Within UltraDDR, one of the 4 detection engines is the Lists Engine. This engine empowers you to create lists based on FQDN, domain, IP address, or CIDR network block, granting you control over what is allowed or denied. You have the flexibility to manually manage lists through the UltraDDR Web UI or API, or import lists from URLs with customizable refresh frequencies. This simple yet powerful feature expands UltraDDR’s capabilities, seamlessly integrating with other tools and processes.
Flexible management with the Lists Engine.
The Lists Engine give you a significant amount of flexibility which enables you to accomplish multiple tasks with ease:
- Integrate with Security Operations Center (SOC) tools by creating your own block and allow lists using incident IoCs.
- Enable the Help Desk to allow specific domains that have been previously blocked.
- Expand UltraDDR’s blocking capability to include additional categories such as advertising and sites that track users and compromise privacy.
- Incorporate other Cyber Threat Intelligence IOC lists.
- Permit specific providers by their IP address or network block in CIDR format.
- Add your company’s network blocks and domains to the allowlist.
- Build your own blocklist for URL shorteners or QR-code redirectors.
- Automate blocking of newly registered domains that are like your own domains and can be used for phishing attacks.
- Block internal-only Top-Level Domains (.local, .internal, .corp, etc.) that leak out to the Internet.
- Block RFC-1918 CIDR blocks (10.0.0.0/8, 192.168.0.0/16) in query answers.
The list import allows several formats:
- Flat file with one FQDN, domain, IP address, or CIDR network block per line.
- Hosts file with one IP address and host per line, delineated by spaces or tabs.
UltraDDR’s Lists Engine.
UltraDDR excels at detecting and blocking malware, as well as blocking various site categories. However, it is currently limited to a pre-defined set of categories. UltraDDR’s Lists Engine enables IT teams to implement additional policy blocking for new categories such as advertising and user tracking sites.
Firebog offers various lists, including “Advertising Lists” and “Tracking & Telemetry Lists”. It’s important to read the list descriptions at the top of the page as some lists may have a higher false-positive rate or have been deprecated. Keep this in mind before accepting a list.
It’s worth noting that UltraDDR with all 4 detection engines is more effective at detecting and blocking malware than Firebog’s “Malicious” lists. Therefore, it’s not recommended to add these to the Lists Engine.
To block advertising sites, one of the commonly used lists by home users is the Easy List, available at https://v.firebog.net/hosts/Easylist.txt. It has one FQDN or domain per line with some comments at the top of the file.
To import a Firebog list (or any other list via URL), follow these steps in the Lists Engine’s FQDNs tab:
- Click the plus (+) sign to create a new list.
- Select the “URL” radio button.
- Give the list a descriptive name.
- Paste the URL for the list that you want to import into the URL block.
- Choose the update frequency based on the list’s regularity. For the Easy List, we recommend daily updates.
- Optionally: provide a description for the list.
- Click “Import” and review the dialog box to see which data items will be imported, exist already, or ignored.
- Click “OK” to proceed.
- It may take several minutes for the newly imported list to appear in the Lists Engine.
- After the newly imported list is deployed to the UltraDDR servers, the system will start blocking based on the list.
- This approach ensures that both FQDNs and domains are checked, maintaining optimal speed and performance in the UltraDDR system.
- Inside of the UltraDDR logs, you can view what is being blocked by adding a new filter for “Reason: Block List”.
The import dialog set to import via URL.
The second import dialog shows what will be added.
The imported list with populated entries.
Filtering logs to only show activity from the block list.
The filtered logs.
And inside the domain detailed view, you can see which list the domain was blocked on.
Enhance your cyber security with UltraDDR Lists Engine.
Creating, importing, and managing lists with the List Engine is easy to do manually. However, when you combine this capability with importing lists via URL, it greatly enhances compatibility with other resources available to administrators. Start optimizing your Protective DNS and protect your IT assets today with the UltraDDR List Engine!