07-14-2021 12:04 PM
Hello Everybody,
During my use of Umbrella, which I use to study the traffic of my customers, I was faced with the following information: Cisco does not block (NS, SOA, MX) records/queries, even though the algorithm considers the domains 100% (score) malicious. I just received the following answer.
"It is a decision that our development and engineering teams made on how to best protect clients and still allow functionality while maximizing security. If you would like, I can submit a feature request for them to consider adding the ability to block those types of records if you would like?"
So they went on ahead and opened this "Feature Request", but I didn't receive anything with which I could follow up. I believe they put it on the roadmap, but I can't guarantee it, since they closed the ticket right away after I said yes to the opening of the "Feature Request". So in the end, who knows if it is true?
So I keep wondering, why not block everything related to a malicious domain? Even though they are considered 100% malicious, they still have access to the supposed "Infected Machines", which still consult these domains through (NS, MX, SOA).
Following are some examples of phishing sites that are still permitted inside the infrastructure:
gmaol.com
ggmail.com
gmai.com
gmial.com
outlook.om
gmial.com
I have observed hundreds more in this same situation.
Best Regards
08-06-2021 02:51 AM
02-10-2022 12:04 PM
Hello,
Please reach out to the Cisco Umbrella team with your case/ticket number for the status of the feature request. However, I can confirm that Cisco Umbrella blocks A, AAAA, ANY, CNAME, PTR, SRV, PRIVATE, SPF/DNS, NULL, SIG, and TXT records, so queries for other record types (MX, SOA, and NS) will be allowed, even though the category is blocked. However, requests for MX records of domains that have been categorized as "DNS Tunneling VPN" will be refused.
And if required, please reach out to Cisco Talos for the domain review and explain to them the record issue of those domains. For this you can submit a ticket in the Talos portal here: https://talosintelligence.com/reputation_center/support#reputation_center_support_ticket
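Because the reply above states that MX, SOA and NS queries pass through even for a blocked category (with the one exception of MX lookups on "DNS Tunneling VPN" domains), a defender who wants visibility into the gap the original poster describes has to get it from resolver logs rather than from the block policy. The following script is an added example, not code from Cisco or from anyone in this thread: it encodes the record-type behaviour exactly as described in the reply, parses a small constructed query log, and reports every query that reached a blocked domain through a pass-through record type, grouped by client. The log format, the `.test` domain names and the blocklist are all constructed placeholders, not Umbrella's real log schema or the poster's real domains.

```python
import re
from dataclasses import dataclass

# Record types the reply in this thread says Umbrella enforces a block on,
# and the ones it says are allowed through even when the category is blocked.
ENFORCED_QTYPES = {"A", "AAAA", "ANY", "CNAME", "PTR", "SRV", "NULL", "SIG", "TXT", "SPF"}
PASSTHROUGH_QTYPES = {"MX", "SOA", "NS"}

# Constructed blocklists (hypothetical .test names standing in for the
# lookalike domains the original poster observed).
BLOCKED_DOMAINS = {"gmaol-lookalike.test", "0utlook-lookalike.test"}
# Domains in the "DNS Tunneling VPN" category, for which the reply says MX is refused.
TUNNELING_DOMAINS = {"tunnel-lookalike.test"}


@dataclass
class QueryEvent:
    ts: str
    client: str
    qname: str
    qtype: str


# Constructed log line shape: "<timestamp> client=<ip> qname=<name> qtype=<type>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return QueryEvent(m["ts"], m["client"], m["qname"].rstrip(".").lower(), m["qtype"].upper())


def expected_verdict(qname, qtype):
    """Model of the record-type behaviour described in the reply above."""
    if qname in TUNNELING_DOMAINS and qtype == "MX":
        return "blocked"
    if qname in BLOCKED_DOMAINS or qname in TUNNELING_DOMAINS:
        if qtype in ENFORCED_QTYPES:
            return "blocked"
        if qtype in PASSTHROUGH_QTYPES:
            return "allowed"
    return "allowed"


def find_passthrough_queries(lines):
    """Return events where a blocked domain was reached via a record type that passes through."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        is_blocked_domain = ev.qname in BLOCKED_DOMAINS or ev.qname in TUNNELING_DOMAINS
        if is_blocked_domain and expected_verdict(ev.qname, ev.qtype) == "allowed":
            hits.append(ev)
    return hits


def clients_touching_blocked(lines):
    """Map each client to the set of blocked domains it reached through pass-through queries."""
    summary = {}
    for ev in find_passthrough_queries(lines):
        summary.setdefault(ev.client, set()).add(ev.qname)
    return summary


# Constructed sample log: one enforced A query, several pass-through queries,
# one refused tunneling MX query, one benign MX query and one malformed line.
SAMPLE_LOG = [
    "2021-07-14T12:00:01Z client=10.0.0.5 qname=gmaol-lookalike.test. qtype=A",
    "2021-07-14T12:00:02Z client=10.0.0.5 qname=gmaol-lookalike.test. qtype=MX",
    "2021-07-14T12:00:03Z client=10.0.0.7 qname=0utlook-lookalike.test. qtype=NS",
    "2021-07-14T12:00:04Z client=10.0.0.7 qname=example.test. qtype=MX",
    "2021-07-14T12:00:05Z client=10.0.0.9 qname=tunnel-lookalike.test. qtype=MX",
    "2021-07-14T12:00:06Z client=10.0.0.9 qname=tunnel-lookalike.test. qtype=SOA",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for ev in find_passthrough_queries(SAMPLE_LOG):
        print(f"{ev.ts} {ev.client} reached blocked domain {ev.qname} via {ev.qtype}")
    print(clients_touching_blocked(SAMPLE_LOG))
```

The per-client summary is the part worth feeding into triage: a host that repeatedly issues MX, NS or SOA lookups for domains already categorised as malicious is behaving the way the original poster worried about, and this script surfaces it from the log even though the resolver returned an answer.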
05-23-2024 11:03 PM - edited 05-24-2024 10:04 PM
Cisco Umbrella primarily focuses on blocking malicious or unwanted domain names rather than specific DNS record types like SOA, NS, or MX records. Blocking these record types could potentially interfere with legitimate DNS operations and may not align with the primary functionality of DNS security solutions. Cisco Umbrella evaluates the reputation of domain names to determine whether they are malicious or safe based on threat intelligence and machine learning algorithms. While Cisco Umbrella may offer some configurability, blocking specific DNS record types is not a common use case. Organizations should complement Cisco Umbrella with other security measures to ensure comprehensive protection against DNS-related threats.