<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.8" -->
<?xml-stylesheet href="https://www.staffordnet.uk/lib/exe/css.php?s=feed" type="text/css"?>
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="https://www.staffordnet.uk/feed.php">
        <title>Saucepan - infoblox_threat_defense</title>
        <description></description>
        <link>https://www.staffordnet.uk/</link>
        <image rdf:resource="https://www.staffordnet.uk/lib/exe/fetch.php?media=favicon.ico" />
       <dc:date>2026-04-05T18:31:37+00:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:applications&amp;rev=1741017431&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:blockpage&amp;rev=1735312345&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:cisco_umbrella&amp;rev=1735312366&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:custom_lists&amp;rev=1742570102&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:dfp&amp;rev=1762961288&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:domain_mitigation&amp;rev=1735312142&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:dossier&amp;rev=1735312153&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:endpoints&amp;rev=1771123008&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:exfiltration&amp;rev=1735312937&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:external_networks&amp;rev=1735312197&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:geolocation&amp;rev=1772012820&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:internal_domains&amp;rev=1758637757&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:logging&amp;rev=1735312570&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:lookalikes&amp;rev=1735311440&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:monitoring&amp;rev=1735311466&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:palo_alto_networks&amp;rev=1744106479&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:pop&amp;rev=1746515886&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:redirect&amp;rev=1735312408&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:rpz_feeds&amp;rev=1772995432&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:sandbox&amp;rev=1735312628&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:security_policy&amp;rev=1768988466&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:test_domains&amp;rev=1751471012&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:threat_insight&amp;rev=1768987027&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:tide&amp;rev=1774997082&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:troubleshooting&amp;rev=1735313819&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:url_filtering&amp;rev=1768987093&amp;do=diff"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="https://www.staffordnet.uk/lib/exe/fetch.php?media=favicon.ico">
        <title>Saucepan</title>
        <link>https://www.staffordnet.uk/</link>
        <url>https://www.staffordnet.uk/lib/exe/fetch.php?media=favicon.ico</url>
    </image>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:applications&amp;rev=1741017431&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-03-03T15:57:11+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>applications</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:applications&amp;rev=1741017431&amp;do=diff</link>
        <description>Infoblox Applications

Allow - Local Resolution

NIOS-X with DFP and Infoblox Endpoint can honour “Allow - Local Resolution” for Application Custom List on Security Policy. DFP MUST have a fallback resolver configured. This is because the list of applications isn&#039;t put into the</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:blockpage&amp;rev=1735312345&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-12-27T15:12:25+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>blockpage</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:blockpage&amp;rev=1735312345&amp;do=diff</link>
        <description>BloxOne Block Page

Certificate

The block page hosted by Infoblox uses this CA cert that the client endpoint needs to have in its trusted Root CA store in order for the page to load correctly.

Code

&lt;!DOCTYPE html&gt;
&lt;html title=&quot;infoblox-redirect-page&quot;&gt;
&lt;head&gt;
	&lt;title&gt;Authentication required&lt;/title&gt;
	&lt;link rel=&quot;icon&quot; type=&quot;image/x-icon&quot; href=&quot;/smart-proxy/resources/favicon.ico&quot; sizes=&quot;any&quot; /&gt;
	&lt;link rel=&quot;icon&quot; type=&quot;image/svg+xml&quot; href=&quot;/smart-proxy/resources/favicon.svg&quot; /&gt;
	&lt;style&gt;
		a[_ngcon…</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:cisco_umbrella&amp;rev=1735312366&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-12-27T15:12:46+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>cisco_umbrella</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:cisco_umbrella&amp;rev=1735312366&amp;do=diff</link>
        <description>Cisco Umbrella

From Cisco&#039;s page here and here.

Cisco Umbrella has a Monthly DNS Query Average - more data. More info in product description

With regards to blocked security domains, please note that Cisco Umbrella blocks A, AAAA, ANY, CNAME, PTR, SRV, PRIVATE, SPF/DNS, NULL, SIG, and TXT records, so queries for other record types (MX, SOA, and NS) will be allowed, even though the category is blocked.  However, requests for MX records of domains that have been categorized as</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:custom_lists&amp;rev=1742570102&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-03-21T15:15:02+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>custom_lists</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:custom_lists&amp;rev=1742570102&amp;do=diff</link>
        <description>Custom Lists

You can create 100 custom lists in any given BloxOne tenant.

