...

  • When you enable Infoblox DNS Firewall, DNS performance is affected for all queries, recursive and authoritative alike.
  • For performance reasons, Infoblox recommends that you keep the number of RPZs reasonable.
  • Do not enable RPZ at multiple layers, such as on both the DNS servers that face clients and the forwarders they use.
  • If you have multiple DNS servers in a Grid, configure RPZs on the recursive server closest to your DNS clients. If you configure RPZs on second-level DNS caching servers, you cannot identify the DNS clients, because only the IP addresses of the forwarding name servers are visible in the logs.
  • Infoblox recommends that you preview your RPZ rules to ensure ruleset integrity and avoid unexpected results. To preview rules, select Log Only (Disabled) as the Policy Override for an RPZ, RPZ feed, or FireEye integrated RPZ. For configuration details, see Configuring Local RPZs and About FireEye Integrated RPZs.
  • The appliance logs every matching rule, including rules in Log Only (Disabled) mode, for all queries to the syslog, so you can review the syslog to confirm that the rules behave as intended before they take effect. To log these events, enable the rpz category under Logging Category in the Grid DNS Properties editor. For information about setting logging categories, see Setting DNS Logging Categories.
  • You can use the standard TSIG mechanism to ensure that feed zones are transferred from the correct servers. Grid members can function as either primary or secondary servers for an RPZ. As with hosting any zone as a secondary, ensure that the appliance is sized to hold the zone contents in memory.
  • You can export and import local RPZs using the CSV export and import feature; FireEye integrated RPZs cannot be imported or exported this way.
  • Note that the NIOS blacklist and NXDOMAIN features take precedence over RPZs.
  • To use DNS NOTIFY messages to trigger zone transfers of the feed zone, port 53 on the lead secondary must be open to receive them. Otherwise, the zone refreshes according to the refresh interval in its SOA record.
  • The name of a zone assigned to an RPZ member must not exceed 241 characters; a zone whose name exceeds this limit fails to load.
  • For RPZs that contain IP rules, RPZ query name recursion always takes place, regardless of other settings such as the Enable RPZ query name recursion (qname-wait-recurse) check box. Recursion occurs for the first RPZ that contains IP rules, because the IP addresses in the answer are needed to evaluate those rules. Consequently, if you use RPZs to block data exfiltration through DNS, where the recursive lookup itself is what carries the data out, place those RPZs before any RPZ that contains IP rules. That is, RPZs with IP rules must be last in the RPZ order.
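
The Log Only preview and the syslog review described above can be checked from the log itself rather than by eye. The following is an added example, not NIOS code or an Infoblox-provided tool: it parses RPZ rewrite lines from syslog, separates enforced hits from Log Only ("disabled") hits so a ruleset can be previewed before it takes effect, attributes each hit to the RPZ it came from, and reports whether hits are attributed to real clients or only to forwarder addresses (the second-level caching caveat above). The sample lines are constructed; they follow the BIND 9 rpz rewrite log format, on which NIOS DNS is based, but the exact syslog prefix and field order on a real appliance are an assumption and the regular expression may need adjusting to your logs.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample syslog lines (not captured from a real appliance). The
# message body follows BIND 9's RPZ rewrite log format:
#   "rpz <trigger> <policy> rewrite <qname> via <rule owner>",
# prefixed with "disabled " when the RPZ's policy override is Log Only.
# The hostname/process prefix is an assumption about NIOS syslog output.
SAMPLE_SYSLOG = """\
Mar  3 10:01:02 nios-member1 named[1234]: client 10.10.1.25#51234 (evil.example.net): rpz QNAME NXDOMAIN rewrite evil.example.net via evil.example.net.rpz.local
Mar  3 10:01:03 nios-member1 named[1234]: client 10.10.1.26#40211 (cdn.example.org): disabled rpz QNAME PASSTHRU rewrite cdn.example.org via cdn.example.org.rpz.feed.example
Mar  3 10:01:04 nios-member1 named[1234]: client 10.10.1.25#51240 (payroll.example.com): rpz IP CNAME rewrite payroll.example.com via 32.7.0.0.203.rpz-ip.rpz.local
Mar  3 10:01:05 nios-member1 named[1234]: client 10.10.1.27#33021 (exfil.example.net): disabled rpz QNAME NXDOMAIN rewrite exfil.example.net via *.example.net.rpz.local
Mar  3 10:01:06 nios-member1 named[1234]: client 10.10.1.25#51250 (www.example.com): query: www.example.com IN A + (10.10.1.1)
"""

# Names of the RPZs configured on the Grid (hypothetical). Rule owner names in
# the log end with the RPZ they belong to, so the zone is the longest known suffix.
KNOWN_RPZ_ZONES = ["rpz.local", "rpz.feed.example"]

# BIND optionally logs a client handle ("@0x...") before the client address.
RPZ_REWRITE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"(?P<disabled>disabled )?rpz (?P<trigger>[A-Z-]+) (?P<policy>[A-Z-]+) rewrite "
    r"(?P<rewritten>\S+) via (?P<rule>\S+)"
)


@dataclass(frozen=True)
class RpzHit:
    client: str    # source address as seen by the RPZ-enabled server
    qname: str     # name the client asked for
    trigger: str   # QNAME, IP, NSDNAME, NSIP, CLIENT-IP
    policy: str    # NXDOMAIN, NODATA, PASSTHRU, CNAME (substitute), DROP, ...
    rule: str      # owner name of the RPZ record that matched
    zone: str      # RPZ the rule lives in, resolved against KNOWN_RPZ_ZONES
    enforced: bool # False when the RPZ is in Log Only (Disabled) mode


def rpz_zone_of(rule: str, known_zones) -> str:
    """Return the longest configured RPZ name that the rule owner falls under."""
    owner = rule.rstrip(".")
    matches = [z for z in known_zones if owner == z or owner.endswith("." + z)]
    return max(matches, key=len) if matches else "(unknown)"


def parse_rpz_hits(syslog_text: str, known_zones) -> list:
    """Extract RPZ rewrite events; ordinary query log lines are ignored."""
    hits = []
    for line in syslog_text.splitlines():
        m = RPZ_REWRITE.search(line)
        if not m:
            continue
        hits.append(RpzHit(
            client=m["client"], qname=m["qname"], trigger=m["trigger"],
            policy=m["policy"], rule=m["rule"],
            zone=rpz_zone_of(m["rule"], known_zones),
            enforced=m["disabled"] is None,
        ))
    return hits


def summarize(hits) -> dict:
    """Counts a reviewer wants before flipping a Log Only RPZ to enforcing."""
    return {
        "enforced": sum(h.enforced for h in hits),
        "log_only": sum(not h.enforced for h in hits),
        "by_client": dict(Counter(h.client for h in hits)),
        "by_zone": dict(Counter(h.zone for h in hits)),
        "by_policy": dict(Counter(h.policy for h in hits)),
    }


def log_only_would_block(hits) -> list:
    """Log Only hits that would have altered the answer once enforced.

    PASSTHRU hits are excluded: they would be logged but answered normally."""
    return [h for h in hits if not h.enforced and h.policy != "PASSTHRU"]


def only_forwarder_clients(hits, forwarder_ips) -> bool:
    """True when every hit is attributed to a forwarder address, which is the
    symptom of RPZ being applied on a second-level cache instead of the
    recursive server closest to the clients."""
    return bool(hits) and all(h.client in forwarder_ips for h in hits)


if __name__ == "__main__":
    hits = parse_rpz_hits(SAMPLE_SYSLOG, KNOWN_RPZ_ZONES)
    print(summarize(hits))
    for h in log_only_would_block(hits):
        print(f"would block: {h.client} {h.qname} -> {h.policy} via {h.zone}")
    print("forwarder-only attribution:", only_forwarder_clients(hits, {"10.10.1.1"}))
```

Run this against a syslog export with the rpz logging category enabled while the RPZ is still in Log Only (Disabled) mode; the `would block` lines are the changes users would experience on enforcement, and a `by_client` breakdown that collapses to one or two forwarder addresses means the RPZ is on the wrong layer.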

Best Practices For FireEye Integrated RPZs

...