Hello There,
That appears to be an alert from NIOS "BOGUS-QUERY ALERTING AND MITIGATION" feature. If you edit your DNS Forwarder Member -> Security -> "BOGUS-QUERY ALERTING AND MITIGATION" -> "Track the percentage of NXDOMAIN responses to recursive queries" has the values that triggered the alert you see there.
All what it means is, during a specific cycle of its check(Either taking the detection interval or the total number of upstream responses into account), the net number of NXDOMAIN responses crossed 91%. Now its hard to tell if it was really an attack or if that was normal. For example :
-> In your environment, during that interval, if an application was generating 100s or 1000s of bogus queries targetting any specific domain(Or multiple domain) as a part of pen testing etc, then you as an administrator expect NXDOMAIN spike during that interval.
-> But if you think that at any interval, there should never be 91% NXDOMAIN responses, then you may need to investigate what were the queries ending up in NXDOMAIN responses, what were the client IPs, if those client machines are infected/compromised etc.
Depending on what you have in your Infoblox configuration(Like DCVM sending queries/responses to a Reporting solution, Queries/Responses logged to syslog eventually pushed to an external server/SIEM etc, Top queried domains report during that interval etc), you may track this down.
Best regards,
Mohammed Alman