Each list can have 50k entries.

A custom list containing just “example.co.uk” also blocks 

test.ftp.sip.example.co.uk

However, caching means that you might need to wait a little while for all queries to get blocked.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:dfp&amp;rev=1762961288&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-11-12T15:28:08+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>dfp</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:dfp&amp;rev=1762961288&amp;do=diff</link>
        <description>DFP

DFP = DNS Forward Proxy

On NIOS, you don&#039;t have to put a domain into “Internal domains” for NIOS DFP to recognize a record for a forward zone. Just creating the forward zone in NIOS is enough for NIOS to forward as required without bothering the DFP. If you put block lists on the cloud security policy for zones that NIOS forwards to, the security policies won&#039;t do anything as they are not consulted by NIOS.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:domain_mitigation&amp;rev=1735312142&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-12-27T15:09:02+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>domain_mitigation</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:domain_mitigation&amp;rev=1735312142&amp;do=diff</link>
        <description>Infoblox Domain Mitigation

Blog Post

Infoblox runs the CISA domain take-down service.

Infoblox provide domain monitoring and reporting to track potential threats. They also provide a takedown service.

The service is run by the PS team; you buy a bundle of 100 take-downs.

You then use them as required. The Infoblox team will take care of the rest. They follow up and keep the domain down for 30 days if required.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:dossier&amp;rev=1735312153&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-12-27T15:09:13+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>dossier</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:dossier&amp;rev=1735312153&amp;do=diff</link>
        <description>Dossier

All Dossier notes have been moved to the TIDE page.

Dossier is a front end that can take TIDE data and also include data from other sources such as WHOIS, GeoLocation, etc.

Limit of 600 API calls with ~40 requests per search per hour to make it about 30-40 searches per tenant per hour.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:endpoints&amp;rev=1771123008&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-02-15T02:36:48+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>endpoints</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:endpoints&amp;rev=1771123008&amp;do=diff</link>
        <description>Infoblox Endpoints

Best Practice

Official Best Practice

Internal Host Detection

Endpoint can be configured to detect when it is on the corporate network and thus told not to establish a DoT session to Infoblox Cloud, because the local DNS server will be applying DNS security.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:exfiltration&amp;rev=1735312937&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-12-27T15:22:17+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>exfiltration</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:exfiltration&amp;rev=1735312937&amp;do=diff</link>
        <description>Malware Examples using DNS

	*  Snugy Malware - 2020 November - Low and Slow DNS Exfiltration and C2.
	*  BellaCiao - 2023 April - Low and Slow DNS Exfiltration and C2.
	*  Medusa - 2023 May - Russian Malware Intel Report

Example

dig +short 10.181.64.161 1075.63632e747874.1.bz2oc0.txt.start.hexn.ebb569d085.thehansfamily.com
dig +short 10.181.64.161 1.49737375696e674e6574776f726b2c436172644e756d6265720d0a.bz2oc0.hexn.ebb569d085.thehansfamily.com
dig +short 10.181.64.161 2.4d6173746572436172642c…</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:external_networks&amp;rev=1735312197&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-12-27T15:09:57+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>external_networks</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:external_networks&amp;rev=1735312197&amp;do=diff</link>
        <description>BloxOne External Networks

When you create an external network in BloxOne Threat Defense and set a public IP range, no other customer will be able to use it.

The external network must be a CIDR between /24 and /32. For IPv6, enter a CIDR between /0 and /128.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:geolocation&amp;rev=1772012820&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-02-25T09:47:00+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>geolocation</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:geolocation&amp;rev=1772012820&amp;do=diff</link>
        <description>Infoblox Threat Defense Geolocation

Geolocation

Service providers such as Google, Infoblox, etc. will only forward ECS data to an authoritative DNS server if the domain being queried is in the list of ECS zones.

