Top Security Report #7: DNS Top NXDOMAIN – NOERROR

This blog post discusses report #7, the last in a series of seven top security reports that can help you defend against bad actors.


Please see the part 1 of this series here.


Top report #7 is a favorite among network and security admins because it shows the source and patterns of attacks that affect network availability. A barrage of DNS queries for names that do not exist can quickly fill the DNS server's cache with negative (non-existent domain) entries. Once the cache is full, the network slows down substantially, and legitimate queries are answered more slowly, or not at all. From a network perspective, the report is a quick indicator that a client is querying a name that has been mistyped, misspelled, misconfigured, renamed, changed, expired or removed: the server answers NXDOMAIN or NOERROR with no data, and the report shows which clients are still querying for that name, alerting you to a problem with the domain or the client. From a security perspective, the report identifies when a client is doing something bad on the network. Using the previous data exfiltration example, the malware uses a domain generation algorithm (DGA), querying thousands of generated names to find the one that is active. This in turn generates a large volume of NXDOMAIN responses that fill the cache, much like a DDoS attack, degrading server response and penalizing legitimate traffic.

Top Report #7: DNS Top NXDOMAIN - NOERROR

Service Area: Infrastructure Protection
Purpose: Lists DNS queries that result in an NXDOMAIN or NOERROR (no data) response
Primary User: Network/Security Admins
Importance: Identifies queries to renamed or removed servers and finds misconfigurations by showing DNS queries that result in NXDOMAIN and NOERROR (no data) responses
Use Case: A client is infected with malware that uses a domain generation algorithm. This client generates a large amount of NXDOMAIN activity and fills up the cache, reducing DNS server response times to legitimate queries.
Available: Out-of-the-box; requires Advanced Data Protection (ADP)
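The two passages above describe what the report counts (NXDOMAIN answers, plus NOERROR answers that carry no data) and its main use case (a DGA-infected client burning through many generated names). The following is an added example, not Infoblox's code, of the same aggregation done by hand over DNS response logs: it groups negative answers per client and per queried name, lists the top N of each, and separates a host that repeats one stale name (a misconfiguration) from a host spreading failures over many distinct names (DGA-like behavior). The log format and the sample lines are constructed for the example; real resolver logs would need their own parser.

```python
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). Fields:
# timestamp client qname qtype rcode answer_count
# 10.1.1.7 repeats one retired hostname (stale config); 10.1.1.9 asks for
# AAAA on an IPv4-only name (NODATA); 10.1.1.42 cycles through random names.
SAMPLE_LOG = """\
2018-07-10T09:00:01Z 10.1.1.5 www.example.com A NOERROR 1
2018-07-10T09:00:02Z 10.1.1.5 mail.example.com A NOERROR 1
2018-07-10T09:00:03Z 10.1.1.7 oldserver.corp.example.com A NXDOMAIN 0
2018-07-10T09:00:04Z 10.1.1.7 oldserver.corp.example.com A NXDOMAIN 0
2018-07-10T09:00:05Z 10.1.1.9 ipv4only.example.com AAAA NOERROR 0
2018-07-10T09:00:06Z 10.1.1.42 kq3x9zvb1p.net A NXDOMAIN 0
2018-07-10T09:00:06Z 10.1.1.42 7hd0qwlmz2.info A NXDOMAIN 0
2018-07-10T09:00:07Z 10.1.1.42 zx8vq2np0k.com A NXDOMAIN 0
2018-07-10T09:00:07Z 10.1.1.42 b4lq9tkwn7.net A NXDOMAIN 0
2018-07-10T09:00:08Z 10.1.1.42 mtc2v0zxq5.org A NXDOMAIN 0
"""


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, qname, qtype, rcode, answers = parts
    try:
        answers = int(answers)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype, "rcode": rcode, "answers": answers}


def is_negative(rec):
    """NXDOMAIN, or NOERROR with an empty answer section (NODATA): the two
    outcomes the report groups together as 'NXDOMAIN - NOERROR'."""
    return rec["rcode"] == "NXDOMAIN" or (
        rec["rcode"] == "NOERROR" and rec["answers"] == 0)


def summarize(log_text):
    """Count negative answers per client and per name, and remember which
    distinct names each client failed on."""
    per_client = Counter()
    per_name = Counter()
    names_by_client = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_negative(rec):
            continue
        per_client[rec["client"]] += 1
        per_name[rec["qname"]] += 1
        names_by_client[rec["client"]].add(rec["qname"])
    return {"per_client": per_client, "per_name": per_name,
            "names_by_client": names_by_client}


def top_n(counter, n=10):
    """Top-N rows, the way the report's 'top 10 (or N)' view presents them."""
    return counter.most_common(n)


def suspect_clients(summary, min_failures=5, min_distinct=5):
    """Clients whose negative answers are spread over many distinct names.
    A stale hostname queried over and over has high failures but one name;
    a DGA host has many failures AND many names. Thresholds are illustrative."""
    out = []
    for client, failures in summary["per_client"].items():
        distinct = len(summary["names_by_client"][client])
        if failures >= min_failures and distinct >= min_distinct:
            out.append(client)
    return sorted(out)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("Top clients by negative answers:", top_n(s["per_client"], 3))
    print("Top names by negative answers:", top_n(s["per_name"], 3))
    print("Clients with DGA-like spread:", suspect_clients(s))
```

Run as-is it reports 10.1.1.42 as the top client and the retired hostname queried by 10.1.1.7 as the top name, and flags only 10.1.1.42 as DGA-like. The distinct-name count is the part worth keeping in a real dashboard: raw NXDOMAIN volume alone ranks the misconfigured host and the infected host side by side, while the spread across names is what tells them apart.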


This is a standard report available through the security dashboard and requires Advanced Data Protection (ADP). Like virtually all Infoblox reports, filtering is robust, flexible and intuitive, making it easy to get the information you need. You can define monitored timeframes, choose how data is displayed (e.g., visualized bar charts or raw data tables), identify the top 10 (or N) domains, filter by member, DNS view and more. Using the Splunk interface, you can see the raw dataset and create custom dashboards or reports without starting from scratch. All of this lets you quickly spot a troubled or malware-infected domain rather than finding out long after the damage is done.


[Figure: security report 1.png]


In the next few blogs, we will walk you through the seven (7) security reports that can give you an edge over the bad actors.

Learn more:

  • Join the Infoblox Reporting & Analytics Technical Demo Series to continue the discussion in the free webinar on 7/17, 2018, 9A PDT, 12P EDT, 5P BST. Register
  • As an existing Infoblox DDI customer, you can deploy a virtual Infoblox Reporting & Analytics appliance free of charge — no strings attached. Download and try the Reporting & Analytics Free Tier today.