NIOS RPZ feed recommendations to use after the feed revamp release on January 31, 2025.

This document covers the NIOS RPZ feed recommendations, the release of the new threat feeds in April 2024, and best practices for transitioning to the new threat feeds.

  • Infoblox offers a set of new RPZ feeds designed to replace the deprecated ones, including Infoblox Base, High Risk, Medium Risk, Low Risk, and Informational.

  • The old RPZ feeds will be deprecated on January 31, 2025, while the new replacements will be released in April 2024.

  • Infoblox recommends switching to the new threat feeds in April 2024 for continued comprehensive threat protection.

  • Best practices involve removing the to-be-deprecated feeds before their EOS date (January 31, 2025) and replacing them with the feeds Infoblox recommends. The overlap between the release of the new feeds and the deprecation of the old ones should allow sufficient time to transition to the new threat feeds.


  • Remove all to-be-deprecated feeds from NIOS RPZ prior to their EOS date on January 31, 2025, and replace them with the recommendations provided by Infoblox. When the to-be-deprecated feeds reach EOS, NIOS will no longer be able to sync them from the Infoblox Portal, leading to an error state.

  • When replacing feeds with the recommendations below, consider the policy settings (e.g., logging vs. blocking) of the feeds currently in use and replicate them for the replacements.

RPZ Feeds Scheduled for Deprecation on January 31, 2025

The following feeds are approaching end of service and are being deprecated. In their place, Infoblox offers a set of new RPZ feeds designed to replace the deprecated feeds.

Deprecated RPZ Feeds

| Deprecated RPZ Feed Name | Description |
| --- | --- |
| Base Hostnames (base.rpz.infoblox.local) | Enables protection against known hostnames that are dangerous as destinations, such as APT, Bot, Compromised Host/Domains, Exploit Kits, Malicious Name Servers, and Sinkholes. |
| AntiMalware (antimalware.rpz.infoblox.local) | Enables protection against known malicious hostname threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites. |
| Ransomware (ransomware.rpz.infoblox.local) | Enables protection against ransomware taking over your system. Ransomware encrypts files on your system and requires you to pay in order to get them decrypted. This feed prevents ransomware from contacting the servers it needs in order to encrypt your files. |
| Malware DGA Hostnames (malware-dga.rpz.infoblox.local) | Domain generation algorithms (DGAs) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers. Examples include Ramnit, Conficker, and Banjori. |
| Antimalware IP (antimalware-ip.rpz.infoblox.local) | Enables protection against known malicious or compromised IP addresses. These are known to host threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites. |
| Suspicious (suspicious.rpz.infoblox.local) | The Suspicious Domains feed enables protection against hostnames that have not been directly linked to malicious behavior but behave in a manner that suggests malicious behavior may be imminent. |
| Suspicious Lookalike (suspicious-lookalikes.rpz.infoblox.local) | The Suspicious Lookalikes feed includes domains that appear to impersonate other trusted domains, but have demonstrated enough abnormal behavior to warrant concern. |
| Suspicious NOED (suspicious-noed.rpz.infoblox.local) | The Suspicious Emergent Domains feed includes high-risk new domains. These domains have only recently become active, and share one or more characteristics with other known malicious domains, enough to warrant concern. |
| Newly Observed Emergent Domains (noed.rpz.infoblox.local) | The NOED feed includes recently created and newly active domain names. These are not necessarily suspicious, but some organizations may wish to log traffic going to these domains, as there is a low likelihood that these domains would be visited normally. |


With the deprecation of the old RPZ feeds and the release of the new RPZ feeds, Infoblox will also deprecate the Extended feeds listed below, which have lately been carrying zero indicators. Previously, when a malicious domain's TTL expired, the domain was added to the corresponding Extended feed, extending its lifetime. That logic was updated to re-verify the domain on expiry: if the domain is still valid, it is kept in the same feed rather than moved to a separate Extended feed. As a result, the Extended feeds have carried zero indicators lately, and they can now be deprecated.

| Deprecated Extended RPZ Feed | Deprecated Extended RPZ Feed Name |
| --- | --- |
| Extended Base & anti-malware Hostnames | ext-base-antimalware.rpz.infoblox.local |
| Extended Ransomware | ext-ransomware.rpz.infoblox.local |
| Extended AntiMalware IPs | ext-antimalware-ip.rpz.infoblox.local |


Because the core feed structure has been consolidated and simplified, the Combination feeds are no longer needed. They were introduced to abstract away the details of the individual feeds and provide a wrapper for extreme, high, medium and low risk. The consolidated new core feeds provide that in the feeds themselves, and the names of the core feeds reflect the risk level. For those reasons, the Combination feeds below will be deprecated.

| Deprecated Combination RPZ Feed | Deprecated Combination RPZ Feed Name |
| --- | --- |
| Extreme Block | ib-extreme-block.rpz.infoblox.local |
| Extreme Log | ib-extreme-log.rpz.infoblox.local |
| High Block | ib-high-block.rpz.infoblox.local |
| High Log | ib-high-log.rpz.infoblox.local |
| Med Block | ib-med-block.rpz.infoblox.local |
| Med Log | ib-med-log.rpz.infoblox.local |
| Low Block | ib-low-block.rpz.infoblox.local |
| Low Log | ib-low-log.rpz.infoblox.local |


Feed Availability

Feed Name

Essentials

Business On-Prem

Advanced

Infoblox Base

Infoblox Base IP

NA

Infoblox High Risk

NA

NA

Infoblox Medium Risk

NA

NA

Infoblox Low Risk

NA

NA

Infoblox Informational

NA

For information on adding the new feeds and on the sizing requirements for your appliance, see Sizing Guidelines for Trinzic Appliances.

| Feed Name | RPZ Feed Name | Description |
| --- | --- | --- |
| Infoblox Base | infoblox-base.rpz.infoblox.local | The Infoblox Base feed enables protection against known malicious or compromised domains, including known malware, ransomware, APTs, exploit kits, malicious name servers, sinkholes, etc. We recommend blocking them for all users. |
| Infoblox Base IP | infoblox-base-ip.rpz.infoblox.local | The Infoblox Base IP feed enables protection against known malicious or compromised IP addresses. These IPs are known infrastructure hosting threats that can act on or control a system, such as malware C&C, malware downloads and active phishing sites. We recommend blocking them for all users. |
| Infoblox High Risk | infoblox-high-risk.rpz.infoblox.local | The Infoblox High Risk feed includes domains that are not yet confirmed but are highly suspicious and very likely to be used in a malicious act at some point. Although unconfirmed, these domains carry high threat and high confidence, so we recommend blocking them for most users. It includes Suspicious domains, Suspicious Lookalikes and Suspicious NOED (Newly Observed Emergent Domains) with a high combined score of threat and confidence levels. |
| Infoblox Medium Risk | infoblox-med-risk.rpz.infoblox.local | The Infoblox Medium Risk feed includes domains that are not yet confirmed but still pose medium risk: suspicious domains with a lower combined threat and confidence score than the High Risk feed but higher than the Low Risk feed. They could still be used in a malicious act, so we recommend blocking them for most users. It includes Suspicious domains, Suspicious Lookalikes and Suspicious NOED (Newly Observed Emergent Domains) with a medium combined score of threat and confidence levels. |
| Infoblox Low Risk | infoblox-low-risk.rpz.infoblox.local | The Infoblox Low Risk feed includes domains that are not yet confirmed but are still suspicious and could possibly be used in a malicious act. These domains carry a lower combined score of threat and confidence levels. We recommend monitoring them with the Allow-WithLog option for most users and using block mode in sensitive environments. It includes Suspicious domains, Suspicious Lookalikes and Suspicious NOED (Newly Observed Emergent Domains) with a lower combined score of threat and confidence levels. |
| Infoblox Informational | infoblox-informational.rpz.infoblox.local | The Infoblox Informational feed includes domains with low threat and confidence levels, for informational use according to the policy and sensitivity of the environment. This feed carries Newly Observed Emergent Domains (NOED). We recommend monitoring them with the Allow-WithLog option for most users and using block mode in sensitive environments (new domains are for the most part not mission critical, and it is best to allow them once they have been established for a longer time). |


Infoblox Threat Defense Advanced RPZ Feed Mapping (old to new feeds)

| Old Feeds | to | New Feeds |
| --- | --- | --- |
| Suspicious, Suspicious Lookalikes, Suspicious NOED | => | Infoblox High Risk, Infoblox Medium Risk, Infoblox Low Risk |

The Infoblox Threat Defense Advanced subscription contains all feeds included with the Infoblox Essentials and Infoblox Business tier subscriptions in addition to the feeds listed above. Note that NIOS subscribers of an Infoblox Threat Defense Advanced subscription must pay attention to their appliance capacity when selecting RPZ feeds.
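As an added example (not Infoblox's own tooling), the following Python audits a list of currently configured NIOS RPZ zones against the feeds this document lists as deprecated, reports the policy (block vs. log) to replicate on each replacement as the best practices above advise, and flags zones that will hit the post-EOS sync error. It assumes the configuration is available as (zone, policy) pairs, applies only the explicit Advanced mapping above, and uses a constructed sample configuration.

```python
from datetime import date

EOS_DATE = date(2025, 1, 31)  # EOS date given on this page

# Zone names of every feed this page lists as deprecated (core, Extended, Combination).
DEPRECATED = {
    "base.rpz.infoblox.local", "antimalware.rpz.infoblox.local",
    "ransomware.rpz.infoblox.local", "malware-dga.rpz.infoblox.local",
    "antimalware-ip.rpz.infoblox.local", "suspicious.rpz.infoblox.local",
    "suspicious-lookalikes.rpz.infoblox.local",
    "suspicious-noed.rpz.infoblox.local", "noed.rpz.infoblox.local",
    "ext-base-antimalware.rpz.infoblox.local",
    "ext-ransomware.rpz.infoblox.local", "ext-antimalware-ip.rpz.infoblox.local",
} | {f"ib-{lvl}-{act}.rpz.infoblox.local"
     for lvl in ("extreme", "high", "med", "low") for act in ("block", "log")}

# Only mapping stated on the page (Advanced): the three Suspicious feeds -> three risk tiers.
RISK_TIERS = ("infoblox-high-risk.rpz.infoblox.local",
              "infoblox-med-risk.rpz.infoblox.local",
              "infoblox-low-risk.rpz.infoblox.local")
DOCUMENTED = {z: RISK_TIERS for z in (
    "suspicious.rpz.infoblox.local", "suspicious-lookalikes.rpz.infoblox.local",
    "suspicious-noed.rpz.infoblox.local")}


def plan_migration(configured, today):
    """configured: list of (zone, policy) pairs as currently set in NIOS.
    Returns one entry per deprecated zone still configured; 'replacements' is None
    where this page gives no explicit mapping (fill from Infoblox's recommendations)."""
    plan = []
    for zone, policy in configured:
        if zone in DEPRECATED:
            plan.append({"zone": zone,
                         "policy": policy,  # replicate this on the replacement feed
                         "replacements": DOCUMENTED.get(zone),
                         # On/after EOS the zone can no longer sync -> error state.
                         "past_eos": today >= EOS_DATE})
    return plan


def has_sync_risk(configured, today):
    """True if a deprecated feed is still configured on or after its EOS date."""
    return any(p["past_eos"] for p in plan_migration(configured, today))


# Constructed sample of a current NIOS RPZ configuration (not real customer data).
SAMPLE_CONFIG = [
    ("base.rpz.infoblox.local", "block"),
    ("suspicious.rpz.infoblox.local", "log"),
    ("ib-high-block.rpz.infoblox.local", "block"),
    ("infoblox-base.rpz.infoblox.local", "block"),  # already a new feed, untouched
]
```

Running `plan_migration(SAMPLE_CONFIG, date.today())` lists the three deprecated zones with their policies; the Suspicious entry carries the three risk-tier replacements, the others need the mapping from Infoblox's recommendations.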

Removal of NIOS RPZ Feeds to be Deprecated on January 31, 2025

Note: The old feeds are being deprecated on January 31, 2025; however, the new feeds intended as their replacements are being released in April 2024.
