NIOS RPZ feed recommendations to use after the feed revamp release in January 2025.
...
The following feeds are approaching end of service and are being deprecated. In their place, Infoblox offers a set of new RPZ feeds designed to replace the deprecated feeds.
Deprecated RPZ Feeds | Deprecated RPZ Feed Name | Description |
---|---|---|
Base Hostnames | base.rpz.infoblox.local | Enables protection against known hostnames that are dangerous as destinations, such as APT, Bot, Compromised Host/Domains, Exploit Kits, Malicious Name Servers, and Sinkholes. |
AntiMalware | antimalware.rpz.infoblox.local | Enables protection against known malicious hostname threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites. |
Ransomware | ransomware.rpz.infoblox.local | Enables protection against ransomware taking over your system. Ransomware will encrypt files on your system and require you to pay in order to get them decrypted. This feed prevents ransomware from contacting the servers that it needs to encrypt your files. |
Malware DGA Hostnames | malware-dga.rpz.infoblox.local | Domain generation algorithms (DGAs) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers. Examples include Ramnit, Conficker, and Banjori. |
Antimalware IP | antimalware-ip.rpz.infoblox.local | Enables protection against known malicious or compromised IP addresses. These are known to host threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites. |
Suspicious | suspicious.rpz.infoblox.local | The Suspicious Domains feed enables protection against hostnames that have not been directly linked to malicious behavior but behave in a manner that suggests malicious behavior may be imminent. |
Suspicious Lookalike | suspicious-lookalikes.rpz.infoblox.local | The Suspicious Lookalikes feed includes domains that appear to impersonate other trusted domains, but have demonstrated enough abnormal behavior to warrant concern. |
Suspicious NOED | suspicious-noed.rpz.infoblox.local | The Suspicious Emergent Domains feed includes high-risk, new domains. These domains have only recently become active, and share one or more characteristics with other known malicious domains, which warrants concern. |
Newly Observed Emergent Domains | noed.rpz.infoblox.local | The NOED feed includes recently created and newly active domain names. These are not necessarily suspicious but some organizations may wish to log traffic going to these domains as there is a low likelihood that these domains would be visited normally. |
...
With the deprecation of the old RPZ feeds and the release of the new RPZ feeds, Infoblox will also be deprecating the extended feeds listed below. Previously, when a malicious domain's TTL expired, the domain was added to the corresponding Extended feed, which extended its lifetime. We updated that logic to verify the validity of the domain on expiry: if the domain is still valid, it is added to the same feed rather than to a separate Extended feed. As a result, the extended feeds have lately been carrying zero indicators, and at this point we can effectively deprecate them.
Deprecated Extended RPZ Feed | Deprecated Extended RPZ Feed Name |
---|---|
Extended Base & anti-malware Hostnames | ext-base-antimalware.rpz.infoblox.local |
Extended Ransomware | ext-ransomware.rpz.infoblox.local |
Extended AntiMalware IPs | ext-antimalware-ip.rpz.infoblox.local |
...
Given that we have consolidated and simplified the core feed structure, there is no need for the Combination feeds. The Combination feeds were introduced to abstract the details of the individual feeds and to provide a wrapper for extreme, high, medium, and low risk. The consolidated and simplified new core feeds provide that in the feed itself, and the names of the core feeds reflect the risk level. For those reasons, the Combination feeds below will be deprecated.
Deprecated Combination RPZ Feed | Deprecated Combination RPZ Feed Name |
---|---|
Extreme Block | ib-extreme-block.rpz.infoblox.local |
Extreme Log | ib-extreme-log.rpz.infoblox.local |
High Block | ib-high-block.rpz.infoblox.local |
High Log | ib-high-log.rpz.infoblox.local |
Med Block | ib-med-block.rpz.infoblox.local |
Med Log | ib-med-log.rpz.infoblox.local |
Low Block | ib-low-block.rpz.infoblox.local |
Low Log | ib-low-log.rpz.infoblox.local |
...
Feed Availability
Feed Name | Essentials | Business On-Prem | Advanced |
---|---|---|---|
Infoblox Base | ✔ | ✔ | ✔ |
Infoblox Base IP | NA | ✔ | ✔ |
Infoblox High Risk | NA | NA | ✔ |
Infoblox Medium Risk | NA | NA | ✔ |
Infoblox Low Risk | NA | NA | ✔ |
Infoblox Informational | NA | ✔ | ✔ |
For information on adding the new feeds to your appliance and on the sizing requirements, see Sizing Guidelines for Trinzic Appliances.
...