06-08-2022 07:40 PM
Please advise about this alert on our DNS forwarder
Message: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%.
Time: Wed Jun 8 22:37:08 2022
It ended after some time
Message: DNS attack conditions have ended.
Time: Wed Jun 8 22:37:58 2022
07-17-2022 11:56 PM - edited 06-27-2023 01:20 PM
That appears to be an alert from NIOS "BOGUS-QUERY ALERTING AND MITIGATION" feature. If you edit your DNS Forwarder Member -> Security -> "BOGUS-QUERY ALERTING AND MITIGATION" -> "Track the percentage of NXDOMAIN responses to recursive queries" has the values that triggered the alert you see there.
All what it means is, during a specific cycle of its check(Either taking the detection interval or the total number of upstream responses into account), the net number of NXDOMAIN responses crossed 91%. Now its hard to tell if it was really an attack or if that was normal. For example :
-> In your environment, during that interval, if an application was generating 100s or 1000s of bogus queries targetting any specific domain(Or multiple domain) as a part of pen testing etc, then you as an administrator expect NXDOMAIN spike during that interval.
-> But if you think that at any interval, there should never be 91% NXDOMAIN responses, then you may need to investigate what were the queries ending up in NXDOMAIN responses, what were the client IPs, if those client machines are infected/compromised etc.
Depending on what you have in your Infoblox configuration(Like DCVM sending queries/responses to a Reporting solution, Queries/Responses logged to syslog eventually pushed to an external server/SIEM etc, Top queried domains report during that interval etc), you may track this down.