	*  For Infoblox, this list is mostly services Google, YouTube, SalesForce, Netskope, etc.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:internal_domains&amp;rev=1758637757&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-09-23T14:29:17+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>internal_domains</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:internal_domains&amp;rev=1758637757&amp;do=diff</link>
        <description>Internal Domains

Remember, the purpose of “Internal Domains” is for BloxOne Hosts that do not have BloxOne DDI enabled. NIOS already has the ability to be authoritative for domains and to manually forward internal domains as part of NIOS DNS and so</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:logging&amp;rev=1735312570&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-12-27T15:16:10+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>logging</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:logging&amp;rev=1735312570&amp;do=diff</link>
        <description>Infoblox Threat Defense Logging

Details on logs from Threat Defense Cloud via the Data Connector is in the NIOS-X Logging section.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:lookalikes&amp;rev=1735311440&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-12-27T14:57:20+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>lookalikes</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:lookalikes&amp;rev=1735311440&amp;do=diff</link>
        <description>Infoblox Lookalike Domain Monitoring

After the customer adds a new custom domain to be monitored it will take effect only on newly observed data starting from the next day.

The Suspicious lookalikes RPZ feed is filled with the findings of the domains monitored.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:monitoring&amp;rev=1735311466&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-12-27T14:57:46+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>monitoring</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:monitoring&amp;rev=1735311466&amp;do=diff</link>
        <description>BloxOne Monitoring

Category filter list is here.

When searching under Reports &gt; Security Activity, you can use filters such as:

category!=&quot;Malicious Downloads&quot;

category!=&quot;Malicious Downloads&quot; and category!=&quot;Shareware/Freeware&quot;

You can also search by endpoint client IP.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:palo_alto_networks&amp;rev=1744106479&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-04-08T10:01:19+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>palo_alto_networks</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:palo_alto_networks&amp;rev=1744106479&amp;do=diff</link>
        <description>Palo Alto Networks DNS Security

View all STIG

DISA STIG audit rule: The Palo Alto Networks security platform must not enable the DNS proxy.

Basically, DISA is saying “Don&#039;t put all your eggs in one basket”.

The Palo Alto Networks security platform can act as a DNS proxy and send the DNS queries on behalf of the clients. DNS queries that arrive on an interface IP address can be directed to different DNS servers based on full or partial domain names.

However, unrelated or unneeded proxy serv…</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:pop&amp;rev=1746515886&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-05-06T07:18:06+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>pop</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:pop&amp;rev=1746515886&amp;do=diff</link>
        <description>BloxOne POP

List of BloxOne Points of Presence (source list and live status) 

Hint: if you have BloxOne Threat Defense AND BloxOne DDI, you can enable “Local Resolution” on your security policies. This means that the OPH resolves the FQDN locally and therefore returns the nearest POP of the SaaS service you are connecting to. However, the query response is not sent to the client until it has also been passed through the BloxOne Threat Defense cloud for security checks.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:redirect&amp;rev=1735312408&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-12-27T15:13:28+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>redirect</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:redirect&amp;rev=1735312408&amp;do=diff</link>
        <description>Infoblox Redirects

Bing No Copilot

To direct www.bing.com to nochat.bing.com

&lt;https://learn.microsoft.com/en-us/copilot/manage#require-commercial-data-protection-in&gt;-

On NIOS:

	*  You can use an RPZ to redirect www.bing.com to nochat.bing.com
	*  You can create www.bing.com as an authoritative zone and then create an ALIAS A record for the zone that points at nochat.bing.com</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:rpz_feeds&amp;rev=1772995432&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-03-08T18:43:52+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>rpz_feeds</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:rpz_feeds&amp;rev=1772995432&amp;do=diff</link>
        <description>Infoblox RPZ Threat Feeds

Official list of Infoblox Threat Feeds

Feed Revamp for NIOS

Test data here.

Some OpenSource feeds here.

ISC Guide to RPZ Deployment.

Best Practice

Official best practice.

