
NIOS RPZ feed recommendations to use after the feed revamp release in December 2024.

...

Deprecated RPZ Feeds

| Deprecated RPZ Feed Name | Description |
|---|---|
| Base Hostnames (base.rpz.infoblox.local) | Enables protection against known hostnames that are dangerous as destinations, such as APT, Bot, Compromised Host/Domains, Exploit Kits, Malicious Name Servers, and Sinkholes. |
| AntiMalware (antimalware.rpz.infoblox.local) | Enables protection against known malicious hostname threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites. |
| Ransomware (ransomware.rpz.infoblox.local) | Enables protection against ransomware taking over your system. Ransomware encrypts files on your system and demands payment to decrypt them. This feed prevents ransomware from contacting the servers it needs in order to encrypt your files. |
| Malware DGA Hostnames (malware-dga.rpz.infoblox.local) | Domain generation algorithms (DGAs) are algorithms, seen in various malware families, that periodically generate a large number of domain names to be used as rendezvous points with command and control servers. Examples include Ramnit, Conficker, and Banjori. |
| Antimalware IP (antimalware-ip.rpz.infoblox.local) | Enables protection against known malicious or compromised IP addresses. These are known to host threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites. |
| Suspicious (suspicious-med.rpz.infoblox.local) | The Suspicious Domains feed enables protection against hostnames that have not been directly linked to malicious behavior but behave in a manner that suggests malicious behavior may be imminent. |
| Suspicious Lookalike (suspicious-lookalikes.rpz.infoblox.local) | The Suspicious Lookalikes feed includes domains that appear to impersonate other trusted domains, but have demonstrated enough abnormal behavior to warrant concern. |
| Suspicious NOED (suspicious-noed.rpz.infoblox.local) | The Suspicious Emergent Domains feed includes high-risk new domains. These domains have only recently become active and share one or more characteristics with known malicious domains, enough to warrant concern. |
| Newly Observed Emergent Domains (noed.rpz.infoblox.local) | The NOED feed includes recently created and newly active domain names. These are not necessarily suspicious, but some organizations may wish to log traffic to these domains, as there is a low likelihood that they would be visited in normal operation. |

...

Feed Availability

Columns: Feed Name, Essentials, Business On-Prem, Advanced

Infoblox Base
Infoblox Base IP: NA
Infoblox High Risk: NA, NA
Infoblox Medium Risk: NA, NA
Infoblox Low Risk: NA, NA
Infoblox Informational: NA

For information on adding the new feeds and on the sizing requirements for your appliance, see Sizing Guidelines for Trinzic Appliances.

...

  1. In NIOS Grid Manager, navigate to Data Management > DNS > Response Policy Zones.

  2. Identify the current NIOS feeds for removal. These can be identified by their names:

    • base.rpz.infoblox.local

    • antimalware.rpz.infoblox.local

    • ransomware.rpz.infoblox.local

    • malware-dga.rpz.infoblox.local

    • antimalware-ip.rpz.infoblox.local

    • suspicious-med.rpz.infoblox.local

    • suspicious-lookalikes.rpz.infoblox.local

    • suspicious-noed.rpz.infoblox.local

    • noed.rpz.infoblox.local

      Note: The availability of the new RPZ feeds is dependent on subscription level.

    The old NIOS RPZ feeds to be removed prior to replacing with the new feeds.

    Note: If you have a large number of RPZs, use the search function to locate the feeds to be removed.

    Searching for specific RPZs to be removed.

  3. Select the checkbox associated with one of the feeds to be removed.

  4. Click the trash can icon or the Delete button in the toolbar.

    Removing the old RPZ feeds from NIOS.

  5. Click Yes in the Delete Confirmation dialog.

    Confirming the removal of the selected feeds. The removed feeds will be moved to the Recycle Bin.

  6. If you are removing multiple feeds, repeat steps 3-5 for each.

  7. Deletion of RPZs requires a service restart. Click Restart, located in the yellow banner at the top, to perform a service restart.

  8. In the Restart Grid Services dialog, adjust Restart Method if desired and click Restart.

    Selecting a restart method from among the restart options.
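Removing nine feeds by hand, possibly across several DNS views, is easy to get wrong, so it helps to reconcile the Grid's RPZ list against the deprecated-feed names before and after the deletion. The script below is an added example, not Infoblox tooling: it operates on the kind of listing the NIOS WAPI returns for the `zone_rp` object type (the return fields `_ref`, `fqdn`, `rpz_type`, `view` and the WAPI version `v2.12` are assumptions; check the WAPI documentation for your NIOS release), and computes which deprecated feeds are still present in which view, which are already gone, and which RPZs are unrelated and must be kept. The sample listing is constructed; the script deletes nothing.

```python
"""Inventory check for the deprecated NIOS RPZ feeds.

Added example, not Infoblox tooling. It works on the list of RPZ objects the
NIOS WAPI returns for the 'zone_rp' object type (assumed return fields: _ref,
fqdn, rpz_type, view; WAPI version v2.12 is an assumption, check the WAPI
documentation for your NIOS release) and reports, per DNS view, which of the
nine deprecated feeds are still configured. Nothing is deleted by this script;
it only computes the list to check the Grid Manager removal against.
"""
import base64
import json
import urllib.request
from dataclasses import dataclass

# The nine feed zones listed in the removal procedure above.
DEPRECATED_FEEDS = frozenset({
    "base.rpz.infoblox.local",
    "antimalware.rpz.infoblox.local",
    "ransomware.rpz.infoblox.local",
    "malware-dga.rpz.infoblox.local",
    "antimalware-ip.rpz.infoblox.local",
    "suspicious-med.rpz.infoblox.local",
    "suspicious-lookalikes.rpz.infoblox.local",
    "suspicious-noed.rpz.infoblox.local",
    "noed.rpz.infoblox.local",
})

WAPI_VERSION = "v2.12"  # assumption; use the version your Grid supports


@dataclass(frozen=True)
class RemovalPlan:
    to_delete: tuple      # (view, fqdn, _ref) for every deprecated feed still present
    already_gone: tuple   # deprecated feed names not present in any view
    kept: tuple           # (view, fqdn) for RPZs that are not on the deprecated list


def plan_removal(zones: list[dict]) -> RemovalPlan:
    """Split a zone_rp listing into deprecated feeds to delete and zones to keep.

    Feed names are matched case-insensitively and without a trailing dot; a
    deprecated feed present in several DNS views yields one entry per view.
    """
    to_delete, kept, seen = [], [], set()
    for z in zones:
        fqdn = z["fqdn"].rstrip(".").lower()
        view = z.get("view", "default")
        if fqdn in DEPRECATED_FEEDS:
            to_delete.append((view, fqdn, z["_ref"]))
            seen.add(fqdn)
        else:
            kept.append((view, fqdn))
    already_gone = tuple(sorted(DEPRECATED_FEEDS - seen))
    return RemovalPlan(tuple(sorted(to_delete)), already_gone, tuple(sorted(kept)))


def delete_url(grid_master: str, ref: str) -> str:
    """URL for a WAPI DELETE of one object reference (the _ref field)."""
    return f"https://{grid_master}/wapi/{WAPI_VERSION}/{ref}"


def fetch_zone_rp(grid_master: str, user: str, password: str) -> list[dict]:
    """Live listing of RPZs over WAPI (not exercised by the sample run below)."""
    url = (f"https://{grid_master}/wapi/{WAPI_VERSION}/zone_rp"
           "?_return_fields=fqdn,rpz_type,view&_max_results=1000")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample listing (the _ref values are made up): two views, one
# feed already removed from the second view, plus a locally managed RPZ that
# must not be touched.
SAMPLE_ZONES = [
    {"_ref": "zone_rp/ZG5zLnpvbmUkLl9kZWZhdWx0OmJhc2U:base.rpz.infoblox.local/default",
     "fqdn": "base.rpz.infoblox.local", "rpz_type": "FEED", "view": "default"},
    {"_ref": "zone_rp/ZG5zLnpvbmUkLl9kZWZhdWx0OmFudGltYWx3YXJl:antimalware.rpz.infoblox.local/default",
     "fqdn": "antimalware.rpz.infoblox.local", "rpz_type": "FEED", "view": "default"},
    {"_ref": "zone_rp/ZG5zLnpvbmUkLl9kZWZhdWx0OmxvY2Fs:local-allow.rpz/default",
     "fqdn": "local-allow.rpz", "rpz_type": "LOCAL", "view": "default"},
    {"_ref": "zone_rp/ZG5zLnpvbmUkLmd1ZXN0OmJhc2U:base.rpz.infoblox.local/guest",
     "fqdn": "base.rpz.infoblox.local", "rpz_type": "FEED", "view": "guest"},
]

if __name__ == "__main__":
    plan = plan_removal(SAMPLE_ZONES)
    for view, fqdn, ref in plan.to_delete:
        print(f"delete  {view:8} {fqdn:45} {delete_url('gm.example.invalid', ref)}")
    for fqdn in plan.already_gone:
        print(f"absent  {fqdn}")
    for view, fqdn in plan.kept:
        print(f"keep    {view:8} {fqdn}")
```

Run the plan once before deleting to get the per-view list, and again afterwards: a clean result has an empty `to_delete` and all nine names under `already_gone`, while `kept` shows that local RPZs and the new feeds were left alone.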

...

  1. In NIOS Grid Manager, navigate to Data Management > DNS > Response Policy Zones.

  2. Click the add icon or the Add button in the toolbar. 

    The new NIOS RPZ feeds, added in the recommended order (slots 0 through 5).

  3. On Step 1 of the Add Response Policy Zone Wizard, select Add Response Policy Zone Feed.

  4. Click Next.

    The first step of adding a response policy zone feed.

  5. On Step 2, paste the Name of the feed, as copied from the Infoblox Portal.

  6. Optionally, adjust Policy Override and Severity. Note: This should reflect the policy used on the feeds being replaced.

  7. Click Next.

    The second step of adding a response policy zone feed includes providing a name for the feed and optionally adjusting the policy override and severity.

  8. On Step 3, use the Add button dropdown to select External Primary. Note: To save time, you can instead use a nameserver group configured with the external primary and any Grid secondaries to be used for all RPZs. Refer to NIOS Documentation for additional information on creating nameserver groups.

    The third step of adding a response policy zone feed involves selecting the External Primary.

  9. Enter a Name. Note: This field is for reference purposes only; use any name you choose.

  10. Enter the Address of the distribution server as copied from the Infoblox Portal.

  11. Select the box for Use TSIG.

  12. Enter the Key Name as copied from the Infoblox Portal.

  13. Select the Key Algorithm as noted from the Infoblox Portal.

  14. Enter the Key Data as copied from the Infoblox Portal.

  15. Click Add.

    Adding configuration information in the TSIG text fields.

  16. Click the Add button and select Grid Secondary from the menu options.

    Adding a Grid Secondary.

  17. Click Select and choose the NIOS member to update. Note: You can configure a single secondary to be the “Lead Secondary”. If you select this, that member will be the only one to reach out to the external primary; the feed is then redistributed to the other members using zone transfers.

  18. Click Add.

    Selecting the NIOS member to update.

  19. (Optional) Repeat Steps 17 and 18 to add additional NIOS appliances as secondaries. 

  20. Click Save & Close.

    Adding secondary nameservers.

  21. Repeat steps 2-20 for each feed you are adding.

  22. Adding an RPZ requires a service restart. In the banner at the top of the Grid Manager window, click Restart.

    Click Restart to apply the added feeds and restart NIOS.

  23. In the Restart Grid Services dialog, adjust Restart Method if desired and click Restart.

    Selecting a restart method from among the restart options to restart the Grid Service.

  24. (Optional) Once you have added all feeds, use the Order Response Policy Zones button in the Toolbar to change the order feeds are applied. 

  25. In the Order Response Policy Zones dialog, use the arrows to change the

  26. Click OK when complete. 

    Configuring Order Response Zones for the new NIOS RPZ feeds.


  27. Changing the order of RPZs requires a service restart to take effect. In the banner at the top of the Grid Manager window, click on Restart.

  28. In the Restart Grid Services dialog, adjust Restart Method if desired and click Restart.
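The order set in steps 24 through 26 is not cosmetic: a resolver walks the RPZ list from slot 0 downward and the first zone holding a matching rule decides the answer, so a local passthru (allow-list) RPZ placed after a feed cannot rescue a false positive, and a Policy Override (step 6) rewrites the action of every rule in that one feed. The model below is an added illustration, not Infoblox or BIND code; it covers only QNAME rules with RPZ wildcard semantics, ignores other trigger types and BIND's intra-zone precedence, and the feed contents and zone names `local-allow.rpz`, `base.rpz.infoblox.local` and `noed.rpz.infoblox.local` carry constructed rules.

```python
"""Why RPZ order matters: first matching zone wins, and Policy Override
rewrites a whole feed's actions.

Added illustration, not Infoblox or BIND code. It models the evaluation a
resolver performs over the ordered RPZ list (slot 0 first) so the effect of
the "Order Response Policy Zones" step and of a per-feed Policy Override can
be seen on constructed sample data. Feed contents here are made-up rules; the
real feeds arrive by zone transfer and carry far more entries.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rpz:
    name: str
    rules: dict[str, str] = field(default_factory=dict)  # owner name -> feed action
    override: Optional[str] = None  # NIOS "Policy Override": used instead of every rule's action


def _candidates(qname: str):
    """Owner names to test for a query: the exact name, then RPZ-style wildcards.
    '*.example.com' covers sub.example.com but not example.com itself."""
    q = qname.rstrip(".").lower()
    yield q
    labels = q.split(".")
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])


def zone_action(zone: Rpz, qname: str) -> Optional[str]:
    """Action this zone holds for qname, or None when the zone has no rule."""
    for owner in _candidates(qname):
        if owner in zone.rules:
            return zone.override or zone.rules[owner]
    return None


def evaluate(order: list[Rpz], qname: str) -> tuple[str, Optional[str]]:
    """Walk the zones in configured order; the first zone with a matching rule
    decides, and later zones are never consulted for that query."""
    for zone in order:
        action = zone_action(zone, qname)
        if action is not None:
            return action, zone.name
    return "resolve", None   # no policy hit: answer normally


# Constructed sample configuration.
ALLOW = Rpz("local-allow.rpz", {"partner.example": "passthru",
                                "*.partner.example": "passthru"})
BASE = Rpz("base.rpz.infoblox.local", {"evil-c2.example": "nxdomain",
                                       "*.evil-c2.example": "nxdomain",
                                       "partner.example": "nxdomain"})  # assumed false positive
NOED = Rpz("noed.rpz.infoblox.local", {"brand-new-site.example": "nxdomain"},
           override="log-only")  # log newly observed domains rather than block them

RECOMMENDED = [ALLOW, BASE, NOED]   # allow-list in slot 0, feeds after it
MISORDERED = [BASE, NOED, ALLOW]    # allow-list last: it can never override a feed hit


def demo(order: list[Rpz]) -> dict[str, tuple[str, Optional[str]]]:
    """Evaluate a fixed set of constructed queries against one RPZ order."""
    queries = ["partner.example", "www.partner.example", "evil-c2.example",
               "cdn.evil-c2.example", "brand-new-site.example", "example.org"]
    return {q: evaluate(order, q) for q in queries}


if __name__ == "__main__":
    for label, order in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        print(f"--- {label} order: {[z.name for z in order]}")
        for q, (action, zone) in demo(order).items():
            print(f"{q:28} -> {action:9} ({zone or 'no match'})")
```

Running it shows `partner.example` passing through under the recommended order but returning NXDOMAIN under the misordered one, while `brand-new-site.example` is only logged because the NOED feed's override replaces its block action; this is the behaviour to confirm with a few test queries after the restart in step 28.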

...