
Custom Lists

In addition to the predefined threat intelligence feeds that your subscription offers, you can create custom lists (containing domains and IP addresses) to define allow lists and block lists for additional protection. You can use a custom list to complement existing feeds or override the Block, Allow, Log, or Redirect action that is currently defined for an existing feed. The default custom list configurations include Default Allow (Allow - No Log) and Default Block (Block - No Redirect).

Image: A detailed view of the Feeds and Threat Insight rule panel showing the default allow and block options.  

The default custom lists are included in the default policy and allow the editing of domains, IP addresses, and tags. You can edit or modify the default custom lists per your organization's requirements. Note: Neither the Name field nor the Description field is editable. For information on editing custom lists, see Editing Custom Lists. 

Default Custom Lists

  • Default Allow: The default allow list is added with the "Allow - No Log" action by default in the Default Global Policy. You can change the configuration to any Allow-related action, such as "Allow - With Log", which still allows the query but also records it in the security logs (the default "Allow - No Log" allows without logging). 

    Image: A detailed view of the Feeds and Threat Insight rule panel showing the Default Allow options.

  • Default Block: The default block list is added with the "Block - No Redirect" action by default in the Default Global Policy. You can change the configuration to any Block-related action, such as Block - No Redirect, Block - Default Redirect, or Block - Custom Redirect. 

    Image: A detailed view of the Feeds and Threat Insight rule panel showing the Default Block options.

You can add a custom list to multiple security policies or multiple custom lists to one security policy based on your business needs. When you assign multiple custom lists that contain the same domain name(s) but with different actions to the same security policy, Infoblox Platform applies the action with the highest precedence, in the following order (an entry in an allow list therefore overrides a block of the same domain in any other custom list in that policy, so keep allow lists narrow):

  1. Allow (= Allow but no log)
  2. Redirect
  3. Block
  4. Log (= Allow and log)
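The following Python example, added here and not part of the Infoblox product or its documentation, resolves the effective action for a query target across several custom lists assigned to one policy, using the precedence order listed above (Allow - No Log, then Redirect, then Block, then Allow - With Log). The list names, entries, and the assumption that domain entries are matched exactly (subdomain handling is not covered on this page) are constructed for illustration; entries may be FQDNs, IPv4 or IPv6 addresses, or CIDR blocks, as the page describes.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Action precedence as documented on this page: lower index wins.
# "Allow" means Allow - No Log; "Log" means Allow - With Log.
PRECEDENCE = ["Allow", "Redirect", "Block", "Log"]

# Hypothetical custom lists assigned to one security policy
# (constructed sample data; names and entries are assumptions).
# Each list carries one action and a set of entries: FQDN, IP, or CIDR.
CUSTOM_LISTS: Dict[str, Tuple[str, List[str]]] = {
    "Default Allow": ("Allow", ["sso.example.com", "2001:db8::10"]),
    "Partner Block": ("Block", ["sso.example.com", "203.0.113.0/24", "2001:db8::/32"]),
    "Audit Log": ("Log", ["tracker.example.net", "203.0.113.7"]),
    "Redirect Suspects": ("Redirect", ["tracker.example.net"]),
}


def _entry_matches(entry: str, target: str) -> bool:
    """Return True if one list entry covers the query target.

    IP and CIDR entries are compared by address family and prefix (a bare
    address is treated as a /32 or /128).  Anything that is not an address
    is treated as a domain name and compared exactly, ignoring case and a
    trailing dot.  Subdomain matching is deliberately not assumed here.
    """
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return entry.rstrip(".").lower() == target.rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False  # domain target cannot match an IP/CIDR entry
    return addr in net  # False when the address families differ


def effective_action(
    target: str, lists: Dict[str, Tuple[str, List[str]]] = CUSTOM_LISTS
) -> Tuple[Optional[str], List[str]]:
    """Resolve the action the policy applies to target across all its lists.

    Returns (winning action, sorted names of every list that matched).
    When no custom list matches, the action is None and the policy falls
    through to its feeds and default action.
    """
    matched: Dict[str, List[str]] = {}
    for name, (action, entries) in lists.items():
        if any(_entry_matches(e, target) for e in entries):
            matched.setdefault(action, []).append(name)
    for action in PRECEDENCE:
        if action in matched:
            hits = sorted(n for names in matched.values() for n in names)
            return action, hits
    return None, []


if __name__ == "__main__":
    for t in ["sso.example.com", "2001:db8::10", "2001:db8::1",
              "203.0.113.7", "tracker.example.net", "unknown.example.org"]:
        action, hits = effective_action(t)
        print(f"{t:24} -> {action!s:9} matched by {hits}")
```

Note how sso.example.com and 2001:db8::10 are allowed even though Partner Block also lists them: the allow list wins by precedence, which is exactly the bypass the Rapid Domain Triage description relies on, and exactly why the Default Allow list deserves the same review as a firewall exception.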

Infoblox Platform automatically creates the following default Threat Insight lists. If you are concerned about DNS data exfiltration through DNS tunneling, DNSMessenger, Fast Flux, and DGA (including Dictionary DGA), you can add any or all of these lists to a security policy as an allow list or block list. Note that you cannot modify or delete these default lists.

  • Threat Insight – Data Exfiltration: The default action for this list is Log. This list helps minimize the risk of DNS data exfiltration carried out against your networks through DNS tunneling.
  • Threat Insight - Notional Data Exfiltration: This list is part of the default feed and is listed below Threat Insight - Data Exfiltration. For existing customers, it is enabled automatically and displayed below Threat Insight - Data Exfiltration if that list is already enabled in an existing policy. This list includes low-confidence DNS tunnel detections. The default action for this list is Allow - With Log. Ideally, only high-confidence DNS tunnel detections, which are listed in the existing Threat Insight - Data Exfiltration list, should be of interest and blocked. However, there are cases where you may want to be informed of even lower-confidence tunnels in your network, and this list addresses those cases. These are only suggestions of tunnel activity (hence, Notional) and are not confident enough to be added to the original Threat Insight - Data Exfiltration list. You can change the default action of this Notional list to Block based on your organization's sensitivity to these low-confidence DNS tunnels.


Image: A detailed view of the Feeds and Threat Insight rule panel showing the Notional Data Exfiltration action options.

  • Threat Insight – DNS Messenger: The default action for this list is Log. This list helps minimize the risk of malicious activity carried out against your networks through the DNSMessenger malware, a Remote Access Trojan (RAT) that attackers use to run malicious PowerShell commands on compromised devices. 
  • Threat Insight – Rapid Domain Triage: Rapid Domain Triage detects new domains observed in customer traffic to protect customers from possible targeted or spear-phishing attacks. It follows a low-regret model and blocks the domain for a short TTL of 48 hours. The domain is released after 48 hours, by which time other security systems in place should have enough information about this new domain to protect per policy. The default recommended action for this Threat Insight list is Block - No Redirect. The intent of this detection is to provide very near real-time protection against new domains used quickly in an attack sequence (it can detect and block within 1 to 2 minutes of first use). Often these new domains are not mission critical, so following the low-regret model it is best to have this protection in place. If for any reason a detected domain is known, verified, and needed, you can add it to the Default Allow list to bypass the detection.
  • Threat Insight – Fast Flux: The default action for this list is Log. This list helps minimize the risk of malicious activity carried out against your networks using the Fast Flux technique. Fast Flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind a network of compromised hosts acting as proxies. It can also be a combination of peer-to-peer networking, distributed command and control, web-based load balancing, and proxy redirection used to make malware networks more resistant to discovery.
  • Threat Insight – DGA: The default action for this list is Log. This list helps minimize the risk of malicious activity carried out against your networks using Domain Generation Algorithms (DGA). A DGA is a scheme used by malware for domain fluxing by generating variations of a given domain name. DGAs can create a large number of domain names used as rendezvous points with command and control servers, in an attempt to evade detection by signature filters, block lists, reputation systems, security gateways, intrusion prevention systems, and other security controls.
  • Threat Insight - Zero Day DNS: The default action for Zero Day DNS is Block - No Redirect. This list features real-time streaming detection. It is designed to identify domains implicated in threat campaigns immediately after their registration, eliminating the aging period. It blocks threat indicators in the initial stage of the threat lifecycle, specifically within 1 to 2 minutes following their registration. This proactive approach protects users against threats even before the threat campaign begins. Infoblox blocks these domains using a short TTL of 48 hours, by which time other security systems in place will have enough information to protect per the existing policy. 

Custom List Support for IPv6 Addresses

IPv6 addresses are supported in custom lists. IPv6 addresses can be added to a custom list in a similar manner as adding an IPv4 address, a fully qualified domain name (FQDN), or a CIDR. For information on creating custom lists, see Creating Custom Lists.

A custom list containing IPv6 addresses can be added to a security policy in the same manner as when adding other custom lists to a security policy. For information on adding a custom list to a security policy, see Creating Security Policies.

IPv6 addresses added to a custom list and then added to a security policy can be viewed in the Device IP column of the Security Events sub-report of the Security Activity report (Infoblox Portal > Monitor > Reports > Security Activity > Security Events).


For more information on custom lists, see the following:


Note

You must add the custom list to the security policy as an allow list or block list in order for the custom list to take effect.