Versions Compared

Version Old Version 26 New Version Current
Changes made by

Gary Leicht

Gary Leicht

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Allow (= Allow but no log)
  2. Redirect
  3. Block
  4. Log (= Allow and log)

Infoblox Platform Platform automatically creates the following default global policies. If you are concerned about DNS data exfiltration through DNS tunneling, DNSMessenger, Fast Flux, and DGA (including Dictionary DGA), you can add any or all of these policies to the security policy for a allow list or backlist. Note that you cannot modify or delete these default policies.

...

  • Threat Insight – DNS Messenger: The default action for this policy is Log. This list helps minimize the risk of malicious activities that are brought upon your networks through the DNSMessenger malware, a Remote Access Trojan (RAT), that attackers use to conduct malicious Powershell commands on compromised devices. Threat Insight – Fast Flux: The default action for this policy is Log. This list helps minimize the risk of malicious activities that are brought upon your networks using the Fast Flux technique. Fast Flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind a network of compromised hosts acting as proxies. It can also be a combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery.
  • Threat Insight – DGA: The default action for this policy is Log. This list helps minimize the risk of malicious activities that are brought upon your networks using the Domain Generation Algorithm (DGA). DGA is a scheme used by malwares for domain fluxing by generating variations of a given domain name. They can be used to create a large number of domain names used as rendezvous points with command and control servers, in an attempt to evade detection by signature filters, block lists, reputation systems, security gateways, intrusion prevention systems, and other security methods.
  • Threat Insight - Zero Day DNSThe default action for Zero Day DNS is Block - No Redirect. This list features real-time streaming detection. It is designed to identify domains implicated in threat campaigns immediately after their registration, eliminating the aging period. It effectively blocks threat indicators in the initial stage of the threat lifecycle, specifically within 1 to 2 minutes following their registration. This proactive approach ensures the protection of our users against threats even before the commencement of the threat campaign. Infoblox blocks these domains using  short duration TTL of 48 hours by which time other security system in place will have enough information to protect per the exisitng policy. 

...