[DNSfirewalls] NODs, NRDs and the magic risk window (Palo Alto Unit 42 study)
m3047
m3047 at m3047.net
Sun Aug 25 18:41:32 UTC 2019
Palo Alto Networks' Unit 42 released a blog post where they conclude that
the optimum period of time to block Newly Registered Domains using URL
Filtering is 32 days:
https://unit42.paloaltonetworks.com/newly-registered-domains-malicious-abuse-by-bad-actors/
https://www.theregister.co.uk/2019/08/21/palo_alto_domain_blocking/
There are so many flavors of NODs and NRDs anymore, who can keep track!
They're all based on the premise that the risk which arises from blocking
something based on an attribute is less than the risk of not blocking it.
Personally I would put my gut feeling at between a day and a week.
1) Are people who are blocking for longer periods of time using additional
features to temper impacts: whitelists, local passive DNS oracles,
etc.?
2) Is the key limitation in longer time frames (still) that longer ==
larger (technical limitation on zone size) or is it that people are
seeing unwanted side effects?
Thanks in advance...
--
Fred Morris
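As an added illustration of the policy under discussion (this is not from Fred's post, nor Unit 42's or any vendor's code), the following Python sketches an NRD age-window check tempered by the two mitigations the questions mention: a local allowlist and a local passive-DNS "first seen" oracle. It then emits the RPZ records (`CNAME .`, i.e. NXDOMAIN) a resolver would load, and counts how many feed entries each candidate window (1, 7, 32 days, etc.) would put into the zone. The feed contents, allowlist, passive-DNS timestamps, `.test` names and the reference time are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Reference "now" for the constructed sample (hypothetical value).
NOW = datetime(2019, 8, 25, 18, 41, 32, tzinfo=timezone.utc)

# Constructed NRD feed: apex domain -> registration time. A real deployment
# would derive this from zone-file diffs or WHOIS/RDAP; these are made up.
NRD_FEED = {
    "fresh-example.test": NOW - timedelta(days=2),
    "week-old.test": NOW - timedelta(days=9),
    "month-old.test": NOW - timedelta(days=40),
    "seen-locally.test": NOW - timedelta(hours=6),
}

# Hypothetical local allowlist: partners, vendors, anything business-critical.
ALLOWLIST = {"week-old.test"}

# Constructed local passive-DNS oracle: apex -> first time our own resolvers
# answered for it. A name our resolvers have served for longer than the
# window is treated as established (e.g. a drop-catch that the NRD feed
# reports as "new"); whether that is the right call is a local policy choice.
PASSIVE_DNS_FIRST_SEEN = {
    "seen-locally.test": NOW - timedelta(days=45),
}


def _suffixes(name):
    """All parent names of a query name, longest first: a.b.c -> [a.b.c, b.c, c]."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(qname, window_days, now=NOW):
    """Return (action, reason) for a queried name under an NRD age-window policy.

    Order of checks: allowlist, membership in the NRD feed (names the feed
    does not know are allowed because their age is unknown, not because they
    are trusted), local passive-DNS history, then registration age vs window.
    """
    name = qname.lower().rstrip(".")
    suffixes = _suffixes(name)
    window = timedelta(days=window_days)
    if any(s in ALLOWLIST for s in suffixes):
        return "allow", "allowlisted"
    hit = next(((s, NRD_FEED[s]) for s in suffixes if s in NRD_FEED), None)
    if hit is None:
        return "allow", "not in NRD feed"
    apex, registered = hit
    first_seen = PASSIVE_DNS_FIRST_SEEN.get(apex)
    if first_seen is not None and now - first_seen >= window:
        return "allow", "established in local passive DNS"
    age = now - registered
    if age < window:
        return "block", "%s registered %d days ago" % (apex, age.days)
    return "allow", "older than window"


def rpz_records(window_days, now=NOW):
    """RPZ records for every feed entry the policy blocks.

    'CNAME .' is the RPZ action for NXDOMAIN; the wildcard covers subdomains.
    """
    lines = []
    for apex in sorted(NRD_FEED):
        action, _ = decide(apex, window_days, now)
        if action == "block":
            lines.append("%s CNAME ." % apex)
            lines.append("*.%s CNAME ." % apex)
    return lines


def zone_size_by_window(windows, now=NOW):
    """Number of blocked feed entries per candidate window, to show that
    longer windows mean larger zones (the feed only ever grows with age)."""
    return {w: len(rpz_records(w, now)) // 2 for w in windows}


if __name__ == "__main__":
    for qname in ("www.fresh-example.test", "week-old.test",
                  "seen-locally.test", "unknown.test"):
        print(qname, decide(qname, 32))
    print("\n".join(rpz_records(32)))
    print(zone_size_by_window([1, 7, 32, 60]))
```

With the 32-day window from the Unit 42 post, only `fresh-example.test` lands in the zone in this sample; raising the window to 60 days pulls in the 40-day-old name and the locally-seen one as well, which is the "longer == larger" effect question 2 asks about.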