Page tree


Starting with NIOS 7.3.200, Infoblox introduces the Infoblox Threat Intelligence Feed, a threat feed subscription for RPZ updates that offer protection against malicious hostnames. Contact your Infoblox representative for pricing and availability information.
When you upgrade from a previous NIOS release to NIOS 7.3.200 and later releases, the Infoblox RPZ feeds you configured in the previous NIOS release are migrated to the upgraded release. For information about the old RPZ feeds, refer to the NIOS 7.3.4 and earlier NIOS Administrator Guides.
You can configure the Threat Intelligence Feed and receive reputation RPZ updates on a regular basis. An RPZ feed receives response policies from the Infoblox in-house threat intelligence team, which produces reputation RPZ data and transfers the data to Grid name servers through zone transfers with or without a TSIG key. To ensure proper authentication and integrity of the RPZ feed zone transfers, using a TSIG key is recommended.


TSIG Key is used for authentication when downloading information about threat protection feeds. If you have a complex configuration, such as using standalone appliances or Grids that receive threat protection feeds from other standalone appliances or Grids and not directly from the Infoblox distribution servers, ensure that you use the same TSIG key for the RPZ feed zone transfers.

Note that the RPZ feed must have an external primary name server before you can configure it. To propagate RPZs as quickly as possible, the secondary DNS server needs an address to which the RPZ source feed can send NOTIFY messages. For example, if the secondary DNS server is configured behind a NAT, you may want to establish a one-to-one NAT for the lead secondary DNS server so it can receive NOTIFY messages from the RPZ source feed. Otherwise, the lead secondary DNS server will need to periodically poll the RPZ source feed, which could take longer than expected.


To enter IDNs (Internationalized Domain Name) in an RPZ feed, you can use the punycode representation of the IDN.

To configure the Threat Intelligence Feed:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then click the Add icon.
  2. When you click the Add icon, either the Add Response Policy Zone Wizard or the Add DNS View wizard is displayed based on the following:
    • When you click the Add icon, the Add Response Policy Zone Wizard is displayed, if you have not created additional DNS views and only have the default view.
    • If you have configured multiple DNS views, you must drill-down to the corresponding DNS_View to assign an RPZ feed. Click the Add icon and the Add Response Policy Zone Wizard is displayed. To create a new DNS view for your RPZ feed, click the Add icon and complete the details in the Add DNS View wizard. For information, see Configuration Example: Configuring a DNS View. For information on modifying an existing view, see Modifying DNS Views.
  3. In the Add Response Policy Zone Wizard, select Add Response Policy Zone Feed, click Next and specify the following:
    • Name: Enter the name of the Infoblox RPZ feed. It can be a combination of alphanumeric characters. You can enter up to 256 characters. For more information, see Infoblox Threat Intelligence Feeds.
    • DNS View: The name of the view that you have selected is displayed by default. You can select a view from the drop-down list to associate it with the RPZ feed.
    • Policy Override: Select a value from the drop-down list. You can override the policy actions that are specified in the rule level.
      • Log Only (Disabled) – Select this if you want to disable an RPZ rewrite using rules in the RPZ zone. If the response to the recursive query matches any RPZ rule, the rule is logged, but the response will not be altered. You cannot overwrite the response to the user. Note that this option will not override RPZ rules in other RPZ zones, if they take precedence.


        When you select the Log Only option, the RPZ related reports are not updated even though the information is logged to the syslog.

      • None (Given) – Select this if you want to use the policy from the rule level.
      • Block (No Data) – Select this if you want the user to receive a response that indicates that there is no data.
      • Block (No Such Domain) – Select this if you want the user to receive a NXDOMAIN as the DNS response. All the policy actions in an RPZ are replaced with a NXDOMAIN block.
      • Passthru – Select this if you want the user to see the actual response without modification. All the policy actions in an RPZ are replaced with the passthru action.
      • Substitute (Domain Name) – Select this if you want to replace all the policy actions in an RPZ with the substitution action that is specified.
        • Domain Name: This appears only when you select Substitute (Domain Name) from the Policy Override list. Enter the domain name that you want the client to receive instead of the actual domain name, which is malicious or unauthorized.
    • Severity: Select the threat severity level for the RPZ zone. The threat severity you select here determines the severity for the RPZ rule. Select Critical, Major, Warning, or Informational. The default threat severity level is Major. Note that each of these levels is represented by a number in the syslog (8 being Critical and 4 being Informational). When you upgrade to NIOS 7.0.0, the appliance automatically updates the threat severity level to Informational (displayed as 4 in the syslog) for existing RPZ zones. For information about RPZ syslog messages and severity levels, Viewing RPZ in the Syslog.
    • Comment: Optionally, enter additional information about the Infoblox RPZ feed.
    • Disable: Select the checkbox to disable the RPZ feed without deleting its configuration. Clear the checkbox to enable the RPZ feed. For information, see Enabling and Disabling Zones.  Note that disabling an RPZ feed may take a longer time to complete depending on the size of the data.
    • Lock: Select the checkbox to lock the RPZ feed so that you can make changes to it and prevent others from making conflicting changes. For information, see Locking and Unlocking RPZs.

