Owner: Network Engineering · Platform: Infoblox DDI · Review Cycle: Annual
Enterprise DNS and DHCP services are delivered by Infoblox Grid (DDI — DNS, DHCP, IPAM). Infoblox is deployed in high-availability pairs at DC1 and DC2, providing authoritative DNS for all internal zones, recursive resolution for clients, and DHCP across all enterprise subnets.
DNS security filtering is provided by Cisco Umbrella, which sits in front of Infoblox for all external recursive queries.
```
Client (DHCP request)
        │
        ▼
Infoblox Grid Member (site-local)
        │ DHCP lease + DNS server assignment
        ▼
Client DNS query (recursive)
        │
        ▼
Infoblox Grid Master (DC1) or Candidate (DC2)
        │
        ├── Internal zone? → Authoritative answer from Infoblox
        │
        └── External query? → Forwarded to Cisco Umbrella (DoH)
                │
                └── Upstream resolution + security filtering
```
| Zone | Type | Purpose |
|---|---|---|
| corp.company.internal | Primary | All internal hostnames |
| 10.in-addr.arpa | Reverse | PTR records for 10.0.0.0/8 |
| 172.16.in-addr.arpa | Reverse | PTR records for AWS VPCs |
| aws.company.internal | Forward stub | Delegates to Route 53 Resolver |
| azure.company.internal | Forward stub | Delegates to Azure Private DNS |
External-facing domains (e.g. company.com) are split between internal and external views:
The split is enforced by source-IP ACL in Infoblox — corporate subnets receive the internal view.
| Parameter | Standard Value |
|---|---|
| Lease duration — corporate endpoints | 8 hours |
| Lease duration — servers (static preferred) | 24 hours |
| Lease duration — IoT / printers | 24 hours |
| Lease duration — guest | 4 hours |
| Default gateway | First usable IP in subnet |
| DNS servers | Infoblox Grid Member (primary), DC1 Infoblox (secondary) |
| Domain search suffix | corp.company.internal |
| NTP servers | ntp1.corp.company.internal, ntp2.corp.company.internal |
Infoblox DHCP failover is configured in Load Balanced mode between the DC1 and DC2 Grid Members per VLAN. In the event of a single member failure, the surviving member serves 100% of leases automatically.
All external recursive DNS queries from Infoblox are forwarded to Cisco Umbrella resolvers via DNS over HTTPS (DoH). Umbrella provides:
Internal zones are not currently DNSSEC-signed (planned for H2 2026). External zones (company.com) are DNSSEC-signed via Cloudflare.
All DNS queries returning NXDOMAIN or a sinkhole IP are logged and reviewed weekly by the SOC as part of threat hunting activity.
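As an added example (not Infoblox or Umbrella code), a small Python triage helper for the weekly review: it runs over DNS response log lines and flags clients that received sinkhole answers or repeated NXDOMAIN responses, dropping the lone NXDOMAIN that is usually a typo. The BIND-style line format, the sinkhole address range and the sample lines are all assumptions constructed for illustration; adjust the regex and the range to the Grid's actual syslog output and Umbrella's published block addresses.

```python
import ipaddress
import re
from collections import Counter, defaultdict
# Assumption: sinkhole / block-page answers come from this constructed range.
SINKHOLE_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Assumption: Grid members log responses in this BIND-like shape:
# "client <ip>#<port>: query: <name> IN <type> response: <rcode> [<answer>]"
LINE_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) "
    r"response: (?P<rcode>\w+)(?: (?P<answer>[\d.]+))?"
)

def parse_line(line):
    """Fields of one response line, or None for an unrelated syslog line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def is_sinkhole(answer):
    """True when the answered A record falls inside a sinkhole range."""
    return bool(answer) and any(
        ipaddress.ip_address(answer) in net for net in SINKHOLE_NETS)

def triage(lines, nxdomain_threshold=3):
    """Per-client findings: sinkhole hits, and NXDOMAIN totals >= threshold."""
    nx = defaultdict(Counter)   # src -> qname -> NXDOMAIN count
    sink = defaultdict(set)     # src -> qnames answered from a sinkhole
    for rec in filter(None, map(parse_line, lines)):  # skip unrelated lines
        if rec["rcode"] == "NXDOMAIN":
            nx[rec["src"]][rec["qname"]] += 1
        elif is_sinkhole(rec["answer"]):
            sink[rec["src"]].add(rec["qname"])
    findings = {}
    for src, names in sink.items():
        findings.setdefault(src, {})["sinkhole"] = sorted(names)
    # A lone NXDOMAIN is usually a typo; repeated ones from one client are worth a look.
    for src, counter in nx.items():
        total = sum(counter.values())
        if total >= nxdomain_threshold:
            findings.setdefault(src, {})["nxdomain"] = total
    return findings

# Constructed sample lines, not real traffic.
SAMPLE = [
    "client 10.20.5.17#51234: query: intranet.corp.company.internal IN A response: NOERROR 10.20.1.5",
    "client 10.20.5.17#51235: query: ads.example.net IN A response: NOERROR 198.51.100.10",
    "client 10.30.8.4#40011: query: a1b2c3.example.org IN A response: NXDOMAIN",
    "client 10.30.8.4#40012: query: d4e5f6.example.org IN A response: NXDOMAIN",
    "client 10.30.8.4#40013: query: g7h8i9.example.org IN A response: NXDOMAIN",
    "client 10.40.2.9#33333: query: typo.corp.company.internal IN A response: NXDOMAIN",
]
```

Running `triage(SAMPLE)` reports 10.20.5.17 for the sinkhole answer and 10.30.8.4 for three NXDOMAINs, while the single typo from 10.40.2.9 stays out of the review queue.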
IP address management is tracked in Infoblox IPAM (primary) and mirrored read-only to NetBox for cross-team visibility.
Network > IP Allocation Request).
All DNS hostnames follow the format: {role}-{site}-{sequence}.corp.company.internal
| Component | Example | Options |
|---|---|---|
| Role | db, web, app, fw, sw, esx | See naming standard |
| Site | dc1, dc2, hq, brnxx | Site code register in NetBox |
| Sequence | 01, 02, 03 | Two-digit numeric |
Example: esx-dc1-01.corp.company.internal, db-dc1-04.corp.company.internal
NTP is provided hierarchically:
| Stratum | Device | Source |
|---|---|---|
| 1 | ntp1.corp.company.internal (DC1) | GPS/PPS appliance (Meinberg LANTIME) |
| 1 | ntp2.corp.company.internal (DC2) | GPS/PPS appliance (Meinberg LANTIME) |
| 2 | All network devices | ntp1/ntp2 above |
| 2 | All servers | ntp1/ntp2 above |
| 3 | Client PCs | Domain controllers (Stratum 2 via W32tm) |
- https://infoblox.internal (requires network team access)
- https://dashboard.umbrella.com (SSO via Entra ID)
- https://netbox.internal