
DNS malicious traffic bypassing RPZ feed

Posts: 3

I am getting the following report from my ISP showing that I have some malicious DNS traffic (Virus category) between Infoblox and one of my servers:

DNS: Suspicious DNS Lookup NOERROR Response (DGA - Simda.C)

DGA: is a botnet that generates a lot of NXDomains, and Simda.C is a Win32 trojan.

I have a concern: first, why did this kind of malicious traffic bypass my Infoblox DNS firewall (RPZ)?

How can we stop this kind of malicious DNS traffic?

Re: DNS malicious traffic bypassing RPZ feed

spenumaka (Community Manager)
Posts: 60

Hi,

Please open a ticket on this so that our support team can look at your specific context.

https://support.infoblox.com/app/ask


Regards,

--------------------------------------
Check out our new Tech docs website for latest documentation on Infoblox products.

Re: DNS malicious traffic bypassing RPZ feed

Posts: 3

Hi Spenumaka,


It seemed that my customer has only the standard ActiveTrust solution, which contains the four basic feeds. I thought that one of these four feeds, antimalware.rpz.infoblox.local, would be able to stop the DGA traffic, but thanks to Infoblox support they showed me that there are more feeds/features within ActiveTrust Plus/Advanced which mitigate against DGA. One dedicated feed, named malware-dga.rpz.infoblox.local, can protect my customer, so I will try to position AT Plus or Advanced.
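The two posts above (the original report of DGA lookups slipping past RPZ, and the reply explaining that the standard feeds did not contain the DGA-specific list) describe the same defender-side problem: an RPZ feed can only block names it already knows, while a DGA mints new names every day. The following Python script is an added example, not code from this thread or from Infoblox. It assumes a hypothetical RPZ zone fragment with made-up names, a constructed, simplified resolver log format (timestamp, client, qname, rcode; not BIND's or NIOS's real log layout), and heuristic thresholds chosen for illustration. It shows that a name listed in the feed is blocked while novel DGA-style names sail through, and then applies the NXDOMAIN-burst plus random-label heuristic that RPZ alone cannot provide.

```python
"""Added example: why a static RPZ feed misses DGA names, and a simple
resolver-log heuristic for spotting DGA-like activity per client."""
import math
import re
from collections import Counter, defaultdict

# Constructed RPZ zone fragment. "CNAME ." is the RPZ action that returns
# NXDOMAIN. The owner names are hypothetical, not from any real feed.
RPZ_ZONE = """
; hypothetical feed entries
known-bad.example.      CNAME .
*.known-bad.example.    CNAME .
"""

# Constructed resolver log in a simplified format (not a real BIND/NIOS
# layout): <timestamp> <client> <qname> <rcode>.
LOG_LINES = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-01-01T10:00:02 10.0.0.5 known-bad.example NXDOMAIN
2024-01-01T10:00:03 10.0.0.7 qzkxwvrpgtm.net NXDOMAIN
2024-01-01T10:00:03 10.0.0.7 bhtrkwpxzqf.net NXDOMAIN
2024-01-01T10:00:04 10.0.0.7 vmxzqtplrkd.net NXDOMAIN
2024-01-01T10:00:04 10.0.0.7 xkqprtzwbnv.net NOERROR
2024-01-01T10:00:05 10.0.0.9 mail.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


def load_rpz(zone_text):
    """Parse RPZ owner names into exact-match and wildcard sets."""
    exact, wildcard = set(), set()
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner = line.split()[0].rstrip(".").lower()
        if owner.startswith("*."):
            wildcard.add(owner[2:])
        else:
            exact.add(owner)
    return exact, wildcard


def rpz_blocks(qname, rpz):
    """True if the feed lists the name exactly or via a wildcard parent."""
    exact, wildcard = rpz
    name = qname.rstrip(".").lower()
    if name in exact:
        return True
    labels = name.split(".")
    return any(".".join(labels[i:]) in wildcard for i in range(1, len(labels)))


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(qname):
    """Heuristic: long, high-entropy, vowel-poor second-level label.

    Thresholds are illustrative assumptions; tune them on real traffic."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    vowels = sum(ch in "aeiou" for ch in sld)
    return len(sld) >= 10 and shannon_entropy(sld) >= 3.0 and vowels / len(sld) < 0.3


def analyse(log_text, rpz):
    """Per-client counts of NXDOMAIN answers, RPZ hits and DGA-like names."""
    per_client = defaultdict(lambda: {"nxdomain": 0, "dga_like": [], "rpz_hits": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        _, client, qname, rcode = m.groups()
        rec = per_client[client]
        if rpz_blocks(qname, rpz):
            rec["rpz_hits"].append(qname)
        if rcode == "NXDOMAIN":
            rec["nxdomain"] += 1
        if looks_dga(qname):
            rec["dga_like"].append(qname)
    return dict(per_client)


def suspects(summary, threshold=3):
    """Clients with both an NXDOMAIN burst and several DGA-like names."""
    return sorted(c for c, r in summary.items()
                  if r["nxdomain"] >= threshold and len(r["dga_like"]) >= threshold)


if __name__ == "__main__":
    report = analyse(LOG_LINES, load_rpz(RPZ_ZONE))
    for client, rec in report.items():
        print(client, rec)
    print("suspects:", suspects(report))
```

Note that the listed name is caught by the feed while every DGA-style name passes `rpz_blocks`, which is the gap the dedicated DGA feed is meant to close; the entropy and NXDOMAIN-rate heuristic is a complementary detection for the names no feed has seen yet, not a replacement for it, and its thresholds will need tuning against legitimate long labels (CDN hostnames, hashed subdomains) in real traffic.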


Re: DNS malicious traffic bypassing RPZ feed

spenumaka (Community Manager)
Posts: 60

Awesome. Great to hear the update.

-Srinivas


Re: DNS malicious traffic bypassing RPZ feed

skumarsamy (Techie)
Posts: 4

Great recommendation. ActiveTrust Plus provides 7 additional RPZ threat feeds compared to AT Standard.
