Threat Insight - Zero Day DNS Configuration

What is Zero Day DNS?

Zero Day DNS is a detection feature designed to identify domains implicated in threat campaigns immediately after their registration, eliminating the usual aging period. It blocks these indicators at the earliest stage of the threat lifecycle, typically within 1 to 2 minutes of registration.

Infoblox blocks these domains using a short TTL of 48 hours; by the time it expires, the other security systems in place will have had enough information to protect against the domain under existing policy. The default action for Zero Day DNS is Block - No Redirect.

Zero Day DNS is only available to Infoblox Threat Defense Advanced subscribers. The Zero Day DNS feed cannot be enabled on (and thereby does not apply to) On-Prem NIOS.

Adding the Zero Day DNS feed to a Security Policy

To add the Zero Day DNS feed to an existing security policy, do the following:

  1. Log in to the Infoblox Portal.
  2. In the Infoblox Portal, go to Configure > Security > Policies to open the Security Policies tab.
  3. Locate the security policy to which you want to add the feed. Click the expandable menu icon for that policy, then click Edit.

    Image: Click Edit next to the security policy to be added to the feed. 

  4. Click Policy Rules in the left navigation.

    Image: Click Policy Rules in the Edit Policy wizard

  5. Click Add Rule, then Feeds and Threat Insight, to display the list of threat feeds.

    Image: Click Add Rule Feeds and Threat Insight to display the list of threat feeds.  

  6. Locate the Zero Day DNS feed in the Security Note panel. The new Feed and Threat insight entry will be located at or near the bottom of the Policy Rules list.

    Image: Locating the entry in the Security Note panel.

  7. Click Choose a Feeds and Threat Insight. Select the Zero Day DNS feed from among the list of feeds to be added to the security policy. Once the new feed is selected, click Select to confirm the selection of the feed.

    Image: Selecting the Threat insight - Zero Day DNS feed for adding to the security policy. 

  8. Use the Up and Down arrows on the far right of the newly added policy rule to change the order of precedence for the newly added Zero Day DNS feed. Note: The Zero Day DNS feed should be placed in the seventh slot, just below the Ransomware feed. 

    Image: Click the Up and Down arrows to change the newly added Zero Day DNS feed's precedence order.

  9. The Zero Day DNS feed should be placed in the fourth slot, just below the Infoblox Base feed.

    Image: The available feeds, and their order, in the default global policy.

  10. Change the Action that is associated with the newly added policy rule. 

    Image: Selecting the action to be associated with the newly added policy rule. For the Zero Day DNS feed, Infoblox recommends setting the assigned action to Block - No Redirect.

  11. Click Finish to add the feed to your security policy configuration.
  12. Click Save & Close to save the newly updated security policy configuration. 
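The two points a practitioner needs to internalise from this page are that a Zero Day DNS match is time-bounded (the entry stops matching once the 48-hour TTL has elapsed, so the decision falls through to the other rules) and that rules are evaluated in precedence order, first match wins, which is why steps 8 and 9 care about the slot. The following model makes both visible. It is an added teaching example, not Infoblox code and not how the product is implemented: the 48-hour TTL, the Block - No Redirect action and the feed names Infoblox Base and Zero Day DNS come from the page; the data structures, the first-match evaluation, the custom allow list, the NXDOMAIN mapping and every sample domain are constructed for illustration.

```python
"""Illustrative model of an ordered DNS security policy with a short-lived
Zero Day DNS block. Added example, not Infoblox code: TTL, action name and
feed names follow the page; everything else here is a constructed assumption."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

ZERO_DAY_TTL = timedelta(hours=48)  # page: Zero Day DNS entries are blocked for 48 h


def _suffixes(name: str) -> List[str]:
    """'www.example.test' -> ['www.example.test', 'example.test'] (TLD alone excluded)."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


@dataclass
class ZeroDayFeed:
    """Newly registered domains, keyed by name, with the time each was added."""
    entries: Dict[str, datetime] = field(default_factory=dict)

    def add(self, domain: str, added_at: datetime) -> None:
        self.entries[domain.lower().rstrip(".")] = added_at

    def matches(self, qname: str, now: datetime) -> bool:
        # Match the queried name or any parent label, but only while the entry
        # is younger than the TTL; after that it expires and stops matching.
        for candidate in _suffixes(qname):
            added = self.entries.get(candidate)
            if added is not None and timedelta(0) <= now - added < ZERO_DAY_TTL:
                return True
        return False


@dataclass
class Rule:
    name: str
    action: str  # "Allow", "Block - No Redirect" or "Block - Redirect"
    matches: Callable[[str, datetime], bool]


def static_list(domains: List[str]) -> Callable[[str, datetime], bool]:
    """Time-independent matcher for a fixed set of domains and their subdomains."""
    wanted = {d.lower().rstrip(".") for d in domains}
    return lambda qname, now: any(s in wanted for s in _suffixes(qname))


def evaluate(rules: List[Rule], qname: str, now: datetime) -> Tuple[Optional[str], str]:
    """First matching rule wins, which is why precedence order matters.
    Returns (rule name, action); no match means the query is allowed."""
    for rule in rules:
        if rule.matches(qname, now):
            return rule.name, rule.action
    return None, "Allow"


def dns_response(action: str, qname: str) -> Dict[str, str]:
    """Translate a policy action into what the resolver answers the client."""
    if action == "Block - No Redirect":
        return {"qname": qname, "rcode": "NXDOMAIN"}  # no sinkhole address is exposed
    if action == "Block - Redirect":
        return {"qname": qname, "rcode": "NOERROR", "answer": "198.51.100.10"}  # constructed sinkhole
    return {"qname": qname, "rcode": "NOERROR", "answer": "resolve normally"}


def build_policy(feed: ZeroDayFeed) -> List[Rule]:
    """Constructed policy; the slot guidance on the page applies to the real
    portal, here the order only demonstrates first-match semantics."""
    return [
        Rule("Custom Allow List", "Allow", static_list(["corp.example"])),
        Rule("Infoblox Base", "Block - No Redirect", static_list(["known-bad.test"])),
        Rule("Zero Day DNS", "Block - No Redirect", feed.matches),
    ]


def scenario() -> Dict[str, Tuple[Optional[str], str, str]]:
    """Walk constructed queries through the policy at different instants."""
    registered = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    feed = ZeroDayFeed()
    feed.add("freshly-made.test", registered)  # constructed newly registered domain
    policy = build_policy(feed)
    results = {}
    for label, qname, delta in [
        ("zero_day_1min", "cdn.freshly-made.test", timedelta(minutes=1)),
        ("zero_day_expired", "cdn.freshly-made.test", timedelta(hours=49)),
        ("allow_list_wins", "portal.corp.example", timedelta(minutes=1)),
        ("base_feed", "known-bad.test", timedelta(minutes=1)),
    ]:
        rule, action = evaluate(policy, qname, registered + delta)
        results[label] = (rule, action, dns_response(action, qname)["rcode"])
    return results


if __name__ == "__main__":
    for label, outcome in scenario().items():
        print(f"{label:>17}: rule={outcome[0]!r} action={outcome[1]!r} rcode={outcome[2]}")
```

Running it shows the same name answered NXDOMAIN one minute after registration and resolved normally 49 hours later, once the Zero Day DNS entry has aged out and nothing else in the policy matches. Moving the Zero Day DNS rule above the allow list in `build_policy` would block `portal.corp.example` if it were ever newly registered, which is the kind of consequence to weigh when choosing the slot in step 8.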