Versions Compared

Version Old Version 15 New Version 16
Changes made by

Gary Leicht

Gary Leicht

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

NIOS RPZ feed recommendations to use after the feed revamp release in December 2024.

...

As part of Infoblox’s mission to improve the quality and value of the BloxOne Infoblox Threat Defense product line, we are simplifying threat feeds for easy and correct security policy action.

...

This guide aims to facilitate the transition from the soon-to-be deprecated BloxOne Infoblox Threat Defense feeds approaching end of service to their updated versions which are to be integrated into NIOS Response Policy Zones (RPZ). Infoblox recommends that NIOS users currently relying on the soon-to-be-deprecated feeds switch to the new feeds as they become available in April 2024 to ensure continued comprehensive threat protection.

...

  • Remove all to-be-deprecated feeds from NIOS RPZ prior to their EOS date in December 2024. Replace the deprecated feeds with the recommendations as provided by Infoblox.  When the to-be-deprecated feeds reach EOS, NIOS will no longer be able to sync them from the Cloud Services Infoblox Portal, leading to an error state.

  • When replacing feeds with the recommendations below, consider policy settings, eg., logging vs blocking, of currently used feeds and replicate them for the replacements.

...

Deprecated RPZ Feeds

Deprecated RPZ Feed Name

Description

Base Hostnames

base.rpz.infoblox.local

Enables protection against known hostnames that are dangerous as destinations, such as APT, Bot, Compromised Host/Domains, Exploit Kits, Malicious Name Servers, and Sinkholes.

AntiMalware

antimalware.rpz.infoblox.local

Enables protection against known malicious hostname threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites.

Ransomware

ransomware.rpz.infoblox.local

Enables protection against ransomware taking over your system. Ransomware will encrypt files on your system and require you to pay in order to get them decrypted. This feed prevents ransomware to contact the servers which it needs to encrypt your files.

Malware DGA Hostnames

malware-dga.rpz.infoblox.local

Domain generation algorithm (DGA) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers. Examples include Ramnit, Conficker, and Banjori.

Antimalware IP

antimalware-ip.rpz.infoblox.local

Enables protection against known malicious or compromised IP addresses. These are known to host threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites.

Suspicious

sanctionssuspicious-med.rpz.infoblox.local

The Suspicious Domains feed enables protection against hostnames that have not been directly linked to malicious behavior but behave in a manner that suggests malicious behavior may be imminent.

Suspicious Lookalike

suspicious-lookalikes.rpz.infoblox.local

The Suspicious Lookalikes feed includes domains that appear to impersonate other trusted domains, but have demonstrated enough abnormal behavior to warrant concern.

Suspicious NOED

suspicious-noed.rpz.infoblox.local

The Suspicious Emergent Domains feed include high risk, new domains. These domains have only recently become active, and share one or more characteristics with other known malicious domains to warrant concern.

Newly Observed Emergent Domains

noed.rpz.infoblox.local

The NOED feed includes recently created and newly active domain names. These are not necessarily suspicious but some organizations may wish to log traffic going to these domains as there is a low likelihood that these domains would be visited normally.

...

Feed Availability

Feed Name

Essentials

Business On-Prem

Advanced

Infoblox Base

Infoblox Base IP

NA

Infoblox High Risk

NA

NA

Infoblox Medium Risk

NA

NA

Infoblox Low Risk

NA

NA

Infoblox Informational

NA

For information for adding the new feeds and sizing requirements to your appliance, see Sizing Guidelines for Trinzic Appliances

...

The following are the recommended NIOS feed replacements based on subscription level. For BloxOne For Infoblox Threat Defense Advanced, special attention must be placed on your appliance capacity when selecting replacement feeds. 

...

Infoblox Threat Defense Essentials

BloxOne Threat

Infoblox Threat Defense Essentials RPZ Feed Mapping

(old to new feeds)

Old Feeds

to

New Feed

Base Hostnames
AntiMalware
Ransomware
Malware DGA hostnames

=>

Infoblox Base

...

Infoblox Business On-Prem 

BloxOne Infoblox Business On-Prem and Business Cloud subscriptions contain all feeds included with the  BloxOne the Infoblox Essentials subscription plus the following RPZ feeds:

BloxOne Threat

Infoblox Threat Defense Business On-Prem and Business Cloud RPZ Feed Mapping

(old to new feeds)

Old Feeds

to

New Feeds

Infoblox Antimalware IP

=>

Infoblox Base IP

Newly Observed Emergent Domains (NOED)

=>

Infoblox Informational

BloxOne Infoblox Business On-Prem contains all feeds included with BloxOne Infoblox Essentials subscription in addition to the feeds listed above. 

...

Infoblox Threat Defense Advanced

Warning

For NIOS customers possessing a BloxOne Infoblox Threat Defense Advanced subscription, attention must be placed on your appliance capacity when selecting your RPZ feeds.

