Using a large destination-domain blacklist

Hello,

I am considering the use of a domain name blacklist published by the DNS-BH project in a custom URL category that will block access to any of the included domains. However, the list is over 12K entries long, which obviously doubles when I add an additional wildcard entry for each. So, I have a few questions.

First, does it make sense to try to achieve my goal of blocking HTTP to known malware sites using this method? Is there a max URL category list limit that this would exceed, or will there be a performance hit related to comparing the URL domain against a 24K list that makes this option unrealistic (on PA-200 up to PA-5020)? Can an update of the custom URL category list be automated via the CLI from a text file?

Also, if I wanted to block access to these domains for more than just HTTP traffic, what other options do I have?

Thanks
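As an added illustration (not code from this thread or from Palo Alto Networks), the following Python turns a DNS-BH-style list into the two-entries-per-domain custom URL category the question describes, and first drops any subdomain whose parent is already listed, since the parent's wildcard entry covers it. The entry form `domain/` plus `*.domain/`, the accepted input layouts (plain and hosts-file) and the sample data are assumptions.

```python
from __future__ import annotations
import ipaddress
import re
# Assumed PAN-OS custom URL category entry form (not taken from the thread):
# "bad.example/" matches the host, "*.bad.example/" its subdomains; the
# trailing slash keeps "bad.example.attacker.test" from matching.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

def _is_ip(field: str) -> bool:
    try:
        ipaddress.ip_address(field)
        return True
    except ValueError:
        return False

def parse_domains(lines) -> set[str]:
    """Hostnames from plain one-per-line or hosts-file ("127.0.0.1 bad.example")
    lines; '#' starts a comment. Lowercased, trailing dot stripped (format assumed)."""
    found: set[str] = set()
    for raw in lines:
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        candidates = fields[1:] if _is_ip(fields[0]) else fields[:1]
        for name in candidates:
            name = name.lower().rstrip(".")
            if _HOSTNAME.match(name):
                found.add(name)
    return found

def prune_covered(domains: set[str]) -> set[str]:
    """Drop names whose parent is also listed: the parent's wildcard entry
    already covers them, which shrinks the 2-entries-per-domain category."""
    kept = set()
    for d in domains:
        labels = d.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        if not parents & domains:
            kept.add(d)
    return kept

def category_entries(text: str) -> list[str]:
    """One exact-host and one wildcard entry per surviving domain."""
    domains = prune_covered(parse_domains(text.splitlines()))
    return sorted(e for d in domains for e in (f"{d}/", f"*.{d}/"))

# Constructed sample, not real DNS-BH data
SAMPLE = "# comment\nbad.example\n127.0.0.1 evil.test  # hosts-file style\n0.0.0.0 Sub.Bad.Example.\nevil.test\nnot a domain!\n"
```

`category_entries(SAMPLE)` yields four entries from the three valid names, because `sub.bad.example` is already covered by `*.bad.example/`.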


L6 Presenter

If your purpose is to block malware sites, the best way would be to do it by blocking the category "malware-sites" and using the dynamic URL filtering. The firewall will determine whether the URL is a malware website or not by doing a search on the cloud database (brightcloud.com). The cloud database gets updated frequently with all kinds of URLs. You can visit brightcloud.com and test a few URLs that are present in the dns-bh list.

L1 Bithead

I hear ya, man. There should be a DNS domain blacklist (a dynamic list like Dynamic Block Lists). DNS blocking is really the only way you can do it. Object FQDN lookups won't work and don't scale. They have to constantly refresh the data at regular intervals, but malware domains can have slow TTLs, lower than the firewall's, and will skirt through.

URL filtering only filters web traffic, and the traffic may not be web based. There are a lot of domains I would like to block at the IP level in the event the traffic is SSH, ICMP tunneling, etc. Still trying to figure that one out.
