Why does Cisco Umbrella not block (SOA, NS, MX) queries/records?

Hello Everybody,

During my use of Umbrella, which I use to study the traffic of my customers, I was faced with the following information: Cisco does not block (NS, SOA, MX) records/queries, even though the algorithm considers the domains 100% (score) malicious. I just received the following answer.

"It is a decision that our development and engineering teams made on how to best protect clients and still allow functionality while maximizing security. If you would like, I can submit a feature request for them to consider adding the ability to block those types of records?"

So they went ahead and opened this "Feature Request", but I didn't receive anything with which I could follow up. I believe they put it on the roadmap, but I can't guarantee it, since they closed the ticket right away after I said yes to opening the "Feature Request". So in the end, who knows if it is true?

So I keep wondering, why not block everything related to a malicious domain? Even though it is considered 100% malicious, they still have access to the supposed "infected machines", which still consult these domains through (NS, MX, SOA).

Here are some examples of phishing sites that are still permitted inside the infrastructure:

gmaol.com
ggmail.com
gmai.com
gmial.com
outlook.om
gmial.com

I have observed more than hundreds in this same situation.

Best Regards

2 Replies

Nicole3219
Level 1

It seems that I have a similar query; did you get the solution for this?

Esha Goyal
Cisco Employee

Hello,

Please reach out to the Cisco Umbrella Team with your case/ticket number for the status of the feature request. However, I can confirm that Cisco Umbrella blocks A, AAAA, ANY, CNAME, PTR, SRV, PRIVATE, SPF/DNS, NULL, SIG, and TXT records, so queries for other record types (MX, SOA, and NS) will be allowed, even though the category is blocked. However, requests for MX records of domains that have been categorized as "DNS Tunneling VPN" will be refused.

And if required, please reach out to Cisco Talos for the domain review and explain to them the record issue of those domains. For this you can submit a ticket in the Talos portal here: https://talosintelligence.com/reputation_center/support#reputation_center_support_ticket
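The record-type behaviour described in the reply above, modelled as a small defender-side check (an added example, not Cisco's code or anything from this thread): one function encodes which query types would be refused for a blocked category, and a second scans constructed DNS log lines to surface internal hosts that still reach a blocked domain via the pass-through types (MX, NS, SOA). The CSV column layout, the log lines and the client IPs are constructed assumptions; the domains are the ones listed in the original post.

```python
"""Model Umbrella's stated per-record-type behaviour and find hosts that still
query blocked domains through record types that are let through."""
import csv
import io

# Record types the reply says Umbrella refuses for a blocked category.
# The reply writes "SPF/DNS"; it is represented here as "SPF".
BLOCKED_QTYPES = {"A", "AAAA", "ANY", "CNAME", "PTR", "SRV", "PRIVATE",
                  "SPF", "NULL", "SIG", "TXT"}
# Record types the reply says are allowed even when the category is blocked.
PASSTHROUGH_QTYPES = {"MX", "SOA", "NS"}


def umbrella_blocks(qtype: str, category_blocked: bool, categories: set) -> bool:
    """Return True if, per the reply, the query would be refused.
    MX is the one stated exception: refused for 'DNS Tunneling VPN' domains."""
    qtype = qtype.upper()
    if qtype == "MX" and "DNS Tunneling VPN" in categories:
        return True
    return category_blocked and qtype in BLOCKED_QTYPES


def find_passthrough_queries(log_text: str, blocked_domains: set) -> list:
    """Parse constructed CSV lines (timestamp,client_ip,domain,qtype,action) and
    return queries that hit a blocked domain via a pass-through record type.
    These are the hosts a SOC should look at: the A/AAAA lookup was blocked,
    but the same client still resolved MX/NS/SOA for the malicious domain."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        domain = row["domain"].rstrip(".").lower()
        if domain in blocked_domains and row["qtype"].upper() in PASSTHROUGH_QTYPES:
            hits.append({"client": row["client_ip"], "domain": domain,
                         "qtype": row["qtype"].upper()})
    return hits


# Constructed sample: domains from the post, log lines and IPs are made up.
BLOCKED_DOMAINS = {"gmaol.com", "ggmail.com", "gmai.com", "gmial.com", "outlook.om"}
SAMPLE_LOG = """timestamp,client_ip,domain,qtype,action
2024-01-01T10:00:00Z,10.0.0.5,gmaol.com,A,Blocked
2024-01-01T10:00:01Z,10.0.0.5,gmaol.com,MX,Allowed
2024-01-01T10:00:02Z,10.0.0.9,gmial.com,NS,Allowed
2024-01-01T10:00:03Z,10.0.0.9,example.com,MX,Allowed
2024-01-01T10:00:04Z,10.0.0.7,outlook.om,SOA,Allowed
"""

if __name__ == "__main__":
    for h in find_passthrough_queries(SAMPLE_LOG, BLOCKED_DOMAINS):
        print(f"{h['client']} queried {h['qtype']} for blocked domain {h['domain']}")
```

Feeding real Umbrella DNS log exports into `find_passthrough_queries` only requires mapping their column names onto the constructed ones.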
