Security → DNS Firewall → check feed last update timestamp
🔍 Diagnostic Tools & Queries
DNS troubleshooting commands
# Test DNS from a Windows client against Infoblox
nslookup webserver01.us.ad.lfg.com 10.0.0.53
Resolve-DnsName -Name webserver01.us.ad.lfg.com -Server 10.0.0.53

# Test DNS from appliance CLI
dig @localhost us.ad.lfg.com SOA
dig @localhost us.ad.lfg.com NS +short
dig @localhost bad-domain.com          # test RPZ block → expect NXDOMAIN
dig @localhost us.ad.lfg.com AXFR      # test zone transfer

# Find who had an IP (lease history via API)
Invoke-RestMethod -Uri "https://gm/wapi/v2.12/lease?address=10.10.5.100&_return_fields=address,starts,ends,hardware,client_hostname" `
    -Credential $cred -SkipCertificateCheck

# Check DHCP utilization on a subnet via API
Invoke-RestMethod -Uri "https://gm/wapi/v2.12/network?network=10.10.5.0/24&_return_fields=network,dhcp_utilization,total_hosts,active_hosts_count" `
    -Credential $cred -SkipCertificateCheck

# Grid member status via API
Invoke-RestMethod -Uri "https://gm/wapi/v2.12/member?_return_fields=host_name,node_info,service_status" `
    -Credential $cred -SkipCertificateCheck
⚡ Quick Reference — Key Paths & Ports
| Component | Access / Path | Port | Notes |
|---|---|---|---|
| Grid Manager UI | https://[gm-ip]/ | 443 | Primary management interface |
| WAPI (REST API) | https://[gm-ip]/wapi/v2.12/ | 443 | All DDI automation |
| WAPI Docs (Swagger) | https://[gm-ip]/wapidoc | 443 | Interactive API documentation |
| SSH CLI | ssh admin@[member-ip] | 22 | CLI diagnostics and Grid join |
| Grid VPN (members→GM) | UDP/TCP from member to GM IP | 1194 | Must be open — Grid DB replication |
| DNS | UDP + TCP to member/VIP | 53 | UDP for queries, TCP for AXFR + large responses |
| DHCP | UDP broadcast / unicast | 67/68 | Client to server (67), server to client (68) |
| DHCP Failover | Between two DHCP member IPs | 647 | Failover protocol synchronization |
| NTP | Outbound from appliance | 123 | Grid time sync (critical for DNSSEC) |
| SNMP (monitoring) | Inbound to appliance | 161 | MIB-based monitoring of member health |
| Syslog (to SIEM) | Outbound from appliance | 514 | UDP/TCP syslog to SIEM targets |
| HTTPS (Universal DDI) | Outbound to portal.infoblox.com | 443 | Universal DDI Management cloud portal |