The BloxOne Infoblox Threat Defense Advanced subscription contains all feeds included with BloxOne Infoblox Essentials and BloxOne Infoblox Business tier subscriptions plus the following RPZ feeds: 

BloxOne Threat

Infoblox Threat Defense Advanced RPZ Feed Mapping

(old to new feeds)

Old Feeds

to

New Feeds

Suspicious 
Suspicious Lookalikes
Suspicious NOED

=>

Infoblox High Risk
Infoblox Medium Risk
Infoblox Low Risk

The BloxOne Infoblox Threat Defense Advanced subscription contains all feeds included with BloxOne Infoblox Essentials and BloxOne Infoblox Business tier subscriptions in addtion to the feeds listed above.  Do note that for NIOS subscribers of a BloxOne Infoblox Threat Defense Advanced subscription, attention must be placed on your appliance capacity when selecting your RPZ feeds.

...

To get the configuration information for the new, replacement NIOS RPZ feeds, you need to find out the feed names and the configuration details for the distribution server.

  1. In the Cloud Services Infoblox Portal, navigate to Policies > On-Prem DNS Firewall.

    Navigating to On-Prem DNS Firewall within the Cloud Services Portal.

  2. Click on Feed Configuration Values.

    Click Feed Configuration Values (Step 2) of the feed configuration process.

  3. In the Threat Feed Details list, locate the first feed you will configure. Refer to the table in the Replacement Feed Mapping section for recommended feeds.

  4. Click the Copy button for the desired. Note: Paste this and other configuration data copied in this section into a text file for easy retrieval when configuring the feeds in NIOS.

    The Threat Feed Details list from the Cloud Services Portal.

  5. Repeat steps 3 and 4 for each Refer to the table in the Replacement Feed Mapping section for recommended feeds.

  6. Click Close.

  7. Click on Distribution Server Configuration Values.

    Click Distribution Server Configuration Values.


  8. Scroll down to locate the Distribution Server you will use and click the Copy button for the IPv4 or IPv6 Note: Paste this and other configuration data copied in this section into a text file for easy retrieval when configuring the feeds in NIOS.

  9. Scroll down to the TSIG

  10. Note the Key Algorithm that is configured.

  11. Copy the Key Note: Paste this and other configuration data copied in this section into a text file for easy retrieval when configuring the feeds in NIOS.

  12. Copy the TSIG. Note: Paste this and other configuration data copied in this section into a text file for easy retrieval when configuring the feeds in NIOS.

  13. Click Cancel to exit the Distribution Server. 

    The Distribution Server and TSIG details panel configuration.

...

  1. In NIOS Grid Manager, navigate to Data Management > DNS > Response Policy Zones.

  2. Click the add icon or the Add button in the toolbar. 

    The new NIOS RPZ feeds added in order of recommended order (slots 0 through 5).

  3. On Step 1 of the Add Response Policy Zone Wizard, select Add Response Policy Zone Feed.

  4. Click Next.

    The first step of adding a response policy zone feed.

  5. On Step 2, paste the Name of the feed, as copied from the Cloud Services Infoblox Portal.

  6. Optionally, adjust Policy Override and Severity. Note: This should reflect the policy used on the SURBL feeds being replaced.

  7. Click Next.

    The second step of adding a response policy zone feed includes providing a name for the feed and optionally adjusting the policy override and severity.

  8. On Step 3, use the Add button dropdown to select External PrimaryNote: To save time, you can instead use a nameserver group configured with the external primary and any Grid secondaries to be used for all RPZs. Refer to NIOS Documentation for additional information on creating nameserver groups.

    The third step of adding a response policy zone feed involves selecting the External Primary.

  9. Enter a Name. Note: This field is for reference purpose only, use any name you choose.

  10. Enter the Address of the distribution server as copied from the Cloud Services Infoblox Portal.

  11. Select the box for Use TSIG.

  12. Enter the Key Name as copied from the Cloud Services Infoblox Portal.

  13. Select the Key Algorithm as noted from the Cloud Services Infoblox Portal.

  14. Enter the Key Data as copied from the Cloud Services Infoblox Portal.

  15. Click Add.

    Adding configuration information in the TSIG text fields.

  16. Use the Add button followed by selecting Grid Secondary from among the menu option choices.

    Adding a Grid Secondary.

  17. Click Select followed by choosing the NIOS member to update. Note: You can configure a single secondary to be “Lead Secondary”. If you select this, then that member will be the only one to reach out to the external primary. The feed is then redistributed between members using zone transfers.

  18. Click Add.

    Selecting the NIOS member to update.

  19. (Optional) Repeat Steps 17 and 18 to add additional NIOS appliances as secondaries. 

  20. Click Save & Close.

    Adding secondary nameservers.

  21. Repeat steps 2-20 for each feed you are adding.

  22. When adding an RPZ a service restart is In the banner at the top of the Grid Manager window, click on Restart.

    Click Restart to remove the desired feeds and restart NIOS.

  23. In the Restart Grid Services dialog, adjust Restart Method if desired and click Restart.

    Selecting a restart method from among the restart options to restart the Grid Service.

  24. (Optional) Once you have added all feeds, use the Order Response Policy Zones button in the Toolbar to change the order feeds are applied. 

  25. In the Order Response Policy Zones dialog, use the arrows to change the

  26. Click OK when complete. 

    Configuring Order Response Zones for the new NIOS RPZ feeds.

    Image: Configuring Order Response Zones for the new NIOS RPZ feeds.

  27. Changing the order of RPZs requires a service restart to take effect. In the banner at the top of the Grid Manager window, click on Restart.

  28. In the Restart Grid Services dialog, adjust Restart Method if desired and click Restart.

...