...
- To start the threat analytics service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Analytics license installed on the Grid member on which you want to start the threat analytics service. To download updates for the threat analytics module and whitelist sets, you must have at least one Threat Analytics license installed in the Grid.
- Infoblox recommends that you run the threat analytics service for a limited time to monitor and preview what has been detected before actually blocking blacklisted domains. Carefully review the list of detected domains and decide which domains you want to continue blocking and which domains you want to add to the analytics whitelist. Review the blacklisted domains on a regular basis to make sure that no legitimate use of DNS tunneling is blocked. Note that you can update the analytics whitelist by adding new whitelisted domains, moving legitimate domains from the blacklisted domain list, or using CSV import and export. For more information, see Configuring a Local RPZ as the Mitigation Blacklist Feed.
- Analytics whitelisted domains and supported DNS tunneling tools are updated periodically and are bundled with future NIOS releases. To ensure that your appliance is using the most up-to-date whitelist, upgrade to the next NIOS release or configure the appliance to download threat analytics updates. For information about upgrades, see About Upgrades. Note that this process may change in future NIOS releases.
- There are no configurable parameters for Infoblox Threat Insight. Infoblox uses built-in algorithms to analyze DNS statistics and blocks offending domains based on the analyzed data.
- DNS tunneling detection is not instantaneous. It may take a few seconds to a few minutes for the analytics to determine positive DNS tunneling activities.
- During an HA failover, analytics data that is in progress on the active node might be lost. Only new DNS queries that arrive on the new active node after a successful failover are analyzed, and it may take a few minutes for the analytics to return to its normal state. If there is no connection between the Grid Master and the Grid member, blacklisted domains detected by the analytics cannot be transferred to the Grid Master as RPZ records for the pre-configured RPZ zone; this does not apply to standalone appliances with an RPZ license installed. In addition, ensure that the passive node also has the RPZ license installed and that its hardware model is capable of running the threat analytics service. For information about supported appliance models, see Supported Appliances for Infoblox Threat Insight.
- The threat analytics service only works on recursive DNS servers and forwarding servers that use BIND as the DNS resolver. It does not support Unbound as the DNS resolver.
- The analytics whitelist applies only to Infoblox Threat Insight; it does not apply to signature-based tunneling detection. Anti-DNS tunneling threat protection rules are implemented to address signature-based tunneling analysis. For detailed information about threat protection rules, refer to the Infoblox Threat Protection Rules document available on the Support web site.
- Infoblox Threat Insight does not support RESTful APIs.
...
When you stop the threat analytics service, the appliance does not detect or protect against non-signature-based DNS tunneling. In addition, reports that you generate might not include statistics related to DNS tunneling.
...
You can also do the following in the blacklisted domain panel:
- Click Go to Analytics Whitelist View to view the analytics whitelist. In the Whitelist panel, you can see all the trusted domains for Infoblox Threat Insight, and DNS activities are allowed on these domains. For more information, see Viewing the Analytics Whitelist.
- If you want to move a blacklisted domain to the analytics whitelist so it becomes a trusted domain, select the domain check box and click the action icon (shown as a gear in each row) next to the domain, and then select Move to Whitelist.
- Navigate to the next or last page of the list using the paging buttons at the bottom of the panel.
- Refresh the blacklist feed by clicking the Refresh button.
- Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Goto field and select the object from the possible matches.
- Select a quick filter to search for specific entries.
- Print the blacklist or export it in CSV format.
...
- Pre-defined Reports: If you have a reporting appliance configured in the Grid, you can generate the following reports that include DNS tunneling data:
- Syslog: All DNS tunneling activities are logged to the syslog. You can view this log to identify specific activities related to DNS tunneling. For more information, see Using a Syslog Server.