In preparation of the August 2023 feed changes, Infoblox recommends the following rule action changes to your feed policy rules.
Advisory
For information on recommended rule actions to be applied to feeds as replacement to the deprecated SURBL feeds, see Recommended Feed Configuration to Replace the SURBL Feeds.
Alert
New feed recommendations: It is recommended that you do the following regarding the new feeds:
- Add Suspicious Domains with one of the policy actions to Block.
- Add Suspicious Lookalikes with one of the policy actions to Block.
- Add Suspicious NOED with one of the policy actions to Block.
The following table includes the list of feeds that we will be retiring:
Feed | RPZ Name | Retirement Date | Reason |
Bot-IP | bot-ip.rpz.infoblox.local | 4/1/2023 | IP addresses are frequently reused for multiple sites, and blocking the ones associated with such systems ran the high risk of inadvertent blocking (I.E. False Positive). Many indicators here could be blocked in other ways, so the source is blocked in other similar feeds, making this redundant. |
Spambot-IP | spambot-ip.rpz.infoblox.local | 4/1/2023 | |
ExploitKit_IP | exploitkit-ip.rpz.infoblox.local | June 2023 | |
Ext_ExploitKit_IP | ext-exploitkit-ip.rpz.infoblox.local | June 2023 | |
Ext_TOR_Exit_Node_IP | ext-tor-exit-node-ip.rpz.infoblox.local | June 2023 | |
NCCIC_Host | nccic-host.rpz.infoblox.local | June 2023 | The curation process for these feeds (I.E. removing false positives) frequently left these feeds empty. The ones that remained are present in other feeds, making these feeds redundant. |
NCCIC_IP | nccic-ip.rpz.infoblox.local | June 2023 |
As these feeds are being retired, NIOS platforms will no longer be able to download them. This may present itself as a problem with the Zone transfer. To avoid this issue, these feeds should be removed as soon as possible. As they have been empty for a long time, there will be no negative effect on the organization’s security posture. This only affects NIOS platforms using these RPZ feeds, as cloud-based configurations are updated automatically.
For information on adding and removing feeds from a security policy, see the following:
Feed Precedence Order
- When configuring feed precedence order, Please remember to prioritize feeds configured with a Block action (Block - No Redirect, Block - Default Redirect, and/or Block - Redirect - <custom redirect name>) by placing them in positions of higher precedence in your policy compared to feeds configured with an Allow action (Allow - With Log, Allow - No Log, and/or Allow - Local Resolution).Placing Blocked feeds higher in policy precedence order than Allowed feeds ensures that your security policy performs as intended.
- Ensure that you understand the ramification of overriding the default action for any threat feeds and Threat Insight rules before doing so.
The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy available May 2024:
| Feed Name | Default Action | Default Precedence |
|---|---|---|
| Default Allow List | Allow - No Log | 1 |
| Default Bloxk List | Block – No Redirect | 2 |
| Infoblox Base | Block – No Redirect | 3 |
| Infoblox Base IP | Block – No Redirect | 4 |
| Infoblox High Risk | Block – No Redirect | 5 |
| Threat Insight - Zero Day DNS | Block – No Redirect | 6 |
| Infoblox Medium Risk | Block – No Redirect | 7 |
| Threat insight - DGA | Allow – With Log | 8 |
| Threat Insight-Data Exfiltration | Allow – With Log | 9 |
| Threat Insight-Fast Flux | Allow – With Log | 10 |
| Threat Insight-DNS Messenger | Allow – With Log | 11 |
| Infoblox Low Risk | Allow – With Log | 12 |
| Infoblox Informational | Allow – With Log | 13 |
| Threat insight - Notional Data Exfiltration | Allow – With Log | 14 |
The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy (deprecated May 2024):
| Feed Name | Default Action | Default Precedence |
|---|---|---|
| Base Hostnames | Block – No Redirect | 1 |
| AntiMalware | Block – No Redirect | 2 |
| Malware_DGA Hostnames | Block – No Redirect | 3 |
| Ransomware | Block – No Redirect | 4 |
| Public_DOH | Block – No Redirect | 5 |
| Public_DOH_IP | Block – No Redirect | 6 |
| Domain | Allow – With Log | 7 |
| Threat Insight-Data Exfiltration | Allow – With Log | 8 |
| Threat Insight - Notional Data Exfiltration | Allow – With Log | 9 |
| Threat Insight-Fast Flux | Allow – With Log | 10 |
| Threat Insight-DNS Messenger | Allow – With Log | 11 |
| AntiMalware_IP | Allow – With Log | 12 |
| Ext_Base_AntiMalwar | Allow – With Log | 13 |
| Ext_Ransomware | Allow – With Log | 14 |
| Ext_AntiMalware_IP | Allow – With Log | 15 |
| DHS_AIS_Domain | Allow – With Log | 16 |
| CryptoCurrency | Allow – With Log | 17 |
| TOR_Exit_Node_IP | Allow – With Log | 18 |
For information on adding and removing feeds from a security policy, see the following: