Feed Revamp for NIOS

NIOS RPZ feed recommendations to use after the feed revamp

This document provides NIOS RPZ feed recommendations, describes the release of new threat feeds in April 2024, and gives best practices for transitioning to the new threat feeds.

  • Infoblox offers a set of new RPZ feeds — Infoblox Base, High Risk, Medium Risk, Low Risk, and Informational — designed to replace the deprecated ones.

  • The old RPZ feeds will be deprecated, while the new replacements will be released in April 2024.

  • Infoblox recommends switching to the new threat feeds in April 2024, for continued comprehensive threat protection.

  • Best practices involve removing to-be-deprecated feeds and replacing them with recommended feeds from Infoblox. This overlapping period of time between the release of the new feeds and the deprecation of the old feeds should allow sufficient time to transition to the new threat feeds.


To download the video, click NIOS_RPZ_Feed_Migration.mp4.

As part of Infoblox’s mission to improve the quality and value of the Infoblox Threat Defense product line, we are simplifying threat feeds for easy and correct security policy action.

We are also upgrading our security feed structure to simplify the policy action on those feeds and to enable the right security posture. Beyond high-quality feeds, it is equally important to have the right policy action in place so that those detections block threats and protect users. With the new structure, each feed's name reflects the severity of the indicators it carries, based on the threat and confidence scores of the indicators; therefore, it is easy and intuitive to apply the right action for each feed.

General Availability: End of April, 2024.

Earlier, when a malicious domain's TTL expired, the domain was added to the corresponding Extended feed, extending its lifetime. We updated that logic to verify the validity of the domain on expiry.

This guide aims to facilitate the transition from the soon-to-be deprecated Infoblox Threat Defense feeds, which are to be integrated into NIOS Response Policy Zones (RPZs). Infoblox recommends that NIOS users currently relying on the soon-to-be-deprecated feeds switch to the new feeds as they become available in April 2024, to ensure continued comprehensive threat protection.

Best Practices

Infoblox recommends the following as best practices for customers currently using the feeds to be deprecated:

  • Remove all to-be-deprecated feeds from NIOS RPZ and replace the deprecated feeds with the recommendations provided by Infoblox. NIOS will no longer be able to sync the to-be-deprecated feeds from the Infoblox Portal, and this will lead to an error state.

  • When replacing feeds with the recommendations below, consider policy settings, such as logging vs. blocking, of currently used feeds and replicate them for the replacements.

RPZ Feeds Scheduled for Deprecation

The following feeds are being deprecated. In their place, Infoblox offers a set of new RPZ feeds designed to replace the deprecated feeds. 

Deprecated RPZ Feeds

Deprecated RPZ Feed Name



Base Hostnames


Enables protection against known hostnames that are dangerous as destinations, such as APT, Bot, Compromised Host/Domains, Exploit Kits, Malicious Name Servers, and Sinkholes.



Enables protection against known malicious hostname threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active phishing sites.



Enables protection against ransomware taking over your system. Ransomware will encrypt files on your system and require you to pay in order to get them decrypted. This feed prevents ransomware from contacting the servers, which it must do to encrypt your files.

Malware DGA Hostnames


Domain generation algorithms (DGAs) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers. Examples are Ramnit, Conficker, and Banjori.

Antimalware IP


Enables protection against known malicious or compromised IP addresses. These are known to host threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites.




The Suspicious Domains feed enables protection against hostnames that have not been directly linked to malicious behavior but behave in a manner that suggests malicious behavior may be imminent.

Suspicious Lookalike


The Suspicious Lookalikes feed includes domains that appear to impersonate other trusted domains but have demonstrated enough abnormal behavior to warrant concern.

Suspicious NOED


The Suspicious Emergent Domains feed includes high-risk, new domains. These domains have only recently become active and warrant concern because they share one or more characteristics with other known malicious domains.

Newly Observed Emergent Domains


The NOED feed includes recently created and newly active domain names. These are not necessarily suspicious, but some organizations may wish to log traffic going to these domains as there is a low likelihood that these domains would be visited normally.

Deprecation of the Extended RPZ Feeds

With the deprecation of the old RPZ feeds and the release of the new RPZ feeds, Infoblox will also be deprecating the extended feeds listed below. Earlier, when a malicious domain's TTL expired, the domain was added to the corresponding Extended feed, extending its lifetime. We updated that logic to verify the validity of the domain on expiry: the domain is added to the same feed if it is still valid (as opposed to a separate Extended feed). As a result, the extended feeds have been carrying zero indicators lately, and we can effectively deprecate the following extended feeds:

Deprecated Extended RPZ Feed

Deprecated Extended RPZ Feed’s Name


Extended Base & anti-malware Hostnames


Extended Ransomware


Extended AntiMalware IPs


We also do not see much value in having a separate feed for Spam IPs. IPs can be reassigned, which results in false positives. Confirmed IPs that are part of malicious infrastructure are already part of the Critical IP feeds that we monitor and update. The spambot IP feed has had 0 indicators for a while now; therefore, we can effectively deprecate this feed.

  • Spambot IPs DNSBL (spambot-dnsbl-ip.rpz.infoblox.local)

Deprecation of the Combination RPZ Feeds

Given that we have consolidated and simplified the core feed structure, there is no need for the Combination feeds. Combination feeds were introduced to provide the ability to abstract the details of individual feeds and create a wrapper for extreme, high, medium, and low risk. The consolidated and simplified new core feeds provide that in the feed itself, and the name of the core feeds reflects the risk level. For those reasons, we deprecated the following Combination feeds:

Deprecated Combination RPZ Feed

Deprecated Combination RPZ Feed’s Name


Extreme Block


Extreme Log


High Block


High Log


Med Block


Med Log


Low Block


Low Log


Availability of New NIOS RPZ Feeds (April 2024)

The following NIOS RPZ feeds are available based on your subscription level:

Feed Availability


Feed Name


Business On-Prem


Infoblox Base

Infoblox Base IP


Infoblox High Risk



Infoblox Medium Risk



Infoblox Low Risk



Infoblox Informational


Feed’s Name

RPZ Feed’s Name


Infoblox Base 


Infoblox Base feed enables protection against known malicious or compromised domains, such as known malware, ransomware, APTs, exploit kits, malicious name servers, and sinkholes. We recommend blocking them for all users.

Infoblox Base IP


Infoblox Base IP feed enables protection against known malicious or compromised IP addresses. These IPs are known infrastructure for hosting threats that can act on or control a system by way of C&C, malware downloads, and active phishing sites. We recommend blocking them for all users.

Infoblox High Risk


Infoblox High Risk feed includes domains that are not confirmed yet but are highly suspicious. They are very likely to be used in a malicious act at some point. These domains, though unconfirmed, carry high threat and high confidence, so we recommend blocking them for most users. They include suspicious domains, suspicious lookalikes, and suspicious NOED (Newly Observed Emergent Domains) with a high combined score of threat and confidence levels.

Infoblox Medium Risk


Infoblox Medium Risk feed includes domains that are not confirmed yet but still pose medium risk. They are suspicious domains with a combined score of threat and confidence levels lower than those of domains in the High Risk feed but higher than those of domains in the Low Risk feed. They could still be used in a malicious act, so we recommend blocking them for most users. The feed includes Suspicious domains, Suspicious Lookalikes, and Suspicious NOED (Newly Observed Emergent Domains) with medium combined score of threat and confidence levels.

Infoblox Low Risk



Infoblox Low Risk feed includes domains that are not confirmed yet but are still suspicious. It is possible the domains can be used in a malicious act. These domains carry a lower combined score of threat and confidence levels. We recommend monitoring of this feed with the Allow-WithLog option, for most users, and having it in block mode for sensitive environments. The feed includes Suspicious domains, Suspicious Lookalikes, and Suspicious NOED (Newly Observed Emergent Domains) with a lower combined score of threat and low confidence levels.

Infoblox Informational


Infoblox Informational feed includes domains with low threat and confidence levels. These are for informational use per policy and sensitivity of the environment. The feed carries Newly Observed Emergent Domains (NOED). We recommend monitoring it with the Allow-WithLog option, for most users, and having it in block mode for sensitive environments: New domains are not mission critical, for the most part, and it is best that you enable them when they are established for a longer time.

Recommended Replacement Feed Mapping for NIOS (based on the subscription level)

The following are the recommended NIOS feed replacements based on the subscription level. For Infoblox Threat Defense Advanced, please pay special attention to your appliance’s capacity when selecting replacement feeds.

Infoblox Threat Defense Essentials

Warning: The conversions of the old feed to new feed are shown for parity reasons. You need to configure per your appliance and what is allowed per the appliance sizing. If you need the feed but your appliance cannot handle that volume, please work with sales to upgrade the appliance. For feed recommendations per appliance sizing, please see Sizing Guidelines for Trinzic Appliances.

Infoblox Threat Defense Essentials RPZ Feed Mapping (old to new feeds)

Old Feeds: Base Hostnames, Malware DGA hostnames
New Feed: Infoblox Base

Infoblox Business On-Prem 

Infoblox Business On-Prem and Business Cloud subscriptions contain all feeds included with the Infoblox Essentials subscription in addition to the following RPZ feeds:

Warning: The conversions of the old feed to new feed are shown for parity reasons. You need to configure per your appliance and what is allowed per the appliance sizing. If you need the feed but your appliance cannot handle that volume, please work with sales to upgrade the appliance. For feed recommendations per appliance sizing, please see Sizing Guidelines for Trinzic Appliances.

Infoblox Threat Defense Business On-Prem and Business Cloud RPZ Feed Mapping (old to new feeds)

Old Feed: Infoblox Antimalware IP
New Feed: Infoblox Base IP

Old Feed: Newly Observed Emergent Domains (NOED)
New Feed: Infoblox Informational

Infoblox Business On-Prem contains all feeds included with an Infoblox Essentials subscription in addition to the feeds listed above.

Infoblox Threat Defense Advanced

Warning: The conversions of the old feed to new feed are shown for parity reasons. You need to configure per your appliance and what is allowed per the appliance sizing. If you need the feed but your appliance cannot handle that volume, please work with sales to upgrade the appliance. For feed recommendations per appliance sizing, please see Sizing Guidelines for Trinzic Appliances.

If you are a NIOS subscriber with an Infoblox Threat Defense Advanced subscription, please pay special attention to your appliance’s capacity when selecting your RPZ feeds.

The Infoblox Threat Defense Advanced subscription contains all feeds included with Infoblox Essentials and Infoblox Business tier subscriptions in addition to the following RPZ feeds:

Infoblox Threat Defense Advanced RPZ Feed Mapping (old to new feeds)

Old Feeds: Suspicious Lookalikes, Suspicious NOED
New Feeds: Infoblox High Risk, Infoblox Medium Risk, Infoblox Low Risk

The Infoblox Threat Defense Advanced subscription contains all feeds included with Infoblox Essentials and Infoblox Business tier subscriptions in addition to the feeds listed above. If you are a NIOS subscriber with an Infoblox Threat Defense Advanced subscription, please pay special attention to your appliance’s capacity when selecting your RPZ feeds.

Removal of NIOS RPZ Feeds to be Deprecated

Note: The old feeds are being deprecated; however, the new feeds that are intended to be their replacements were released in April 2024.

Before adding the new NIOS RPZ feeds, you must first identify and remove the existing feeds. To do this, follow these steps:

  1. In NIOS Grid Manager, navigate to Data Management > DNS > Response Policy Zones.

  2. Identify the current NIOS feeds for removal. These can be identified by their names:

    • base.rpz.infoblox.local
    • antimalware.rpz.infoblox.local
    • ransomware.rpz.infoblox.local
    • malware-dga.rpz.infoblox.local
    • antimalware-ip.rpz.infoblox.local
    • suspicious.rpz.infoblox.local
    • suspicious-lookalikes.rpz.infoblox.local
    • suspicious-noed.rpz.infoblox.local
    • noed.rpz.infoblox.local
    • ext-base-antimalware.rpz.infoblox.local
    • ext-ransomware.rpz.infoblox.local
    • ext-antimalware-ip.rpz.infoblox.local
    • spambot-dnsbl-ip.rpz.infoblox.local
    • ib-extreme-block.rpz.infoblox.local
    • ib-extreme-log.rpz.infoblox.local
    • ib-high-block.rpz.infoblox.local
    • ib-high-log.rpz.infoblox.local
    • ib-med-block.rpz.infoblox.local
    • ib-med-log.rpz.infoblox.local
    • ib-low-block.rpz.infoblox.local
    • ib-low-log.rpz.infoblox.local

Note: The availability of the new RPZ feeds is dependent on the subscription level.

Image: The old NIOS RPZ feeds to be removed prior to being replaced with the new feeds.

Note: If you have a large number of RPZs, use the search function to locate the feeds to be removed.

Image: Searching for specific RPZs to be removed.

  3. Select the checkbox associated with one of the feeds to be removed.

  4. Click the trash can icon or the Delete button in the toolbar.

    Image: Removing the old RPZ feeds from NIOS.

  5. Click Yes in the Delete Confirmation dialog.

    Image: Confirming the removal of the selected feeds. The removed feeds will be moved to the Recycle Bin.

  6. If you are removing multiple feeds, repeat steps 3-5 for each.

  7. Deletion of RPZs requires a service restart. Click Restart located in the top yellow banner to perform a system restart.

    Image: Clicking Restart to remove the desired feeds and restart NIOS.

  8. In the Restart Grid Services dialog, adjust the Restart Method if desired, and then click Restart.

    Image: Selecting a restart method from among the restart options.
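
Added example (not part of the Infoblox documentation and not Infoblox code): a planning helper that takes an inventory of configured RPZs, flags the deprecated zone names listed in the steps above, and carries each old policy override over to the replacement feed from the mapping tables, as the best practices recommend. The "fqdn" and "rpz_policy" field names, the policy strings, and the pairing of each zone name with its display name are assumptions; the sample inventory is constructed.

```python
# Added example (not Infoblox code): plan the feed migration from an RPZ inventory.
SUFFIX = ".rpz.infoblox.local"

# Zone names of the deprecated feeds, as listed in the removal steps above.
DEPRECATED = {
    "base", "antimalware", "ransomware", "malware-dga", "antimalware-ip",
    "suspicious", "suspicious-lookalikes", "suspicious-noed", "noed",
    "ext-base-antimalware", "ext-ransomware", "ext-antimalware-ip",
    "spambot-dnsbl-ip", "ib-extreme-block", "ib-extreme-log",
    "ib-high-block", "ib-high-log", "ib-med-block", "ib-med-log",
    "ib-low-block", "ib-low-log",
}

RISK_FEEDS = ["Infoblox High Risk", "Infoblox Medium Risk", "Infoblox Low Risk"]

# Old-to-new pairs from the mapping tables on this page. Matching each zone
# name to its display name (e.g. "base" = Base Hostnames) is an assumption.
REPLACEMENTS = {
    "base": ["Infoblox Base"],
    "malware-dga": ["Infoblox Base"],
    "antimalware-ip": ["Infoblox Base IP"],
    "noed": ["Infoblox Informational"],
    "suspicious-lookalikes": RISK_FEEDS,
    "suspicious-noed": RISK_FEEDS,
}


def plan_migration(zones):
    """Split configured RPZs into zones to remove, feeds to add, and zones to keep.

    `zones` is a list of dicts with "fqdn" and "rpz_policy" keys (assumed
    field names for an RPZ inventory export).
    """
    remove, keep, add = [], [], {}
    for zone in zones:
        fqdn = zone["fqdn"].strip().rstrip(".").lower()
        label = fqdn[: -len(SUFFIX)] if fqdn.endswith(SUFFIX) else None
        if label not in DEPRECATED:
            keep.append(fqdn)  # local RPZs and new feeds are left untouched
            continue
        remove.append(fqdn)
        # Carry the old policy override over to every replacement feed.
        for new_feed in REPLACEMENTS.get(label, []):
            add.setdefault(new_feed, set()).add(zone["rpz_policy"])
    # A replacement that inherits different overrides needs a manual decision.
    review = sorted(feed for feed, policies in add.items() if len(policies) > 1)
    return {
        "remove": sorted(remove),
        "add": {feed: sorted(p) for feed, p in sorted(add.items())},
        "review": review,
        "keep": sorted(keep),
    }


# Constructed sample inventory; the policy values are illustrative strings.
SAMPLE_ZONES = [
    {"fqdn": "base.rpz.infoblox.local", "rpz_policy": "NXDOMAIN"},
    {"fqdn": "Malware-DGA.rpz.infoblox.local.", "rpz_policy": "PASSTHRU"},
    {"fqdn": "antimalware-ip.rpz.infoblox.local", "rpz_policy": "NXDOMAIN"},
    {"fqdn": "suspicious-noed.rpz.infoblox.local", "rpz_policy": "PASSTHRU"},
    {"fqdn": "ib-high-block.rpz.infoblox.local", "rpz_policy": "GIVEN"},
    {"fqdn": "local-blocklist.example.com", "rpz_policy": "GIVEN"},
]

if __name__ == "__main__":
    for key, value in plan_migration(SAMPLE_ZONES).items():
        print(f"{key}: {value}")
```

Feeds listed under "review" inherited different overrides from the old feeds they replace (here, a blocking Base Hostnames feed and a log-only Malware DGA feed both map to Infoblox Base), so the policy for the new feed has to be chosen by hand.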


Adding the New NIOS RPZ Feeds Released in April 2024  

Feed and Distribution Server Configuration Values

To get the configuration information for the new, replacement NIOS RPZ feeds, you need to find out the feeds’ names and the configuration details for the distribution server.

  1. In the Infoblox Portal, navigate to Configure > Security > On-Prem DNS Firewall.

  2. Click Feed Configuration Values.

    Image: Clicking Feed Configuration Values (Step 2) of the feed configuration process. 

  3. In the Threat Feed Details list, locate the first feed you will configure. Refer to the table in the Replacement Feed Mapping section for recommended feeds.

  4. Click the Copy button for the desired feed. Note: Paste this and other configuration data copied in this section into a text file, for easy retrieval when configuring the feeds in NIOS.

    Image: The Threat Feed Details list from the Infoblox Portal.

  5. Repeat steps 3 and 4 for each feed. Refer to the table in the Replacement Feed Mapping section for recommended feeds.

  6. Click Close.

  7. Click Distribution Server Configuration Values.

    Image: Clicking Distribution Server Configuration Values (Step 3). 


  8. Scroll down to locate the Distribution Server you will use, and click the Copy button for the IPv4 or IPv6 server. Note: Paste this and other configuration data copied in this section into a text file, for easy retrieval when configuring the feeds in NIOS.

  9. Scroll down to the TSIG section.

  10. Note the Key Algorithm that is configured.

  11. Copy the Key. Note: Paste this and other configuration data copied in this section into a text file, for easy retrieval when configuring the feeds in NIOS.

  12. Copy the TSIG. Note: Paste this and other configuration data copied in this section into a text file, for easy retrieval when configuring the feeds in NIOS.

  13. Click Cancel to exit the Distribution Server. 

Image: The Distribution Server and TSIG details panel configuration.

Adding RPZ Feeds in NIOS 

To add the new, replacement RPZ feeds in NIOS, perform the following:

  1. In NIOS Grid Manager, navigate to Data Management > DNS > Response Policy Zones.

  2. Click the add icon or the Add button in the toolbar.

    Image: The new NIOS RPZ feeds added in the recommended order (slots 0 through 5). Note: Feed availability is dependent on the subscription level.

  3. In the first step of the Add Response Policy Zone wizard, select Add Response Policy Zone Feed.

  4. Click Next.

    Image: The first step of adding an RPZ feed. 

  5. In the second step, paste the Name of the feed, as copied from the Infoblox Portal.

  6. Optionally, adjust Policy Override and Severity.

  7. Click Next.

    Image: The second step of adding an RPZ feed: providing a name for the feed and, optionally, adjusting the policy override and severity.

  8. On Step 3, use the Add button dropdown to select External Primary. Note: To save time, you can instead use a nameserver group configured with the external primary and any Grid secondaries to be used for all RPZs. Refer to NIOS Documentation for additional information on creating nameserver groups.

    Image: The third step of adding an RPZ feed: select the external primary server.

  9. Enter a Name. Note: This field is for reference only; use any name you choose.

  10. Enter the Address of the distribution server, copied from the Infoblox Portal.

  11. Select the box for Use TSIG.

  12. Enter the Key Name as it is copied from the Infoblox Portal.

  13. Select the Key Algorithm as it is copied from the Infoblox Portal.

  14. Enter the Key Data as it is copied from the Infoblox Portal.

  15. Click Add.

    Image: Adding configuration information in the TSIG text fields.

  16. Use the Add button, and then select Grid Secondary from among the menu choices.

    Image: Adding a Grid Secondary.

  17. Click Select, and then choose the NIOS member to update. Note: You can configure a single secondary to be “Lead Secondary”. If you select this, then that member will be the only one to reach out to the external primary. The feed is then redistributed between members by using zone transfers.

  18. Click Add.

    Image: Selecting the NIOS member to update.

  19. (Optional) Repeat Steps 17 and 18 to add more NIOS appliances as secondaries.

  20. Click Save & Close.

    Image: Adding secondary nameservers.

  21. Repeat steps 2-20 for each feed you are adding.

  22. Adding an RPZ requires a service restart. In the banner at the top of the Grid Manager window, click Restart.

    Image: Clicking Restart to remove the desired feeds and restart NIOS.

  23. In the Restart Grid Services dialog, adjust the Restart Method if desired and click Restart.

    Image: Selecting a restart method from among the restart options to restart the Grid Service.

  24. (Optional) Once you have added all feeds, use the Order Response Policy Zones button under the Toolbar to change the order in which feeds are applied.

    Image: Clicking the Order Response Policy Zones button to change the feed order.

  25. In the Order Response Policy Zones dialog, use the arrows to change the

  26. Click OK when done.

    Image: Configuring Order Response Zones for the new NIOS RPZ feeds.

  27. Changing the order of RPZs requires a service restart to take effect. In the banner at the top of the Grid Manager window, click Restart.

  28. In the Restart Grid Services dialog, adjust Restart Method if desired and click Restart.

