[DNSfirewalls] NODs, NRDs and the magic risk window (Palo Alto Unit 42 study)

m3047 m3047 at m3047.net
Sun Aug 25 18:41:32 UTC 2019

Palo Alto Networks' Unit 42 released a blog post where they conclude that 
the optimum period of time to block Newly Registered Domains using URL 
Filtering is 32 days:



There are so many flavors of NODs and NRDs anymore, who can keep track! 
They're all based on the premise that the risk which arises from blocking 
something based on an attribute is less than the risk of not blocking it.

Personally I would put my gut feeling at between a day and a week.

1) Are people who are blocking for longer periods of time using additional
    features to temper impacts: whitelists, local passive DNS oracles,

2) Is the key limitation in longer time frames (still) that longer ==
    larger (technical limitiation on zone size) or is it that people are
    seeing unwanted side effects?

Thanks in advance...


Fred Morris

More information about the DNSfirewalls mailing list