Community Blog


Top Security Report #7: DNS Top NXDOMAIN – NOERROR

This blog discusses the report #7 in a series of seven top security reports that can help you defend against bad actors.


Please see the part 1 of this series here.



Top Security Report #7: DNS Top NXDOMAIN – NOERROR

Top report #7 is a favorite among network and security admins because it shows the source and patterns of attacks that affect network availability.  A barrage of DNS queries can quickly fill-up the DNS server cache with non-existing domains.  When filled, the network slows down substantially, and legitimate queries don’t get answered as quickly, or at all.  From a network perspective, it’s a very helpful report that quickly indicates that a client is mistyped, misspelled, misconfigured, renamed, changed, expired or removed.  It returns an NXDOMAIN – NOERROR message showing that there are queries still seeking the target domain, quickly alerting you to problems with the domain or client.  From a security perspective, this report identifies when a client is doing something bad on the network.  Using the previous data exfiltration example, the malware uses a domain name generation algorithm, searching among thousands of generated names to find one active attack vector.  This, in turn, generates lots of NXDOMAIN activity, filling-up the cache, much like a DDoS attack, degrading server response and penalizing legitimate traffic.



Service Area

Infrastructure Protection


Lists DNS queries that result in NXDOMAIN or NOERROR (no data) response

Primary User

Network/Security Admins


Identifies queries to renamed or removed servers & finds misconfigurations by showing DNS queries that result in NXDOMAIN & NOERROR (no data) responses

Use Case

A client is infected with malware that uses a domain generation algorithm. This client generates a large amount of NXDOMAIN activity & fills-up the cache reducing DNS server response times to legitimate queries.


Out-of-the-box & requires Advanced Data Protection (ADP)


This is a standard report available through the security dashboard and requires Advanced Data Protection (ADP).  Like virtually all Infoblox reports, filtering is robust, flexible and intuitive making it easy to get the information you need.  You can define monitored timeframes, set how data is displayed (e.g., from visualized bar charts to raw data tables), identify top 10 (or N) domains, filter by member, DNS view and more.  Using the Splunk interface, you can see the raw dataset, and create custom dashboards or reports without starting from scratch.   All of this gives you the quick power to see a troubled or malware-infected domain rather than getting caught long after the damage is done.


security report 1.png


In the next few blogs, we will walk you through the seven (7) security reports that can give you an edge over the bad actors.

Learn more:

  • Join the Infoblox Reporting & Analytics Technical Demo Series to continue the discussion in the free webinar on 7/17, 2018, 9A PDT, 12P EDT, 5P BST. Register
  • As an existing Infoblox DDI customer, you can deploy a virtual Infoblox Reporting & Analytics appliance free of charge — no strings attached. Download and try the Reporting & Analytics Free Tier today.

Showing results for 
Search instead for 
Do you mean