We're implementing DNS filtering with Pi-hole for all agent traffic, which is working well. Our current allowlist is locked down.
The problem is when a new agent version or feature needs to communicate with a new external domain for updates or telemetry. This seems to happen quarterly.
What's the operational best practice here? Letting the update fail and then manually adding the domain after a ticket feels reactive and creates a compliance gap (agents out of date). Pre-emptively allowing broad update domains seems to defeat the point.
Is there a common pattern for staging or canary-ing these new domain requests? Or a way to get ahead of the vendor's changes? We're particularly concerned about this under SOC 2 and HIPAA, as an update failure could lead to a vulnerability we can't patch.