Using a large destination-domain blacklist

cancel
Showing results for 
Search instead for 
Did you mean: 

Using a large destination-domain blacklist

Not applicable

Hello,

I am considering the use of a domain name blacklist published by the DNS-BH project in a custom URL category that will block access to any of the included domains.  However, the list is over 12K entries long, which obviously doubles when I add an additional wildcard entry for each.  So, i have a few questions. 

First, does it make sense to try to achieve my goal of blocking http to known malware sites using this method?  Is there a max URL category list limit what this would exceed, or will there be a performance hit related to comparing URL domain against a 24K list that makes this option unrealistic (on PA-200 up to PA-5020)?  Can an update of the custom URL category list be automated via the CLI from a text file?

Also, If I wanted to block access to these domains for more than just http traffic, what other options do i have?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

L6 Presenter

If your purpose is to block malware sites, the best way would be to do it by blocking the category "malware-sites" and use the dynamic URL filtering. The firewall will determine the URL is a malware website are not by doing search on the cloud database (brightcloud.com). The cloud database gets updated frequently with all kinds of URL's. You can visit brightcloud.com and test a few URL's that are present in the dns-bh list.

View solution in original post

2 REPLIES 2

L6 Presenter

If your purpose is to block malware sites, the best way would be to do it by blocking the category "malware-sites" and use the dynamic URL filtering. The firewall will determine the URL is a malware website are not by doing search on the cloud database (brightcloud.com). The cloud database gets updated frequently with all kinds of URL's. You can visit brightcloud.com and test a few URL's that are present in the dns-bh list.

View solution in original post

L1 Bithead

I hear ya man, there should be a DNS domain blacklist (dynamic list like Dynamic Block Lists). DNS blocking is really the only way you can do it. Object FQDN lookups won't work and don't scale. They have to constantly refresh the data at regular intervals, but malware domains can have slow TTLs, lower than the firewall and will skirt through.

URL filtering only filters web traffic and the traffic may not be web based. There are a lot of domains I would like to block at the IP level in the event the traffic is ssh, icmp tunneling, etc.Still trying to figure that one out.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!