Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
650
Views
4
Helpful
9
Replies

FTD Security Intelligence Custom Feed Query

NGJ
Level 1
Level 1

‎01-19-2024 04:40 AM

Hi, I have inherited a system consisting of FTDs managed by an FMC.

I have a query regarding the custom Network and DNS lists within Security Intelligence, as my understanding seems to differ from what was inherited.

To block IPs the instructions given were to add to an existing txt file (Say Network_Block & DNS_Block) and upload the Network_Block to our Network custom list & the DNS_Block to our DNS custom list.  Both lists contain only IPs, and they are the exact same IPs.  Additionally, any subnets that are required to be blocked, just to add to the Network list.  There are  approx 4000 IPs in each list

The custom DNS list is attached to the DNS profile correctly.

I have verified when an IP is blocked, it is because it matched the Network_block list.  I tested adding an IP to just the DNS list, and this wasn't blocked.  In fact, our logs show any DNS block is because it matched a Cisco Talos feed, and I can't see a single event against our custom DNS list over past few weeks logs.

So, as per my understanding, the DNS list is used only for domain names?

Is there any reason why IPs would, or should be added to the DNS list?  From what I can see is there is no impact if IPs are there.

Any feedback with this query would be appreciated.

Many thanks

0 Helpful
9 Replies 9

MHM Cisco World
VIP
VIP

‎01-19-2024 05:02 AM - edited ‎01-19-2024 07:43 AM

DNS list Domain

IP block list only IP

The DNS must work fine if there is no cache in client' if there is then DNS list can not drop traffic to this IP and hence you need IP to IP (network) list.

Screenshot (92).png

MHM

0 Helpful

NGJ
Level 1
Level 1
In response to MHM Cisco World

‎01-19-2024 06:31 AM

Hi, thanks for the reply.  

If the DNS list can also contain IP addresses - I assume there is no point adding them if I already have them in the Network list? as they are going to be blocked there anyway?

MHM Cisco World
VIP
VIP
In response to NGJ

‎01-19-2024 06:42 AM - edited ‎01-19-2024 07:44 AM

You are correct we can use domain no IP nor URL in DNS list. 
so only network list work here not DNS list

MHM

0 Helpful

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎01-19-2024 07:37 AM

OOO.PNG

the client ask the DNS about the IP of URL <- here we use DNS policy which come first in flow traffic 
then the client use this IP to connect <- we can use network to block access to that IP (IP resolve by DNS)
MHM 

0 Helpful

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎01-19-2024 07:57 AM

I miss reading your reply even so I share doc. mention the DNS inspect domain only 
sorry 
have a nice weekend 
MHM

0 Helpful

tvotna
Spotlight
Spotlight

‎01-19-2024 07:16 AM

Of course, DNS block list blocks by domain name and not by IP. What @MHM Cisco World is saying below is not correct.

 

MHM Cisco World
VIP
VIP

‎01-19-2024 08:00 AM

Is there any reason why IPs would, or should be added to the DNS list?  From what I can see is there is no impact if IPs are there.<<- Can you  more elaborate this point please, maybe it key factor here 
thanks 
MHM

0 Helpful

NGJ
Level 1
Level 1

‎01-19-2024 09:05 AM

Thanks all.  So IPs are not required in DNS list. Thats just for domain names.  IPs just need to be added in network list.  Thanks for confirming

MHM Cisco World
VIP
VIP
In response to NGJ

‎01-19-2024 09:09 AM

Let me more check this point.

When add DNS and depoly and FMC accpet list (contain IP) here we need to stop and check this point.

Update you soon 

Thanks 

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card