We are interested in enabling some public feeds (sk132193) for dynamic blocking of malicious IPs and domains.
My question is this: we have had a few hiccups with FQDN rules in the past and have found we should only use FQDN objects in very specific rules (otherwise our box dies from too many DNS lookups). So I am wondering what happens if we use a feed such as http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt: does the firewall do an immediate lookup of the domains and block the IPs, or does it work in the same way as an FQDN object and do a reverse DNS lookup of every packet that passes?
Also, is there any issue with using multiple feeds at the same time?
Keen to hear from someone who has enabled this feature!