Recommended Rule Actions in Preparation of the August 2023 Feed Changes
- Gary Leicht
In preparation of the August 2023 feed changes, Infoblox recommends the following rule action changes to your feed policy rules.
Feed Precedence Order
- When configuring feed precedence order, Please remember to prioritize feeds configured with a Block action (Block - No Redirect, Block - Default Redirect, and/or Block - Redirect - <custom redirect name>) by placing them in positions of higher precedence in your policy compared to feeds configured with an Allow action (Allow - With Log, Allow - No Log, and/or Allow - Local Resolution).Placing Blocked feeds higher in policy precedence order than Allowed feeds ensures that your security policy performs as intended.
- Ensure that you understand the ramification of overriding the default action for any threat feeds and Threat Insight rules before doing so.
The recommended rule actions are for reference only. They represent the results of lab testing in a controlled environment focused on individual protocol services. Enabling additional protocols, services, cache hit ratio for recursive DNS, and customer environment variables will affect performance. To design and size a solution for a production environment, please contact your Infoblox Solution Architect.
The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy available May 2024:
| Feed Name | Default Action | Default Precedence |
|---|---|---|
| Default Allow List | Allow - No Log | 1 |
| Default Bloxk List | Block – No Redirect | 2 |
| Infoblox Base | Block – No Redirect | 3 |
| Infoblox Base IP | Block – No Redirect | 4 |
| Infoblox High Risk | Block – No Redirect | 5 |
| Threat Insight - Zero Day DNS | Block – No Redirect | 6 |
| Infoblox Medium Risk | Block – No Redirect | 7 |
| Threat insight - DGA | Allow – With Log | 8 |
| Threat Insight-Data Exfiltration | Allow – With Log | 9 |
| Threat Insight-DNS Messenger | Allow – With Log | 10 |
| Infoblox Low Risk | Allow – With Log | 11 |
| Infoblox Informational | Allow – With Log | 12 |
| Threat insight - Notional Data Exfiltration | Allow – With Log | 13 |
The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy (to be supported until December 2024 and deprecated after December 2024):
| Feed Name | Default Action | Default Precedence |
|---|---|---|
| Base Hostnames | Block – No Redirect | 1 |
| AntiMalware | Block – No Redirect | 2 |
| Malware_DGA Hostnames | Block – No Redirect | 3 |
| Ransomware | Block – No Redirect | 4 |
| Public_DOH | Block – No Redirect | 5 |
| Public_DOH_IP | Block – No Redirect | 6 |
| Domain | Allow – With Log | 7 |
| Threat Insight-Data Exfiltration | Allow – With Log | 8 |
| Threat Insight - Notional Data Exfiltration | Allow – With Log | 9 |
| Threat Insight-DNS Messenger | Allow – With Log | 10 |
| AntiMalware_IP | Allow – With Log | 11 |
| Ext_Base_AntiMalwar | Allow – With Log | 12 |
| Ext_Ransomware | Allow – With Log | 13 |
| Ext_AntiMalware_IP | Allow – With Log | 14 |
| DHS_AIS_Domain | Allow – With Log | 15 |
| CryptoCurrency | Allow – With Log | 16 |
| TOR_Exit_Node_IP | Allow – With Log | 17 |
For information on adding and removing feeds from a security policy, see the following: