  1. Obtain and install valid RPZ and Threat Analytics licenses on the appliance that is used to support analytics. For more information about licenses, see About Infoblox Threat Insight. Note that you must have the threat analytics service running on the member serving recursive DNS queries or have recursive DNS queries forwarded to another DNS server. To generate reports that contain statistics about DNS tunneling, you must also configure a reporting appliance in the Grid.
  2. Configure admin permissions so admin users can manage the threat analytics service and analytics-related tasks. For information about how to configure admin permissions, see Managing Permissions.
  3. Create and add a new RPZ and use it as the designated mitigation blacklist feed so the appliance can transfer all blacklisted domains to this feed. For more information, see Configuring a Local RPZ as the Mitigation Blacklist Feed. Ensure that you configure an appropriate policy for this RPZ. To monitor the threat analytics service before actually blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block offending domains, set Policy Override to None (Given).
  4. Start the threat analytics service on the appliance that has the Threat Analytics license installed, as described in Starting and Stopping the Threat Analytics Service.

...

Note: The analytics functionality only works on recursive servers and forwarding servers that use BIND as the DNS resolver; it does not function on authoritative servers or servers that use Unbound as the DNS resolver.

...

After you set up Infoblox Threat Insight to mitigate DNS data exfiltration, you can do the following to manage it:

...