Precedence: If you have a security policy at the top of the policy list (i.e. highest precedence), then if there is a DFP or an active Endpoint in that site or a DoH client, they will get processed by that security policy rather than the security policy they are actually aligned to further down…</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:sandbox&amp;rev=1735312628&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-12-27T15:17:08+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>sandbox</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:sandbox&amp;rev=1735312628&amp;do=diff</link>
        <description>Infoblox Threat Defense Sandbox

Details on Infoblox Sandbox for Threat Defense are in the NIOS-X Sandbox section.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:security_policy&amp;rev=1768988466&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-01-21T09:41:06+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>security_policy</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:security_policy&amp;rev=1768988466&amp;do=diff</link>
        <description>Security Policy

When you have “Local On-Prem Resolution” AND “Block DNS rebinding attacks” enabled on a security policy, then any NIOS-X or NIOS-X-as-a-Service instance that has conditional forwarding to on-prem servers that respond to internal domains with RFC1918 addresses will be blocked. This would also apply if NIOS-X was doing a global forwarder to a</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:test_domains&amp;rev=1751471012&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-07-02T15:43:32+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>test_domains</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:test_domains&amp;rev=1751471012&amp;do=diff</link>
        <description>Infoblox Test Domains

Third Party Malware Domains

	*  &lt;https://urlhaus.abuse.ch/?ref=techblog.nexxwave.eu&gt;
	*  &lt;https://cert.pl/en/warning-list/&gt;
	*  &lt;https://zonefiles.io/compromised-domain-list/&gt;

Infoblox Test Domains

Domains that can be used for testing RPZ / Feed configuration.
Domain | Property | Threat Level | RPZ (Links to CSP page)
antimalware.eicar.network | MalwareC2_Generic</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:threat_insight&amp;rev=1768987027&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-01-21T09:17:07+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>threat_insight</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:threat_insight&amp;rev=1768987027&amp;do=diff</link>
        <description>Threat Insight

Page on types of Threat Insight events in cloud here.

A nice blog post on Infoblox&#039;s TI detection here.

In the cloud portal, the Exfiltration custom list will show a description that says why a domain was flagged as exfiltration. This may include</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:tide&amp;rev=1774997082&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-03-31T22:44:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>tide</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:tide&amp;rev=1774997082&amp;do=diff</link>
        <description>TIDE

TIDE is Threat Intelligence Data Exchange. It is effectively a very large Threat Database that is managed by the Infoblox Threat Intelligence Team. From its database, the Infoblox RPZ feeds are generated.

NOTE: When you add indicators via TIDE, be aware that the associated RPZ feed will filter out anything that is in Infoblox&#039;s internal Global Allow list (e.g. brave[.]com)</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:troubleshooting&amp;rev=1735313819&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-12-27T15:36:59+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>troubleshooting</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:troubleshooting&amp;rev=1735313819&amp;do=diff</link>
        <description>Infoblox Threat Defense Troubleshooting

DIG

The thing to know about BloxOne Threat Defense is that you can use DIG to get data on what is being resolved using 

dig @52.119.41.100 &lt;DOMAIN_YOU_WANT_DATA_ON&gt;.debug.infoblox.com ch txt

DOMAIN=google.com
dig @52.119.41.100 $DOMAIN.debug.infoblox.com ch txt | grep Ident | sed s/\&quot;/\\n/g | grep CAT
dig @52.119.41.100 $DOMAIN.debug.infoblox.com ch txt | grep Ident | sed s/\&quot;/\\n/g | grep APP</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:url_filtering&amp;rev=1768987093&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-01-21T09:18:13+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>url_filtering</title>
        <link>https://www.staffordnet.uk/doku.php?id=infoblox_threat_defense:url_filtering&amp;rev=1768987093&amp;do=diff</link>
        <description>Threat Defense URL Filtering

When Infoblox filters a DNS name, it returns one of the following IP addresses

52.4.105.248

3.215.231.251

35.168.95.233

When you go to this IP, you will see the Infoblox block page.

ByPasscodes will redirect users to</description>
    </item>
</rdf:RDF>
