Meraki

Community

Threats

Solved
WernerS
Comes here often
‎Jul 20 2021 3:08 AM
‎Jul 20 2021 3:08 AM

Threats

Good day

 

i see indicator-compromise threats (suspicious .pw dns query and suspicious .top dns query) under security center.

 

is this something i should be worried about?

 

how to i respond to these threats?

 

thank you

0 Kudos
1 Accepted Solution
In response to WernerS
Warren
Getting noticed
‎Jul 20 2021 9:57 AM
‎Jul 20 2021 9:57 AM

Top Level Domains - the part after a . in the url.  

Like

.com

.net

.info

.org

.pw

.top

 

you can block EVERYTHING in that Top Level Domain by blocking *.pw or *.top 

Then if by chance there is someone that has a business need to access a website that ends in those, you just add that to the allow list.  

View solution in original post

7 Replies 7
Warren
Getting noticed
‎Jul 20 2021 5:16 AM
‎Jul 20 2021 5:16 AM

I would block those tld's in your DNS filter or the Meraki Content Filter

Content Filtering - Cisco Meraki

0 Kudos
In response to Warren
WernerS
Comes here often
‎Jul 20 2021 9:53 AM
‎Jul 20 2021 9:53 AM

Hi Warren

 

Thanks for your response.

 

sorry, what are the tld's?

0 Kudos
In response to WernerS
Warren
Getting noticed
‎Jul 20 2021 9:57 AM
‎Jul 20 2021 9:57 AM

Top Level Domains - the part after a . in the url.  

Like

.com

.net

.info

.org

.pw

.top

 

you can block EVERYTHING in that Top Level Domain by blocking *.pw or *.top 

Then if by chance there is someone that has a business need to access a website that ends in those, you just add that to the allow list.  

In response to Warren
WernerS
Comes here often
‎Jul 20 2021 10:00 AM
‎Jul 20 2021 10:00 AM

Thank you Warren - Appreciated.

 

Just curious as to what threats those are?  Are they attacks which are blocked by the MX?

0 Kudos
In response to WernerS
Warren
Getting noticed
‎Jul 20 2021 10:52 AM
‎Jul 20 2021 10:52 AM

If I am blocking an entire TLD it is typically after seeing IOC's from a phishing campaign or seeing something similar in the environment.  For example if I know our company doesn't need any websites that are .xyz I would block *.xyz proactively.  I don't know if the Meraki MX would have blocked some things, I block them anyway.  I have a block first approach instead of an allow first approach.  

 

So if I see a phishing campaign using a lot of .bbb domains I will just block *.bbb instead of just the ones the bad actor is using.  Sure if eventually a user has a customer that uses .bbb and we need to allow it, then we allow that one.  This does add some detective work when a site won't load.

0 Kudos
In response to Warren
MI-Tech
Conversationalist
‎Jul 20 2021 3:37 PM
‎Jul 20 2021 3:37 PM

So what if they are to opendns or google?

0 Kudos
In response to MI-Tech
Coulter-WHF
Just browsing
‎Jul 30 2021 11:50 AM
‎Jul 30 2021 11:50 AM

I'm having the same issue with opendns and google. I can't block the .com tld.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.