Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%
06-08-2022 07:40 PM
Hi,
Please advise about this alert on our DNS forwarder
Message: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%.
Reporting: DNSAttack
Node: 172.27.24.22
Time: Wed Jun 8 22:37:08 2022
It ended after some time
Message: DNS attack conditions have ended.
Reporting: DNSAttack
Time: Wed Jun 8 22:37:58 2022
Thanks
Re: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%
06-14-2022 07:31 PM
Can anyone help?
Re: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%
07-17-2022 11:56 PM - edited 06-27-2023 01:20 PM
Hello There,
That appears to be an alert from the NIOS "BOGUS-QUERY ALERTING AND MITIGATION" feature. If you edit your DNS Forwarder Member -> Security -> "BOGUS-QUERY ALERTING AND MITIGATION", "Track the percentage of NXDOMAIN responses to recursive queries" has the values that triggered the alert you see there.
All it means is that, during a specific cycle of its check (either taking the detection interval or the total number of upstream responses into account), the net number of NXDOMAIN responses crossed 91%. Now it's hard to tell if it was really an attack or if that was normal. For example:
-> In your environment, during that interval, if an application was generating 100s or 1000s of bogus queries targeting any specific domain (or multiple domains) as a part of pen testing etc., then you as an administrator would expect an NXDOMAIN spike during that interval.
-> But if you think that at any interval there should never be 91% NXDOMAIN responses, then you may need to investigate what the queries ending up in NXDOMAIN responses were, what the client IPs were, whether those client machines are infected/compromised, etc.
Depending on what you have in your Infoblox configuration (like DCVM sending queries/responses to a Reporting solution, queries/responses logged to syslog and eventually pushed to an external server/SIEM, a top queried domains report for that interval, etc.), you may track this down.
Best regards,
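To make the interval check concrete, here is an added Python example (not Infoblox code and not from the replies above) that computes the NXDOMAIN share over one detection interval and lists the clients and parent domains behind the NXDOMAIN answers, which is the investigation the reply recommends. It assumes a constructed, simplified "client rcode qname" log line format rather than the real NIOS syslog layout.

```python
from collections import Counter

# Constructed sample log, one response per line as "client rcode qname".
# This simplified layout is an assumption, not the real NIOS syslog format.
SAMPLE_LOG = """\
10.0.0.5 NXDOMAIN xk3j9a.example.net
10.0.0.5 NXDOMAIN qp01ls.example.net
10.0.0.7 NXDOMAIN zz81vb.example.net
10.0.0.7 NXDOMAIN mm0ak2.example.net
10.0.0.9 NOERROR mail.example.com
10.0.0.7 NXDOMAIN h7d2kq.example.net
10.0.0.5 NXDOMAIN pp3x1r.example.net
10.0.0.7 NXDOMAIN r0g5tw.example.net
10.0.0.5 NXDOMAIN ab9c2e.example.net
10.0.0.5 NXDOMAIN c4v8nn.example.net
10.0.0.7 NXDOMAIN yt6q0d.example.net
10.0.0.5 NXDOMAIN le2w7z.example.net
"""

def parse(log_text):
    """Yield (client, rcode, qname) tuples, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].upper(), parts[2].lower()

def nxdomain_percent(records):
    """Share (0-100) of responses in this interval whose rcode is NXDOMAIN."""
    if not records:
        return 0.0
    nx = sum(1 for _, rcode, _ in records if rcode == "NXDOMAIN")
    return 100.0 * nx / len(records)

def analyze_interval(log_text, threshold_percent=91.0, top_n=3):
    """Alert decision plus the clients and parent domains behind the NXDOMAINs."""
    records = list(parse(log_text))
    pct = nxdomain_percent(records)
    nx_records = [r for r in records if r[1] == "NXDOMAIN"]
    clients = Counter(c for c, _, _ in nx_records)
    # Collapse random-looking subdomains onto their last two labels so the
    # domain actually being hammered stands out instead of 11 unique names.
    parents = Counter(".".join(q.split(".")[-2:]) for _, _, q in nx_records)
    return {
        "total": len(records),
        "nxdomain_percent": round(pct, 1),
        "alert": pct >= threshold_percent,
        "top_clients": clients.most_common(top_n),
        "top_parent_domains": parents.most_common(top_n),
    }
```

Calling `analyze_interval(SAMPLE_LOG)` on the constructed sample reports 91.7% NXDOMAIN, so the 91% threshold fires, and points at the two clients and the single parent domain producing the noise.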
Re: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%
09-25-2022 07:28 PM
Thanks.