Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%

Techie
Posts: 8

Hi,

Please advise about this alert on our DNS forwarder.

Message: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%.

Reporting: DNSAttack

Node: 172.27.24.22

Time: Wed Jun  8 22:37:08 2022

It ended after some time.

Message: DNS attack conditions have ended.

Reporting: DNSAttack

Time: Wed Jun  8 22:37:58 2022

Thanks

 

Re: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%

Techie
Posts: 8

Can anyone help ?

 

Re: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%

Superuser
Posts: 81

Hello There,

That appears to be an alert from the NIOS "BOGUS-QUERY ALERTING AND MITIGATION" feature. If you edit your DNS Forwarder Member -> Security -> "BOGUS-QUERY ALERTING AND MITIGATION" -> "Track the percentage of NXDOMAIN responses to recursive queries", you will find the values that triggered the alert you see there.

All it means is that, during a specific cycle of its check (taking either the detection interval or the total number of upstream responses into account), the net number of NXDOMAIN responses crossed 91%. Now it's hard to tell if it was really an attack or if that was normal. For example:

-> In your environment, during that interval, if an application was generating 100s or 1000s of bogus queries targeting any specific domain (or multiple domains) as a part of pen testing etc., then you as an administrator expect an NXDOMAIN spike during that interval.

-> But if you think that at any interval there should never be 91% NXDOMAIN responses, then you may need to investigate what the queries ending up in NXDOMAIN responses were, what the client IPs were, whether those client machines are infected/compromised, etc.

Depending on what you have in your Infoblox configuration (like DCVM sending queries/responses to a Reporting solution, queries/responses logged to syslog and eventually pushed to an external server/SIEM, a Top queried domains report for that interval, etc.), you may track this down.

Best regards,
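The triage the answer above describes, as an added example that is not part of this thread or of Infoblox's own tooling: a Python script that takes exported DNS response-log lines, recomputes the NXDOMAIN share per detection interval, and lists the clients and parent domains behind the NXDOMAIN answers. The sample lines are constructed, and their BIND/NIOS-like layout is an assumption to adjust for your NIOS version.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines, not from the original post. They imitate a BIND/NIOS-style
# response log; assumption: real NIOS lines may differ by version, so adjust LINE_RE.
SAMPLE_LOG = """\
Jun  8 22:37:05 ns1 named[1234]: client 10.20.30.5#51234: UDP: query: www.example.com IN A response: NOERROR +A
Jun  8 22:37:06 ns1 named[1234]: client 10.20.30.77#40001: UDP: query: k3j4h.corp-test.net IN A response: NXDOMAIN -A
Jun  8 22:37:07 ns1 named[1234]: client 10.20.30.77#40002: UDP: query: x9q2z.corp-test.net IN A response: NXDOMAIN -A
Jun  8 22:37:08 ns1 named[1234]: client 10.20.30.77#40003: UDP: query: p0o8i.corp-test.net IN A response: NXDOMAIN -A
Jun  8 22:37:09 ns1 named[1234]: client 10.20.30.77#40004: UDP: query: m5n6b.corp-test.net IN A response: NXDOMAIN -A
Jun  8 22:37:10 ns1 named[1234]: client 10.20.30.77#40005: UDP: query: v7c8x.corp-test.net IN A response: NXDOMAIN -A
Jun  8 22:37:11 ns1 named[1234]: client 10.20.30.77#40006: UDP: query: z1a2s.corp-test.net IN A response: NXDOMAIN -A
Jun  8 22:37:12 ns1 named[1234]: client 10.20.30.77#40007: UDP: query: d3f4g.corp-test.net IN A response: NXDOMAIN -A
Jun  8 22:37:13 ns1 named[1234]: client 10.20.30.77#40008: UDP: query: h5j6k.corp-test.net IN A response: NXDOMAIN -A
Jun  8 22:37:14 ns1 named[1234]: client 10.20.30.12#40009: UDP: query: wpad.corp.example IN A response: NXDOMAIN -A
Jun  8 22:37:15 ns1 named[1234]: client 10.20.30.12#40010: UDP: query: printer.corp.example IN A response: NXDOMAIN -A
Jun  8 22:38:01 ns1 named[1234]: client 10.20.30.5#51235: UDP: query: mail.example.com IN MX response: NOERROR +A
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*client (?P<client>[\d.]+)#\d+: .*"
                     r"query: (?P<qname>\S+) IN \S+ response: (?P<rcode>\w+)")

def parse_responses(text, year=2022):
    """Yield (timestamp, client_ip, qname, rcode) for each line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # syslog timestamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["client"], m["qname"].lower().rstrip("."), m["rcode"]

def nxdomain_report(text, interval_s=60, top=3):
    """Per detection interval: NXDOMAIN share of all responses, plus the clients and
    parent domains behind the NXDOMAIN answers (what to inspect if the spike was unexpected)."""
    windows = {}
    for ts, client, qname, rcode in parse_responses(text):
        base = ts.replace(month=1, day=1, hour=0, minute=0, second=0)
        start = base + timedelta(seconds=int((ts - base).total_seconds()) // interval_s * interval_s)
        w = windows.setdefault(start, {"total": 0, "nx": 0, "clients": Counter(), "domains": Counter()})
        w["total"] += 1
        if rcode == "NXDOMAIN":
            w["nx"] += 1
            w["clients"][client] += 1
            w["domains"][".".join(qname.split(".")[-2:])] += 1  # crude parent-domain bucket
    return [{"start": s.strftime("%Y-%m-%d %H:%M:%S"), "total": w["total"],
             "nx_pct": round(100 * w["nx"] / w["total"], 1),
             "top_clients": w["clients"].most_common(top),
             "top_domains": w["domains"].most_common(top)} for s, w in sorted(windows.items())]
```

Calling nxdomain_report(SAMPLE_LOG) shows the 22:37 window at 90.9% NXDOMAIN, dominated by one client querying random-looking names under a single parent domain, which is the pattern worth checking against the pen-test or infected-host explanations given above.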

 

Re: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%

Techie
Posts: 7

Thanks.
