Threats

SOLVED
WernerS
Comes here often

Threats

Good day

 

i see indicator-compromise threats (suspicious .pw dns query and suspicious .top dns query) under security center.

 

is this something i should be worried about?

 

how to i respond to these threats?

 

thank you

1 ACCEPTED SOLUTION

Accepted Solutions
Warren
Getting noticed

Re: Threats

Top Level Domains - the part after a . in the url.  

Like

.com

.net

.info

.org

.pw

.top

 

you can block EVERYTHING in that Top Level Domain by blocking *.pw or *.top 

Then if by chance there is someone that has a business need to access a website that ends in those, you just add that to the allow list.  

View solution in original post

7 REPLIES 7
Warren
Getting noticed

Re: Threats

I would block those tld's in your DNS filter or the Meraki Content Filter

Content Filtering - Cisco Meraki

WernerS
Comes here often

Re: Threats

Hi Warren

 

Thanks for your response.

 

sorry, what are the tld's?

Warren
Getting noticed

Re: Threats

Top Level Domains - the part after a . in the url.  

Like

.com

.net

.info

.org

.pw

.top

 

you can block EVERYTHING in that Top Level Domain by blocking *.pw or *.top 

Then if by chance there is someone that has a business need to access a website that ends in those, you just add that to the allow list.  

View solution in original post

WernerS
Comes here often

Re: Threats

Thank you Warren - Appreciated.

 

Just curious as to what threats those are?  Are they attacks which are blocked by the MX?

Warren
Getting noticed

Re: Threats

If I am blocking an entire TLD it is typically after seeing IOC's from a phishing campaign or seeing something similar in the environment.  For example if I know our company doesn't need any websites that are .xyz I would block *.xyz proactively.  I don't know if the Meraki MX would have blocked some things, I block them anyway.  I have a block first approach instead of an allow first approach.  

 

So if I see a phishing campaign using a lot of .bbb domains I will just block *.bbb instead of just the ones the bad actor is using.  Sure if eventually a user has a customer that uses .bbb and we need to allow it, then we allow that one.  This does add some detective work when a site won't load.

MI-Tech
Conversationalist

Re: Threats

So what if they are to opendns or google?

Coulter-WHF
New here

Re: Threats

I'm having the same issue with opendns and google. I can't block the .com tld.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.