FTD Security Intelligence Custom Feed Query

NGJ
Level 1

Hi, I have inherited a system consisting of FTDs managed by an FMC.

I have a query regarding the custom Network and DNS lists within Security Intelligence, as my understanding seems to differ from what was inherited.

To block IPs, the instructions given were to add to an existing txt file (say Network_Block and DNS_Block) and upload Network_Block to our Network custom list and DNS_Block to our DNS custom list. Both lists contain only IPs, and they are the exact same IPs. Additionally, any subnets that are required to be blocked are just added to the Network list. There are approx. 4000 IPs in each list.

The custom DNS list is attached to the DNS profile correctly.

I have verified that when an IP is blocked, it is because it matched the Network_Block list. I tested adding an IP to just the DNS list, and this wasn't blocked. In fact, our logs show that any DNS block is because it matched a Cisco Talos feed, and I can't see a single event against our custom DNS list in the past few weeks' logs.

So, as per my understanding, the DNS list is used only for domain names?

Is there any reason why IPs would, or should, be added to the DNS list? From what I can see, there is no impact if IPs are there.

Any feedback with this query would be appreciated.

Many thanks

9 Replies

DNS list: domain

IP block list: only IPs

DNS must work fine if there is no cache in the client; if there is, then the DNS list cannot drop traffic to this IP, and hence you need the IP (network) list.


MHM

Hi, thanks for the reply.

If the DNS list can also contain IP addresses, I assume there is no point adding them if I already have them in the Network list, as they are going to be blocked there anyway?

You are correct: we can use a domain, not an IP or a URL, in the DNS list.
So only the network list works here, not the DNS list.

MHM


The client asks DNS for the IP of the URL <- here we use the DNS policy, which comes first in the traffic flow.
Then the client uses this IP to connect <- we can use the network list to block access to that IP (the IP resolved by DNS).
MHM
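The two match points described above (the DNS query name against the DNS list first, then the resolved IP against the network list), together with the original poster's procedure of uploading the same IP-only text file to both custom lists, as an added example that is not part of the original posts or of Cisco's FMC/FTD code. The script below audits the two files, flags IP entries in the DNS list as entries that can never match a query name, and simulates both lookups. File contents are constructed samples; the function names are hypothetical, and the subdomain-matching rule in dns_list_blocks is an assumption of this model rather than verified FTD behaviour.

```python
import ipaddress
import re

# Constructed sample contents of the two uploaded files (not the poster's real lists).
NETWORK_BLOCK = """\
# Network_Block: one IP or CIDR per line
192.0.2.10
198.51.100.0/24
2001:db8::1
"""

DNS_BLOCK = """\
# DNS_Block: should hold domain names; the IP lines below can never match a query name
192.0.2.10
198.51.100.77
malicious.example
"""

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(entry):
    """Return 'network' for an IP or CIDR, 'domain' for a hostname, else 'invalid'."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return "network"
    except ValueError:
        pass
    labels = entry.rstrip(".").split(".")
    if len(labels) >= 2 and not labels[-1].isdigit() and all(_LABEL.match(l) for l in labels):
        return "domain"
    return "invalid"


def parse_list(text):
    """Return the non-empty, non-comment lines of a list file, stripped."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")]


def audit(network_text, dns_text):
    """Classify every entry of both files; 'dns_ip_noop' holds IPs that were put in the DNS list."""
    report = {"network_ok": [], "network_bad": [], "dns_ok": [], "dns_ip_noop": [], "dns_bad": []}
    for e in parse_list(network_text):
        (report["network_ok"] if classify(e) == "network" else report["network_bad"]).append(e)
    for e in parse_list(dns_text):
        kind = classify(e)
        if kind == "domain":
            report["dns_ok"].append(e)
        elif kind == "network":
            report["dns_ip_noop"].append(e)   # an IP in a DNS list matches no query name
        else:
            report["dns_bad"].append(e)
    return report


def network_list_blocks(ip, network_text):
    """Second match point: is the connection's destination IP covered by the network list?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False)
               for e in parse_list(network_text) if classify(e) == "network")


def dns_list_blocks(qname, dns_text):
    """First match point: does the DNS query name hit a domain entry in the DNS list?

    Assumption: an entry also covers its subdomains. IP entries are skipped because
    a query name is never compared against them.
    """
    q = qname.rstrip(".").lower()
    for e in parse_list(dns_text):
        if classify(e) != "domain":
            continue
        d = e.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


if __name__ == "__main__":
    rep = audit(NETWORK_BLOCK, DNS_BLOCK)
    print("IPs sitting uselessly in the DNS list:", rep["dns_ip_noop"])
    print("DNS policy blocks www.malicious.example:", dns_list_blocks("www.malicious.example", DNS_BLOCK))
    print("DNS list blocks query for 192.0.2.10:", dns_list_blocks("192.0.2.10", DNS_BLOCK))
    print("Network list blocks 198.51.100.77:", network_list_blocks("198.51.100.77", NETWORK_BLOCK))
```

Running the audit before each upload is a cheap way to keep the two files honest: anything that lands in dns_ip_noop belongs in Network_Block only, and anything in network_bad or dns_bad is a typo that FMC may accept silently.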

I missed reading your reply, even though the doc I shared mentions that DNS inspects domains only.
Sorry.
Have a nice weekend.
MHM

tvotna
Spotlight

Of course, DNS block list blocks by domain name and not by IP. What @MHM Cisco World is saying below is not correct.

"Is there any reason why IPs would, or should, be added to the DNS list? From what I can see, there is no impact if IPs are there." <<- Can you elaborate on this point more, please? Maybe it is the key factor here.
thanks 
MHM

NGJ
Level 1

Thanks all. So IPs are not required in the DNS list; that's just for domain names. IPs just need to be added to the network list. Thanks for confirming.

Let me check this point more.

When we add the DNS list and deploy, and FMC accepts a list containing IPs, here we need to stop and check this point.

Update you soon 

Thanks 

MHM
