Infoblox DDI appliances have the following limitations on the number of threat intelligence entries that can be loaded onto each appliance. These recommended per-appliance limitations help achieve acceptable performance and should not be exceeded. To help you prioritize and select threat feeds in the DNS FW configuration, use the entry counts shown next to each feed in the NIOS setup, and use the following guidelines:
Threat Intelligence Sizing Limitations for Infoblox DDI Appliances |
Software | RPZ Count in Millions |
---|
IB-815 | 1.5 |
IB-825 | 2 |
IB-926 | 6 |
IB-1415 | 6 |
IB-1425 | 8 |
IB-1516 | 20 |
IB-1526 | 20 |
IB-2215 | 25 |
IB-2225 | 25 |
IB-2326 | 40 |
IB-4015 | 40 |
IB-4025 | 40 |
IB-4126 | 40 |
Info |
---|
- Low end models (1.5M/2M): do not receive any of the three Suspicious feeds (Suspicious, Suspicious Lookalikes, Suspicious NOED), the Newly Observed Emergent Domains feed, or the Farsight Newly Observed Domains (NOD) feed.
- Middle end models (6M/8M): receive some of the Suspicious feeds (but not all three), the Newly Observed Emergent Domains feed, and the Farsight Newly Observed Domains (NOD) feed.
- High end models (20M/40M): receive all feeds.
Appliance and RPZ Feed Sizing |
Feed | RPZ | For Maximum of 1.5M Records | For Maximum of 2M Records | For Maximum of 6M Records | For Maximum of 8M Records | For Maximum of 20M / 40M Records |
---|
Base Hostnames | base.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
AntiMalware | antimalware.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
Malware DGA hostnames | malware-dga.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
Ransomware | ransomware.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
Suspicious | suspicious- | NA | ✔ | ✔ | ✔ | ✔ |
Suspicious Lookalikes | lookalikes.rpz.infoblox.local | NA | NA | NA | NA | ✔ |
Suspicious NOED | suspicious-noed.rpz.infoblox.local | NA | NA | NA | ✔ | ✔ |
DoH Public Hostnames | public-doh.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
DoH Public IPs | public-doh-ip.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
Newly Observed Emergent Domains | noed.rpz.infoblox.local | NA | NA | ✔ | ✔ | ✔ |
AntiMalware_IP | antimalware-ip.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
DHS_AIS_Hostname | dhs-ais-domain.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
Extended Base & anti-malware Hostnames | ext-base-antimalware.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
Extended Ransomware IPs | ext-ransomware.rpz.infoblox.local | ✔ | ✔ | | ✔ | ✔ |
Extended AntiMalware IPs | ext-antimalware-ip.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
Cryptocurrency hostnames and domains | cryptocurrency.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
TOR Exit Node IPs | tor-exit-node-ip.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
Bogon | bogon.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
DHS_AIS_IP | dhs-ais-ip.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
EECN IPs | eecn-ip.rpz.infoblox.loca | ✔ | ✔ | ✔ | ✔ | ✔ |
Spambot IPs DNSBL | spambot-dnsbl-ip.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
US OFAC Sanctions IPs | sanctions-ip.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
Sanctions Med | sanctions-med.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
Sanctions High | sanctions-high.rpz.infoblox.local | ✔ | ✔ | ✔ | ✔ | ✔ |
Farsight Newly Observed Domains (NOD) | farsightnod.rpz.infoblox.local | NA | NA | ✔ | ✔ | ✔ |
Extreme Block | ib-extreme-block.rpz.infoblox.local | NA | NA | NA | NA | ✔ |
Extreme Log | ib-extreme-log.rpz.infoblox.local | NA | NA | NA | NA | ✔ |
High Block | ib-high-block.rpz.infoblox.local | NA | NA | NA | NA | ✔ |
High Log | ib-high-log.rpz.infoblox.local | NA | NA | NA | NA | ✔ |
Med Block | ib-med-block.rpz.infoblox.local | NA | NA | NA | NA | ✔ |
Med Log | ib-med-log.rpz.infoblox.local | NA | NA | NA | NA | ✔ |
Low Block | ib-low-block.rpz.infoblox.local | NA | NA | NA | NA | ✔ |
Low Log | ib-low-log.rpz.infoblox.local | NA | NA | NA | NA | ✔ |
...
Info | Pre-configured Feed Sets |
---|
The pre-configured sets (Extreme/High/Med/Low) are meant to be used on their own. Do not use them in combination with other pre-configured options or with the individual RPZs above: the result is overlap with no additional benefit or protection for customers, and an ineffective use of resources. |
In summary:
- Low end models (1.5M/2M): do not get Suspicious (none of the three), NOED, or Farsight NOD.
- Middle end models (6M/8M): you get NOED, Farsight NOD, and some Suspicious (but not all three).
- High end models (20M/40M): you get everything.
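
The sizing rules above can be checked before a feed selection is deployed. The following is an added example, not Infoblox code: it validates a planned set of RPZs against the per-model limit, the NA columns, and the rule that pre-configured sets are used alone. The entry counts in `PLAN` and `PRESET_PLAN` are constructed, and the Suspicious feed is left out because its zone name is truncated in the table.

```python
# Added example: check a planned RPZ feed selection against the limits on this page.
# Per-appliance RPZ limits in millions of entries, copied from the sizing table.
LIMITS_M = {"IB-815": 1.5, "IB-825": 2, "IB-926": 6, "IB-1415": 6, "IB-1425": 8,
            "IB-1516": 20, "IB-1526": 20, "IB-2215": 25, "IB-2225": 25,
            "IB-2326": 40, "IB-4015": 40, "IB-4025": 40, "IB-4126": 40}
# Smallest sizing column (millions) where the feed table shows a check mark.
# Assumption: feeds absent from this map are treated as available on every model.
MIN_COLUMN_M = {"noed": 6, "farsightnod": 6, "suspicious-noed": 8, "lookalikes": 20}
# Pre-configured sets: ticked only in the 20M / 40M column, and meant to be used alone.
PRESETS = {f"ib-{level}-{action}" for level in ("extreme", "high", "med", "low")
           for action in ("block", "log")}


def check_plan(model, feeds):
    """feeds maps RPZ zone name -> entry count; returns a list of problems found."""
    limit_m = LIMITS_M[model]
    shorts = [zone.split(".rpz.")[0] for zone in feeds]
    problems = []
    for zone, short in zip(feeds, shorts):
        need = 20 if short in PRESETS else MIN_COLUMN_M.get(short, 0)
        if limit_m < need:
            problems.append(f"{zone}: marked NA for models below {need}M")
    if len(shorts) > 1 and any(s in PRESETS for s in shorts):
        problems.append("pre-configured set combined with other RPZs (overlap)")
    total = sum(feeds.values())
    if total > limit_m * 1_000_000:
        problems.append(f"{total:,} entries exceed the {model} limit of {limit_m}M")
    return problems


# Constructed entry counts for illustration; read the real ones from the NIOS setup.
PLAN = {"base.rpz.infoblox.local": 400_000,
        "antimalware.rpz.infoblox.local": 900_000,
        "noed.rpz.infoblox.local": 500_000}
PRESET_PLAN = {"ib-high-block.rpz.infoblox.local": 5_000_000,
               "base.rpz.infoblox.local": 400_000}

if __name__ == "__main__":
    for model, plan in (("IB-815", PLAN), ("IB-926", PLAN), ("IB-1516", PRESET_PLAN)):
        print(model, check_plan(model, plan) or "OK")
```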