Saucepan

User Tools

Site Tools

Trace:
infoblox_threat_defense:rpz_feeds

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
infoblox_threat_defense:rpz_feeds [2025/08/24 22:30] bstaffordinfoblox_threat_defense:rpz_feeds [2026/03/08 18:43] (current) – [NSDNAME and NSIP] bstafford
Line 8: Line 8:
  
 Some OpenSource feeds [[https://github.com/hagezi/dns-blocklists/tree/main/rpz|here]]. Some OpenSource feeds [[https://github.com/hagezi/dns-blocklists/tree/main/rpz|here]].
 +
 +[[https://www.isc.org/docs/BIND_RPZ.pdf|ISC Guide to RPZ Deployment]].
  
 ===== Best Practice ===== ===== Best Practice =====
Line 13: Line 15:
  
 [[https://docs.infoblox.com/space/BloxOneThreatDefense/35439943/Security+Policy+Precedence|Precedence]]: If you have a security policy at the top of the policy list (i.e. highest precedence), then if there is a DFP or an active Endpoint in that site or a DoH client, they will get processed by that security policy rather than the security policy they are actually aligned to further down the list of policies. The security logs will still have the information generated by Endpoint/DFP (e.g. private IP, endpoint name, etc). If the client is DoH client then you just get the public IP the traffic is coming from. If you have an Endpoint and go to a site of another company who protect their site with "External Network", you Endpoint traffic will hit your tenant and only be processed by your tenant. The Endpoint/External Network precedence topic only applies if you have both the Endpoint and the External Network in the same tenant. [[https://docs.infoblox.com/space/BloxOneThreatDefense/35439943/Security+Policy+Precedence|Precedence]]: If you have a security policy at the top of the policy list (i.e. highest precedence), then if there is a DFP or an active Endpoint in that site or a DoH client, they will get processed by that security policy rather than the security policy they are actually aligned to further down the list of policies. The security logs will still have the information generated by Endpoint/DFP (e.g. private IP, endpoint name, etc). If the client is DoH client then you just get the public IP the traffic is coming from. If you have an Endpoint and go to a site of another company who protect their site with "External Network", you Endpoint traffic will hit your tenant and only be processed by your tenant. The Endpoint/External Network precedence topic only applies if you have both the Endpoint and the External Network in the same tenant.
 +
 +REMEMBER: ALL RPZ get evaluated BEFORE query is made. IP rules are ignored. IP Rules get evaluated when response is received.
  
 Infoblox Threat Defense will never block *.infoblox.com even if it is explicitly blocked by Security Policy. This is because the domain is trusted and run by Infoblox and is necessary for basic functioning of the service. Infoblox Threat Defense will never block *.infoblox.com even if it is explicitly blocked by Security Policy. This is because the domain is trusted and run by Infoblox and is necessary for basic functioning of the service.
Line 43: Line 47:
 ===== RPZ Sizing ===== ===== RPZ Sizing =====
 As of NIOS 9.0.1 in Dec 2023: ([[https://docs.infoblox.com/space/BloxOneThreatDefense/35434905/Sizing+Guidelines+for+DDI+Appliances|Documentation]]) As of NIOS 9.0.1 in Dec 2023: ([[https://docs.infoblox.com/space/BloxOneThreatDefense/35434905/Sizing+Guidelines+for+DDI+Appliances|Documentation]])
-^ Model ^ RPZ Rule Count ^ Notes ^ +As of NIOS 9.0.7 in Oct 2025 - new column added. Note, running Threat Feeds AND Threat Insight is not supported on TE-1415 and TE-1425. 
-| TE-815 | 1.5 million RPZ entries | Base + Base IP only | +^ Model ^ RPZ Entry Count (NIOS >= 9.0.7) ^ RPZ Rule Count ^ Notes ^ 
-| TE-825 | 2 million RPZ entries | Base + Base IP only | +| TE-815 | 6M (TI not supported) | 1.5Ms | Base + Base IP only | 
-**TE-926**/TE-1415 | 6 million RPZ entries | Base + Base IP only | +| TE-825 | 6M (TI not supported) | 2M | Base + Base IP only | 
-| TE-1425 | 8 million RPZ entries | Base + Base IP only | +| TE-1415 | 12M (TI not supported) | 6M | Base + Base IP only + Informational 
-**TE-1516**/**TE-1526** | 20 million RPZ entries | Base + Base IP + High only | +| TE-1425 | 12M (TI not supported) | 8M | Base + Base IP only + Informational 
-| TE-2215/TE-2225 25 million RPZ entries Base + Base IP + High + Medium only  +| TE-2215/TE-2225 (20M with TI) | 40M | 25M | Everything | 
-| **TE-2326**/**TE-4126**/TE-4015/TE-4025 40 million RPZ entries | Everything |+| TE-4015/TE-4025 (35M with TI) | 60M | 40M | Everything | 
 +**TE-926** | 16M (TI not supported) | 6M | Base + Base IP only | 
 +**TE-1516**/**TE-1526** (15M with TI) 40M 20M | Everything 
 +| **TE-2326**/**TE-4126** (35M with TI) 60M | 40M | Everything |
  
