NIOS Threat Insight
Documentation here.
Add *.prod.zpath.net to the Threat Insight allow list (Zscaler).
During an HA failover, analytics data that is in progress on the active node might be lost. Only new DNS queries on the new active node after a successful failover are analyzed, and it may take a few minutes for the analytics to reach its normal state. If there is no connection between the Grid Master and a Grid member, blacklisted domains detected by the analytics on that member cannot be transferred to the Grid Master as RPZ records for the pre-configured RPZ zone (this does not apply to standalone appliances with an RPZ license installed). In addition, ensure that the passive node also has the RPZ license installed and that its hardware model is capable of running the threat analytics service. For information about supported appliance models, see Supported Appliances for Infoblox Threat Insight below.
After you enable the threat analytics service, you must restart DNS service for the analytics to start working.
To monitor the threat analytics service before actually blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block offending domains, set Policy Override to None (Given).
When running Threat Insight and/or ADP on the Grid, the Grid Master needs to resolve and reach https://ts.infoblox.com on TCP 443 to download the latest module set updates, whitelist updates and ADP updates. You may need to configure the proxy settings in the Grid, and you may need to disable TLS inspection on the proxy for that destination.
Threat Insight requires a TE-1415 or higher appliance model. Using unsupported appliance models (e.g. TE-825) for Infoblox Threat Insight might cause performance issues.
For Threat Insight, only the Grid Master receives module set and whitelist set updates; Grid members receive them through standard Grid replication from the Grid Master. Module and whitelist data is only replicated to Grid members that have the threat analytics service enabled (an RPZ license is required to start this service on the members). The appliance uses port 443 (HTTPS) for downloading the module set and whitelist data updates.
Note: The scheduled time does not indicate the exact time of the download. Downloads occur somewhere within a 30-minute window centred on the scheduled time, so the actual download can happen up to 15 minutes before or after the scheduled time.
You can only update to a newer whitelist set, whereas you can switch back to an older version of the module set, if one is available. However, if you have configured an Automatic update policy, the appliance overwrites the older module set version with the new one. To avoid this, change the update policy to Manual or disable automatic downloads.
You can block at the highest domain level only if the Threat Analytics license is installed on the Grid member.
To use the Configure Domain Level to block Tunneling option, ensure you update the module set to the latest version after a NIOS upgrade. The active module set must be version 20190410 or later.
When importing data from the BloxOne Cloud Threat Insight RPZ feed: whenever a new RPZ is added and NIOS requests Threat Insight results, Grid Manager displays a Warning dialog box asking you to confirm that you want to request all domains detected by Threat Insight in BloxOne Threat Defense Cloud. If you click No in the Warning dialog box, you can later use the set cloud_services_portal_force_refresh CLI command in maintenance mode to set the flag and request all domains detected in BloxOne Threat Defense Cloud.
The documentation states that Threat Insight supports BIND only, not Unbound. This is because a version of the 40xx series had an Unbound option created for a specific use case; it was removed from the code in NIOS 9.0.0.
Logs
Log line written when a detected domain is added to the RPZ zone:
ns1.example.corp ... ThreatInsightAnalytics[12593]: The CNAME record '*.amazonaws.com' is successfully added into BlackList RPZ zone(s) with comment '[2001-02-03 11:22:33 UTC] [member: ns-grid-member.example.corp] DNS Tunneling' and policy 'No Such Domain'.
Log lines written when tunneling is detected. These precede the line above, which is written when the result is added to the RPZ. One line is written per trigger (Trigger N of M), all carrying the same detected domain, client IP and likelihood:
ns1.example.corp ... analytics: DNS Tunneling detected: Domain name *.amazonaws.com has been detected with tunneling activity. The analytics classification was triggered by 4 queries from client IP: 10.1.1.1 to domain amazonaws.com. The likelihood of the detection is 0.9529750921571396. Trigger 1 of 4 : {"timestamp":"2001-02-11T10:27:18","qName":"wire-frontsys-test-123b4565iz07fi73.elb.eu-west-1.amazonaws.com","qType":"A","rData":"","ttl":60,"delay":5}
ns1.example.corp ... analytics: DNS Tunneling detected: Domain name *.amazonaws.com has been detected with tunneling activity. The analytics classification was triggered by 4 queries from client IP: 10.1.1.1 to domain amazonaws.com. The likelihood of the detection is 0.9529750921571396. Trigger 2 of 4 : {"timestamp":"2001-02-03T10:27:17","qName":"k8s-gov-apiuslb-d496fb99ip-i123e9636yhb9iqs.elb.eu-west-1.amazonaws.com","qType":"A","rData":"","ttl":60,"delay":4}
ns1.example.corp ... analytics: DNS Tunneling detected: Domain name *.amazonaws.com has been detected with tunneling activity. The analytics classification was triggered by 4 queries from client IP: 10.1.1.1 to domain amazonaws.com. The likelihood of the detection is 0.9529750921571396. Trigger 3 of 4 : {"timestamp":"2001-02-03T11:22:33","qName":"public-ingress-lb-gb-test-123f5e0631673821.elb.eu-central-1.amazonaws.com","qType":"A","rData":"","ttl":60,"delay":5}
ns1.example.corp ... analytics: DNS Tunneling detected: Domain name *.amazonaws.com has been detected with tunneling activity. The analytics classification was triggered by 4 queries from client IP: 10.1.1.1 to domain amazonaws.com. The likelihood of the detection is 0.9529750921571396. Trigger 4 of 4 : {"timestamp":"2001-02-031T10:27:05","qName":"k8s-cn-sockjs-435785677p9-9e123c588200ab0f.elb.eu-west-1.amazonaws.com","qType":"A","rData":"","ttl":60,"delay":4}
Examples of names that could trigger such a detection:
sys-fnt-test-123b4565iz07fi73.elb.eu-west-1.amazonaws.com
public-ingress-lb-gb-test-123f5e0631673821.elb.eu-central-1.amazonaws.com
k8s-gov-apiuslb-d496fb99ip-i123e9636yhb9iqs.elb.eu-west-1.amazonaws.com
k8s-cn-sockjs-435785677p9-9e123c588200ab0f.elb.eu-west-1.amazonaws.com
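When these detections land in a SIEM, the first question is whether the flagged wildcard is a known false positive (long random-looking ELB or Kubernetes ingress labels under amazonaws.com) or something to act on, and whether an allow-list entry such as *.prod.zpath.net would have covered it. The script below is an added example, not Infoblox code: it parses the two line formats shown above, collapses the "Trigger i of N" lines into one detection per client and domain pattern, and triages each detection against a local allow list. The sample log lines are constructed from the format above with sanitized names and addresses; the wildcard-matching semantics used for the allow list are an assumption for illustration, not a statement of how Threat Insight evaluates its own allow list.

```python
"""Parse NIOS Threat Insight syslog lines and triage detections against
a local allow list. Added example, not Infoblox code."""
import json
import re

# 'analytics:' detection line; one line is emitted per trigger.
DETECT_RE = re.compile(
    r"analytics: DNS Tunneling detected: Domain name (?P<pattern>\S+) has been "
    r"detected with tunneling activity\. The analytics classification was "
    r"triggered by (?P<count>\d+) queries from client IP: (?P<client>\S+) to "
    r"domain (?P<domain>\S+)\. The likelihood of the detection is "
    r"(?P<likelihood>[0-9.]+)\. Trigger (?P<idx>\d+) of (?P<total>\d+) : "
    r"(?P<json>\{.*\})\s*$"
)
# 'ThreatInsightAnalytics[pid]:' line written when the result reaches the RPZ.
INSERT_RE = re.compile(
    r"ThreatInsightAnalytics\[\d+\]: The (?P<rtype>\w+) record '(?P<name>[^']+)' "
    r"is successfully added into (?P<zone>.+?) zone\(s\) with comment "
    r"'(?P<comment>[^']*)' and policy '(?P<policy>[^']+)'"
)

# Constructed sample lines in the format shown above (sanitized values).
SAMPLE_LOG = [
    'Feb  3 10:27:05 ns1.example.corp analytics: DNS Tunneling detected: Domain name *.amazonaws.com has been detected with tunneling activity. The analytics classification was triggered by 2 queries from client IP: 10.1.1.1 to domain amazonaws.com. The likelihood of the detection is 0.9529750921571396. Trigger 1 of 2 : {"timestamp":"2001-02-03T10:27:05","qName":"k8s-cn-sockjs-435785677p9-9e123c588200ab0f.elb.eu-west-1.amazonaws.com","qType":"A","rData":"","ttl":60,"delay":4}',
    'Feb  3 10:27:17 ns1.example.corp analytics: DNS Tunneling detected: Domain name *.amazonaws.com has been detected with tunneling activity. The analytics classification was triggered by 2 queries from client IP: 10.1.1.1 to domain amazonaws.com. The likelihood of the detection is 0.9529750921571396. Trigger 2 of 2 : {"timestamp":"2001-02-03T10:27:17","qName":"public-ingress-lb-gb-test-123f5e0631673821.elb.eu-central-1.amazonaws.com","qType":"A","rData":"","ttl":60,"delay":5}',
    'Feb  3 10:30:01 ns1.example.corp analytics: DNS Tunneling detected: Domain name *.prod.zpath.net has been detected with tunneling activity. The analytics classification was triggered by 1 queries from client IP: 10.1.1.2 to domain prod.zpath.net. The likelihood of the detection is 0.91. Trigger 1 of 1 : {"timestamp":"2001-02-03T10:30:01","qName":"a1b2c3d4e5f60718.prod.zpath.net","qType":"A","rData":"","ttl":60,"delay":3}',
    "Feb  3 11:22:33 ns1.example.corp ThreatInsightAnalytics[12593]: The CNAME record '*.amazonaws.com' is successfully added into BlackList RPZ zone(s) with comment '[2001-02-03 11:22:33 UTC] [member: ns-grid-member.example.corp] DNS Tunneling' and policy 'No Such Domain'.",
    "Feb  3 11:22:34 ns1.example.corp named[4242]: client @0x1 10.1.1.1#5353: query: www.example.com IN A",
]


def parse_line(line):
    """Return a dict for a recognised Threat Insight line, else None."""
    m = DETECT_RE.search(line)
    if m:
        rec = m.groupdict()
        for key in ("count", "idx", "total"):
            rec[key] = int(rec[key])
        rec["likelihood"] = float(rec["likelihood"])
        rec["trigger"] = json.loads(rec.pop("json"))  # the per-query JSON payload
        rec["kind"] = "detection"
        return rec
    m = INSERT_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "rpz_insert"
        return rec
    return None


def group_detections(lines):
    """Collapse the 'Trigger i of N' lines into one record per (client, pattern)."""
    groups = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["kind"] != "detection":
            continue
        key = (rec["client"], rec["pattern"])
        g = groups.setdefault(key, {
            "client": rec["client"], "pattern": rec["pattern"],
            "domain": rec["domain"], "likelihood": rec["likelihood"],
            "expected": rec["total"], "triggers": {},
        })
        g["triggers"][rec["idx"]] = rec["trigger"]
    result = []
    for g in groups.values():
        g["complete"] = len(g["triggers"]) == g["expected"]  # all N lines seen?
        g["qnames"] = [g["triggers"][i]["qName"] for i in sorted(g["triggers"])]
        result.append(g)
    return result


def allowlisted(name, allow_patterns):
    """Assumed semantics: '*.suffix' covers the wildcard itself, the suffix
    and every name below it; any other entry must match exactly."""
    name = name.lower().rstrip(".")
    for pat in allow_patterns:
        pat = pat.lower().rstrip(".")
        if pat.startswith("*."):
            suffix = pat[2:]
            if name in (pat, suffix) or name.endswith("." + suffix):
                return True
        elif name == pat:
            return True
    return False


def triage(lines, allow_patterns):
    """Split detections into (to_review, suppressed). A detection is
    suppressed when its wildcard, or every qName that triggered it, is
    covered by the allow list."""
    review, suppressed = [], []
    for det in group_detections(lines):
        covered = allowlisted(det["pattern"], allow_patterns) or all(
            allowlisted(q, allow_patterns) for q in det["qnames"])
        (suppressed if covered else review).append(det)
    return review, suppressed


if __name__ == "__main__":
    to_review, quiet = triage(SAMPLE_LOG, ["*.prod.zpath.net"])
    for det in to_review:
        print(f"REVIEW {det['pattern']} from {det['client']} "
              f"p={det['likelihood']:.3f} complete={det['complete']}")
        for q in det["qnames"]:
            print("   ", q)
    for det in quiet:
        print(f"ALLOW  {det['pattern']} from {det['client']} (allow-listed)")
```

Run it against the real syslog export (one line per entry) and treat any detection with complete=False as a partially collected event rather than a weaker one: the likelihood is identical across all N trigger lines, so a missing trigger means a lost log line, not a lower score.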
In the cloud (BloxOne Threat Defense), a high-profile TLD in the FQDN no longer prevents a detection; the domain's nameservers are now taken into consideration as well.
