topic Re: Firepower DNS Policy - Would like a known bad name to use as a check its working in Network Security

Firepower DNS Policy - Would like a known bad name to use as a check its working

evan.chadwick1 — Fri, 21 Feb 2020 15:26:27 GMT

Hi,

I'd love to some known bad names that should trigger a blacklist event for DNS policy within Security Intelligence.

Can anyone provide this? I just need a couple for testing post roll out.

(i know i can source some on the internet reports, but would like some Cisco provided ones.

Re: Firepower DNS Policy - Would like a known bad name to use as a check its working

argrullo — Mon, 26 Feb 2018 13:02:01 GMT

Hello Evan,

To you can try some of the following sites from the DNS Malware object.

bollyrulez.tv
static.tvlive32.com
www.desirulez.net
provalist.info
xn--80acvhc3abphaf7h.xn--p1ai
iqoption.ink
redirect.libertex.tech
thumbsnap.com
ressandy-actorsion.com
cowledges.com
acaraapa.com
referencebrain.com

Re: Firepower DNS Policy - Would like a known bad name to use as a check its working

evan.chadwick1 — Mon, 26 Feb 2018 14:05:26 GMT

Thanks.

just saw this post as I ended up using, which at the time of posting triggers a dns policy block

(got it from http://mirror1.malwaredomains.com/files/domains.txt)

acasadibarbara.it.

Re: Firepower DNS Policy - Would like a known bad name to use as a check its working

evan.chadwick1 — Mon, 26 Feb 2018 15:09:00 GMT

for teh record i tried a couple from your post and they did't trigger my dns policy.

this site was 100% with 3 tests of different names.

https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist

Re: Firepower DNS Policy - Would like a known bad name to use as a check its working

argrullo — Mon, 26 Feb 2018 16:00:10 GMT

Which ones did not work for you?

Re: Firepower DNS Policy - Would like a known bad name to use as a check its working

evan.chadwick1 — Tue, 27 Feb 2018 01:08:21 GMT

Hi,

it was 2am, so I have to recall, i think i tried these two

bollyrulez.tv
static.tvlive32.com

I had all blacklist options selected in my Dns policy.

I tried 2 from the link i posted and both worked.

It would be great if Cisco created a couple of names that were just for testing certain categories, ie

ciscofakemalwarename.com

ciscofakephishingname.com

etc

Re: Firepower DNS Policy - Would like a known bad name to use as a check its working

argrullo — Tue, 27 Feb 2018 14:11:48 GMT

Hello Evan,

I tried the ones you mentioned and they worked on my environment. Please see the attached files for screenshots.

I know it can be frustrating when something does not seem to work. Realistically the DNS names you are seeing, are part of a Security Intelligence feed.

You are able to create your own DNS list and put any DNS request in it, then add that object to the DNS Policy.

You can go to Objects > Security Intelligence > DNS Lists and Feeds > Add DNS Lists and Feeds.

Here you can upload a file with dns request you would like to block.

Then add that newly created object to your DNS Policy.

Re: Firepower DNS Policy - Would like a known bad name to use as a check its working

evan.chadwick1 — Tue, 27 Feb 2018 20:30:39 GMT

Thanks for persisting.

I'll try the names again, as it was late, and confirm if they get caught or not.

I have uploaded my own list, and I suppose this is a good idea to confirm if things are working, the ultimate would be if I knew it was from a dynamic Cisco feed, i'll get back to you.

Evan