 ===== Suggested Best Practice for Cloud Based Security Policies ===== ===== Suggested Best Practice for Cloud Based Security Policies =====
Line 186: Line 193:
  
 Another nice thing about custom RPZ feeds is that you can pull the data easily to other tool. e.g. dig with correct commands to do a zone transfer. Put that through a small shell script to filter the data into host file format and you can put it on a PiHole. Another nice thing about custom RPZ feeds is that you can pull the data easily to other tool. e.g. dig with correct commands to do a zone transfer. Put that through a small shell script to filter the data into host file format and you can put it on a PiHole.
 +
 +===== IP in Custom List =====
 +You can block (or allow) traffic based on answer IP by using Custom list. This can be done for a single IP by adding x.x.x.x/32. If you don't add /32, it will be added automatically when you save the Custom list. You can also add subnets such as y.y.y.y/24.
 +
  
 ===== RPZ Source ===== ===== RPZ Source =====
Line 317: Line 328:
   * **Block** - Contains entries that should be blocked with confidence given the level of protection needed (e.g. low protection for public wifi and extreme protection for the military)   * **Block** - Contains entries that should be blocked with confidence given the level of protection needed (e.g. low protection for public wifi and extreme protection for the military)
   * **Log** - Goes along with the aligned **Block** list but contains entries that don't have as high a confidence level.   * **Log** - Goes along with the aligned **Block** list but contains entries that don't have as high a confidence level.
 +
 +===== NSDNAME and NSIP =====
 +
 +Disable NSDNAME/NSIP processing to prevent major performance impacts (approx. 45%). This feature can also cause massive outage if a legitimate NS server gets onto your block list.
 +
 +RPZ NSDNAME (Name Server Domain Name)
 +  * Definition: This trigger matches the domain name of the authoritative name server (found in the NS records) during recursive resolution.
 +  * Use Case: If a malicious actor uses ns1.badactor.com to host 5,000 phishing websites, you can create an RPZ rule targeting ns1.badactor.com.rpz-nsdname. Any domain utilizing that name server will be blocked.
 +  * Key Advantage: It catches new malicious domains immediately, even if they aren't listed in a reputation feed yet, as long as they use the same compromised name server. 
 +
 +RPZ NSIP (Name Server IP Address) 
 +  * Definition: This trigger matches the actual IP address (IPv4 or IPv6) in the A/AAAA records of name servers associated with domains (glue records).
 +  * Use Case: If a malicious server changes its name (e.g., from ns1.badactor.com to ns1.sneaky.com) but keeps the same IP address (e.g., 192.0.2.55), NSDNAME might fail, but NSIP will still block it.
 +  * Functionality: It protects against attackers who try to evade NSDNAME filters by changing name server names. 
 +    
 +    
 ===== RPZ BAU Syslog on NIOS ===== ===== RPZ BAU Syslog on NIOS =====
 In NIOS, you get the following syslog on the member doing the RPZ feed In NIOS, you get the following syslog on the member doing the RPZ feed
Line 443: Line 470:
   * Major = 7   * Major = 7
   * Critical = 8   * Critical = 8
 +
 +Official SYSLOG Severity levels
 +  * 0 (Emergency): System unusable, kernel panic.
 +  * 1 (Alert): Action must be taken immediately (e.g., primary ISP loss).
 +  * 2 (Critical): Critical conditions (e.g., failing hardware, primary application failure).
 +  * 3 (Error): Error conditions, non-urgent failures.
 +  * 4 (Warning): Potential errors if no action is taken (e.g., low disk space).
 +  * 5 (Notice): Unusual but not error conditions, ongoing events.
 +  * 6 (Informational): Normal operational messages (e.g., application start/stop).
 +  * 7 (Debug): Detailed information for developers
  
 A note on Mitigation Action A note on Mitigation Action
Line 464: Line 501:
    * rpz: ransomware.rpz.infoblox.local: reload done    * rpz: ransomware.rpz.infoblox.local: reload done
    * zone ransomware.rpz.infoblox.local/IN: sending notifies (serial 1684952096)    * zone ransomware.rpz.infoblox.local/IN: sending notifies (serial 1684952096)
 +
 +==== RPZ Transferring Data ====
 +When a new copy of the RPZ is downloaded (transferred)
 +   * rpz: bogon.rpz.infoblox.local: reload start
 +   * (re)loaded policy zone 'bogon.rpz.infoblox.local', now with 1 qname, 0 nsdname, 16 IP, 0 NSIP, 0 CLIENTIP entries
 +   * rpz: bogon.rpz.infoblox.local: reload done
 +
 +You can force a new download with
 +<code>set dns transfer <zone> [view]</code>
 +<code>set dns transfer public-doh.rpz.infoblox.local zulu</code>
  
infoblox_threat_defense/rpz_feeds.1756074622.txt.gz · Last modified: by bstafford