
In preparation for the August 2023 feed changes, Infoblox recommends the following rule action changes to your feed policy rules.

Note (Advisory)

For information on the recommended rule actions to apply to feeds in place of the deprecated SURBL feeds, see Recommended Feed Configuration to Replace the SURBL Feeds.

...

Note (Alert)

New feed recommendations: it is recommended that you do the following regarding the new feeds:

  • Add Suspicious Domains with one of the Block policy actions.
  • Add Suspicious Lookalikes with one of the Block policy actions.
  • Add Suspicious NOED with one of the Block policy actions.

The following table lists the feeds that we will be retiring (cells shown as "..." were elided in this page comparison):

Feed                   RPZ Name                                   Retirement Date   Reason
Bot-IP                 bot-ip.rpz.infoblox.local                  4/1/2023          [1]
Spambot-IP             spambot-ip.rpz.infoblox.local              4/1/2023          ...
ExploitKit_IP          exploitkit-ip.rpz.infoblox.local           June 2023         ...
Ext_ExploitKit_IP      ext-exploitkit-ip.rpz.infoblox.local       June 2023         ...
Ext_TOR_Exit_Node_IP   ext-tor-exit-node-ip.rpz.infoblox.local    June 2023         ...
NCCIC_Host             nccic-host.rpz.infoblox.local              June 2023         [2]
NCCIC_IP               nccic-ip.rpz.infoblox.local                June 2023         ...

[1] IP addresses are frequently reused for multiple sites, and blocking the ones associated with such systems ran a high risk of inadvertent blocking (i.e., false positives). Many indicators here could be blocked in other ways, so the source is blocked in other similar feeds, making this feed redundant.

[2] The curation process for these feeds (i.e., removing false positives) frequently left them empty. The indicators that remained are present in other feeds, making these feeds redundant.
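Resolvers that consume these feeds as RPZ zones (for example a BIND-style recursive resolver with a response-policy statement) will keep referencing a retired zone until someone removes it. The script below is an added example, not Infoblox tooling: it parses a response-policy block, cross-references the zone names against the retirement table on this page, and reports what to remove. The named.conf fragment is constructed for the example, and the non-retired zone names in it (base, antimalware) are assumptions about how a deployment might name its zones.

```python
"""Added example (not Infoblox's own tooling): flag retired Infoblox RPZ
feeds that are still referenced in a BIND-style `response-policy` block.
The retirement list is the one on this page; the named.conf fragment is
constructed for the example and its other zone names are assumptions."""
import re

# Retirement table from this page: RPZ zone name -> retirement date (as printed).
RETIRED_RPZ = {
    "bot-ip.rpz.infoblox.local": "4/1/2023",
    "spambot-ip.rpz.infoblox.local": "4/1/2023",
    "exploitkit-ip.rpz.infoblox.local": "June 2023",
    "ext-exploitkit-ip.rpz.infoblox.local": "June 2023",
    "ext-tor-exit-node-ip.rpz.infoblox.local": "June 2023",
    "nccic-host.rpz.infoblox.local": "June 2023",
    "nccic-ip.rpz.infoblox.local": "June 2023",
}

# Constructed sample configuration (not from a real deployment). Zone names are
# matched case-insensitively because DNS names are; BIND consults the zones in
# the order they are listed, so position matters here as it does for feed
# precedence in a BloxOne policy.
SAMPLE_NAMED_CONF = """
options {
    recursion yes;
    response-policy {
        zone "base.rpz.infoblox.local" policy given;
        zone "bot-ip.rpz.infoblox.local" policy nxdomain;
        zone "antimalware.rpz.infoblox.local";
        zone "NCCIC-Host.rpz.infoblox.local" policy passthru;
    } break-dnssec yes;
};
"""

# One `zone "<name>" <optional per-zone options>;` entry inside the block.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*([^;]*);')


def response_policy_zones(named_conf: str):
    """Return (zone_name, per-zone options) pairs in the listed (precedence) order.

    Only the body of the response-policy statement is searched, so `zone`
    statements elsewhere in named.conf (authoritative zones) are ignored.
    """
    block = re.search(r"response-policy\s*\{(.*?)\}", named_conf, re.S)
    if not block:
        return []
    return [(name.lower().rstrip("."), opts.strip())
            for name, opts in ZONE_RE.findall(block.group(1))]


def retired_zones_in_use(named_conf: str):
    """Map each referenced retired RPZ zone to its retirement date."""
    return {zone: RETIRED_RPZ[zone]
            for zone, _ in response_policy_zones(named_conf)
            if zone in RETIRED_RPZ}


def report(named_conf: str) -> str:
    """Human-readable remediation list for the resolver operator."""
    hits = retired_zones_in_use(named_conf)
    if not hits:
        return "no retired RPZ feeds referenced"
    return "\n".join(
        f"{zone}: retired {when}; remove the zone and confirm the indicators "
        f"you relied on are covered by a feed that remains"
        for zone, when in hits.items())


if __name__ == "__main__":
    print(report(SAMPLE_NAMED_CONF))
```

Run it against a real named.conf by passing the file contents to report(). A retired zone that is still listed is not a security failure by itself (the zone simply stops receiving updates), but a stale allow or passthru entry in it can keep overriding the feeds that replaced it, which is the reason to remove retired zones promptly rather than let them age out.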

...

For information on adding and removing feeds from a security policy, see the following: 

...

  • Removing Feeds from a Security Policy

  • Note: Feed Precedence Order
    • When configuring feed precedence order, remember to prioritize feeds configured with a Block action (Block - No Redirect, Block - Default Redirect, and/or Block - Redirect - <custom redirect name>) by placing them at a higher precedence in your policy than feeds configured with an Allow action (Allow - With Log, Allow - No Log, and/or Allow - Local Resolution). Rules are evaluated in precedence order and the first rule that matches a query decides its action, so an Allow feed placed above a Block feed lets through any domain that both feeds list. Placing Block feeds higher in the policy precedence order than Allow feeds ensures that your security policy performs as intended.
    • Ensure that you understand the ramifications of overriding the default action for any threat feed or Threat Insight rule before doing so.


    Info

    The recommended rule actions are for reference only. They represent the results of lab testing in a controlled environment focused on individual protocol services. Enabling additional protocols, services, cache hit ratio for recursive DNS, and customer environment variables will affect performance. To design and size a solution for a production environment, please contact your Infoblox Solution Architect.


    The following table lists the default actions and precedence for the feeds and Threat Insight rules in the Default Global Policy available May 2024:

    Feed Name                                      Default Action         Default Precedence
    Default Allow List                             Allow - No Log         1
    Default Block List                             Block - No Redirect    2
    Infoblox Base                                  Block - No Redirect    3
    Infoblox Base IP                               Block - No Redirect    4
    Infoblox High Risk                             Block - No Redirect    5
    Threat Insight - Zero Day DNS                  Block - No Redirect    6
    Infoblox Medium Risk                           Block - No Redirect    7
    Threat Insight - DGA                           Allow - With Log       8
    Threat Insight - Data Exfiltration             Allow - With Log       9
    Threat Insight - DNS Messenger                 Allow - With Log       10
    Infoblox Low Risk                              Allow - With Log       11
    Infoblox Informational                         Allow - With Log       12
    Threat Insight - Notional Data Exfiltration    Allow - With Log       13
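The table above and the Feed Precedence Order note are easiest to reason about as a first-match rule list. The following is an added example, not Infoblox code: it encodes the May 2024 Default Global Policy from the table, evaluates a query name against it in precedence order, checks the "Block before Allow" ordering rule, and shows what changes when an Allow feed is moved above a Block feed. Which domains each feed lists is constructed for the demo and is not real feed content; treating the Default Allow List (the customer's own exemptions, deliberately at precedence 1) as the one permitted Allow-above-Block entry is this example's reading of the table, not a statement from the page.

```python
"""Added example (not Infoblox code): first-match simulation of a BloxOne-style
security policy built from the May 2024 Default Global Policy table on this
page. Feed membership below is constructed for the demo and is not real data."""

BLOCK_ACTIONS = {"Block - No Redirect", "Block - Default Redirect"}
ALLOW_ACTIONS = {"Allow - No Log", "Allow - With Log", "Allow - Local Resolution"}

# (feed name, default action), listed in default precedence order (1..13).
DEFAULT_GLOBAL_POLICY = [
    ("Default Allow List", "Allow - No Log"),
    ("Default Block List", "Block - No Redirect"),
    ("Infoblox Base", "Block - No Redirect"),
    ("Infoblox Base IP", "Block - No Redirect"),
    ("Infoblox High Risk", "Block - No Redirect"),
    ("Threat Insight - Zero Day DNS", "Block - No Redirect"),
    ("Infoblox Medium Risk", "Block - No Redirect"),
    ("Threat Insight - DGA", "Allow - With Log"),
    ("Threat Insight - Data Exfiltration", "Allow - With Log"),
    ("Threat Insight - DNS Messenger", "Allow - With Log"),
    ("Infoblox Low Risk", "Allow - With Log"),
    ("Infoblox Informational", "Allow - With Log"),
    ("Threat Insight - Notional Data Exfiltration", "Allow - With Log"),
]

# Constructed membership (assumption for the demo, not real feed content).
# c2.example.net is deliberately listed by both a Block feed and an Allow feed
# so that the effect of ordering is visible.
FEED_MEMBERS = {
    "Default Allow List": {"partner.example.com"},
    "Infoblox High Risk": {"c2.example.net", "partner.example.com"},
    "Infoblox Low Risk": {"tracker.example.org", "c2.example.net"},
}


def first_match(policy, qname):
    """Walk the rules in precedence order; the first feed listing qname decides.

    Returns (feed, action). With no match the query resolves normally, which is
    represented here as (None, "Allow - No Log").
    """
    for feed, action in policy:
        if qname in FEED_MEMBERS.get(feed, set()):
            return feed, action
    return None, "Allow - No Log"


def precedence_violations(policy, exempt=("Default Allow List",)):
    """Return Allow-action feeds that sit above at least one Block-action feed.

    `exempt` names feeds that are allowed to precede blocks; the Default Allow
    List is assumed to be the intended local-exemption list at precedence 1.
    """
    violations = []
    for i, (feed, action) in enumerate(policy):
        if action in ALLOW_ACTIONS and feed not in exempt:
            if any(a in BLOCK_ACTIONS for _, a in policy[i + 1:]):
                violations.append(feed)
    return violations


def move_rule(policy, feed, new_index):
    """Copy of `policy` with `feed` moved to 0-based position `new_index`."""
    rule = next(r for r in policy if r[0] == feed)
    rules = [r for r in policy if r[0] != feed]
    rules.insert(new_index, rule)
    return rules


if __name__ == "__main__":
    for q in ("c2.example.net", "partner.example.com", "tracker.example.org", "clean.example"):
        print(q, "->", first_match(DEFAULT_GLOBAL_POLICY, q))
    print("violations in default policy:", precedence_violations(DEFAULT_GLOBAL_POLICY))

    # Misconfiguration: Infoblox Low Risk (Allow - With Log) moved to precedence 2.
    bad = move_rule(DEFAULT_GLOBAL_POLICY, "Infoblox Low Risk", 1)
    print("violations after the move:", precedence_violations(bad))
    print("c2.example.net under the bad order ->", first_match(bad, "c2.example.net"))
```

In the default order c2.example.net hits Infoblox High Risk first and is blocked; after Infoblox Low Risk is moved to precedence 2, the same name matches the Allow - With Log rule first and resolves, which is exactly the failure the precedence note warns about. Run precedence_violations() over your own policy (as exported from the portal or API) whenever the rule order is edited.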



    The following table lists the default actions and precedence for the feeds and Threat Insight rules in the Default Global Policy that is supported until December 2024 and deprecated after that. Where the precedence column shows two values, the two compared versions of this page number the row differently: the first value is the numbering that includes the Fast Flux row, the second is the numbering without it.

    Feed Name                                      Default Action         Default Precedence
    Base Hostnames                                 Block - No Redirect    1
    AntiMalware                                    Block - No Redirect    2
    Malware_DGA Hostnames                          Block - No Redirect    3
    Ransomware                                     Block - No Redirect    4
    Public_DOH                                     Block - No Redirect    5
    Public_DOH_IP                                  Block - No Redirect    6
    Domain                                         Allow - With Log       7
    Threat Insight - Data Exfiltration             Allow - With Log       8
    Threat Insight - Notional Data Exfiltration    Allow - With Log       9
    Threat Insight - Fast Flux                     Allow - With Log       10
    Threat Insight - DNS Messenger                 Allow - With Log       11 / 10
    AntiMalware_IP                                 Allow - With Log       12 / 11
    Ext_Base_AntiMalware                           Allow - With Log       13 / 12
    Ext_Ransomware                                 Allow - With Log       14 / 13
    Ext_AntiMalware_IP                             Allow - With Log       15 / 14
    DHS_AIS_Domain                                 Allow - With Log       16 / 15
    CryptoCurrency                                 Allow - With Log       17 / 16
    TOR_Exit_Node_IP                               Allow - With Log       18 / 17