4. Click Next to associate the RPZ feed with at least one external primary name server and a secondary name server:

    • Define name servers for the RPZ feed. An RPZ feed must have at least one RPZ source as an external primary name server and at least one Grid secondary name server. For external primary servers, specify the following:
      • Name: Enter the zone name of the primary name server.
      • Address: Enter the name server IP address provided by Infoblox for the RPZ feed.
      • Use TSIG: Select the checkbox to specify TSIG settings.
      • Key Name: Enter the TSIG Key Name provided by Infoblox.
      • Key Algorithm: Select hmac-md5.
      • Key Data: Enter the TSIG string provided by Infoblox.
        Note that either the Grid name server or the DNS view must be recursive for the RPZ feed. You can associate a lead secondary with an RPZ feed. For information on specifying primary and secondary, see Assigning Zone Authority to Name Servers. When you select All Recursive Name Servers from the list, all the recursive name servers in the Grid are added as secondary servers for the zone. For information about all recursive name servers, see Configuring RPZs for All Recursive Servers. For information on specifying name server groups, see Using Name Server Groups.

5. Save the configuration and click Next to define extensible attributes. Click Restart if it appears at the top of the screen. For information, see Managing Extensible Attributes.

Infoblox Threat Intelligence Feeds

Infoblox RPZ feeds are categorized into pure malicious feeds and combination feeds. All the feeds listed below are set to return NXDOMAIN for items in the feed. Threat data changes are pushed every 20 minutes from the DNS servers and significant changes are typically made every two hours.
The following tables list the Infoblox Threat Intelligence feeds:

Table 42.1 Pure Malicious Feeds



Base (base.rpz.infoblox.local)

Enables protection against known hostnames that are dangerous as destinations, such as APT, Bot, Compromised Host/Domains, Exploit Kits, Malicious Name Servers, and Sinkholes along with bogon IP addresses.

AntiMalware (antimalware.rpz.infoblox.local)

Enables protection against known malicious threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites.

Ransomware (ransomware.rpz.infoblox.local)

Enables protection against ransomeware that restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive, while some may simply lock the system and display messages intended to coax the user into paying. Examples include Locky, CryptoLocker, Dircrypt, and CryptoWall.

Bogon (bogon.rpz.infoblox.local)

Enables protection against bogons, which are commonly found as the source addresses of DDoS attacks. A bogon is an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space reserved, but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR). The areas of unallocated address space are called bogon space. Many ISPs and end-user firewalls filter and block bogons, because they have no legitimate use, and usually are the result of accidental or malicious misconfiguration.


Enables protection against known malicious or compromised IP addresses. These are known to host threats that can take action on or control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites.

Bot_IP (bot-ip.rpz.infoblox.local)

Enables protection against self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet." With a botnet, attackers can launch broad-based,
"remote-control," flood-type attacks against their target(s). Bots can also log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host.


Enables protection against distributable packs that contains malicious programs that are used to execute "drive-by download" attacks in order to infect users with malware. These exploit kits target vulnerabilities in the users' machines (usually due to unpatched versions of Java, Adobe Reader, Adobe Flash, Internet Explorer, …) to load malware onto the victim's computer.


Domain generation algorithm (DGA) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers. Examples include Ramnit, Conficker, and Banjori.


Tor Exit Nodes are the gateways where encrypted Tor traffic hits the Internet. This means an exit node can be used to monitor Tor traffic (after it leaves the onion network). It is in the design of the Tor network that locating the source of that traffic through the network should be difficult to determine

(multi-domain.surbl.rpz.infoblox.loc al)

Blacklist of Malicious Domains including up-to-date intel on active malware, phishing, botnet, and spam domains. Based on data provided by our partner SURBL.

(fresh-domain.surbl.rpz.infoblox.loca l)

Newly Observed Domains. SURBL Fresh feed provides critical, accurate, information on the time new domains are placed into service. Security policy can be easily applied (block, quarantine, walled garden, etc.) to prevent resolution of new domains, based on the user's defined policies. Based on data provided by our partner SURBL.