infoblox_threat_defense:rpz_feeds
Revision 2026/03/08 18:43 (current) by bstafford, section [NSDNAME and NSIP]; previous revision 2026/01/08 01:36 by bstafford, section [Reporting Server Log].
  * **Block** - Contains entries that should be blocked with confidence given the level of protection needed (e.g. low protection for public Wi-Fi and extreme protection for the military)
  * **Log** - Goes along with the aligned **Block** list but contains entries that don't have as high a confidence level.

===== NSDNAME and NSIP =====

Disable NSDNAME/NSIP processing unless you actually need it: both triggers add work to every recursive resolution and carry a major performance impact (approx. 45%). They can also cause a massive outage if a legitimate name server (for example one shared by a large hosting or DNS provider) lands on your block list, because every domain delegated to that server is blocked along with it.

RPZ NSDNAME (Name Server Domain Name)
  * Definition: This trigger matches the domain name of an authoritative name server (the target of an NS record) seen during recursive resolution of the queried name.
  * Use Case: If a malicious actor uses ns1.badactor.com to host 5,000 phishing websites, you can create an RPZ rule with the owner name ns1.badactor.com.rpz-nsdname.<rpz zone>. Any domain delegated to that name server will be blocked.
  * Key Advantage: It catches new malicious domains immediately, even if they aren't listed in a reputation feed yet, as long as they use the same name server.

RPZ NSIP (Name Server IP Address)
  * Definition: This trigger matches the IP address (IPv4 or IPv6) in the A/AAAA records of the name servers associated with a domain (typically the glue records). The rule's owner name encodes the prefix length followed by the reversed address, e.g. 32.55.2.0.192.rpz-nsip.<rpz zone> for 192.0.2.55/32.
  * Use Case: If a malicious server changes its name (e.g., from ns1.badactor.com to ns1.sneaky.com) but keeps the same IP address (e.g., 192.0.2.55), NSDNAME no longer matches, but NSIP will still block it.
  * Functionality: It protects against attackers who try to evade NSDNAME filters by changing name server names.

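The following is an added example, not Infoblox or NIOS code and not taken from the RPZ specification: it builds the owner names for NSDNAME and NSIP triggers (including the reversed-octet IPv4 form and the "zz" label for a compressed IPv6 run) and then runs a simplified policy evaluation over constructed delegation data, so you can see both the NSIP catch of a renamed name server and the blast radius when a shared hosting name server is put on the block list. The policy zone rpz.local, all domain names, name servers and addresses are made up, and the matcher only looks at the NS set of the closest delegation rather than every delegation a real resolver walks.

```python
"""RPZ NSDNAME/NSIP trigger encoder and a small policy evaluator.

Added example for this page; it is not Infoblox/NIOS code and does not talk
to a resolver. The policy zone, name servers, addresses and domains are
constructed, and the matching is a simplified model of resolver behaviour:
only the NS set of the closest delegation of the queried name is checked."""
import ipaddress

RPZ_ZONE = "rpz.local"  # hypothetical local policy zone name


def nsdname_trigger(ns_name: str, zone: str = RPZ_ZONE) -> str:
    """Owner name of an NSDNAME trigger: <ns name>.rpz-nsdname.<zone>."""
    return f"{ns_name.rstrip('.').lower()}.rpz-nsdname.{zone}"


def nsip_trigger(cidr: str, zone: str = RPZ_ZONE) -> str:
    """Owner name of an NSIP trigger: <prefixlen>.<reversed address>.rpz-nsip.<zone>.

    IPv4: octets reversed (192.0.2.55/32 -> 32.55.2.0.192). IPv6: groups
    reversed without leading zeros, and a '::' run written as the label 'zz'.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    addr = net.network_address
    if net.version == 4:
        groups = str(addr).split(".")
    else:
        text = addr.compressed
        if "::" in text:
            head, tail = text.split("::")
            groups = (head.split(":") if head else []) + ["zz"] + (tail.split(":") if tail else [])
        else:
            groups = text.split(":")
    return f"{net.prefixlen}.{'.'.join(reversed(groups))}.rpz-nsip.{zone}"


def nsdname_matches(trigger: str, ns_name: str) -> bool:
    """Exact match, or a '*.' trigger matching the name and everything under it."""
    t, n = trigger.rstrip(".").lower(), ns_name.rstrip(".").lower()
    if t.startswith("*."):
        return n == t[2:] or n.endswith("." + t[2:])
    return n == t


def nsip_matches(trigger_cidr: str, ns_ip: str) -> bool:
    """An NSIP trigger is a prefix; it hits when the NS address falls inside it."""
    return ipaddress.ip_address(ns_ip) in ipaddress.ip_network(trigger_cidr, strict=False)


def evaluate(qname, delegations, policy):
    """Return the first matching (type, trigger owner name, action) for qname, else None.

    delegations: {domain: {ns_name: [ip, ...]}}  policy: [(type, value, action), ...]
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):  # walk up to the closest delegation point
        zone = ".".join(labels[i:])
        if zone in delegations:
            ns_set = delegations[zone]
            break
    else:
        return None
    for kind, value, action in policy:
        for ns_name, ips in ns_set.items():
            if kind == "NSDNAME" and nsdname_matches(value, ns_name):
                return (kind, nsdname_trigger(value), action)
            if kind == "NSIP" and any(nsip_matches(value, ip) for ip in ips):
                return (kind, nsip_trigger(value), action)
    return None


# Constructed data: a phishing operation that renames its NS but keeps the
# address, plus two legitimate tenants of one shared hosting name server.
DELEGATIONS = {
    "phish-one.example": {"ns1.badactor.example": ["192.0.2.55"]},
    "phish-two.example": {"ns1.sneaky.example": ["192.0.2.55"]},
    "bank.example": {"ns1.hosting.example": ["198.51.100.10", "2001:db8::10"]},
    "shop.example": {"ns1.hosting.example": ["198.51.100.10", "2001:db8::10"]},
}

POLICY = [
    ("NSDNAME", "ns1.badactor.example", "NXDOMAIN"),
    ("NSIP", "192.0.2.55/32", "NXDOMAIN"),
]


def collateral(policy, delegations=DELEGATIONS):
    """Every domain the policy blocks: the blast radius of an NS-based trigger."""
    return sorted(d for d in delegations if evaluate(d, delegations, policy))


if __name__ == "__main__":
    for q in ("www.phish-one.example", "phish-two.example", "bank.example"):
        print(q, "->", evaluate(q, DELEGATIONS, POLICY))
    print("blocked:", collateral(POLICY))
    # One shared hosting NS on the list takes its legitimate tenants down too.
    print("blocked with shared NS:", collateral(POLICY + [("NSDNAME", "ns1.hosting.example", "NXDOMAIN")]))
```

Running it shows phish-one.example caught by NSDNAME, phish-two.example caught only by NSIP after the rename, and then bank.example and shop.example disappearing as soon as ns1.hosting.example is added to the policy, which is the outage case the section warns about. Before enabling either trigger, run your candidate NS block entries against the NS sets of the domains your users actually resolve, as collateral() does here, and review anything that matches a provider-scale name server.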
===== RPZ BAU Syslog on NIOS =====
In NIOS, you get the following syslog on the member doing the RPZ feed
infoblox_threat_defense/rpz_feeds.1767836168.txt.gz · Last modified: by bstafford