Are you interested in our Early Access Program (EAP)? This program allows you to preview code, test in your lab and provide feedback prior to General Availability (GA) release of all Infoblox products. If so, please click the link here.

BloxOne DNS DHCP IPAM

Reply

Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%

Techie
Posts: 8
423     0

Hi,

 

Please advise about this alert on our DNS  forwarder 

 

Message: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%.

Reporting: DNSAttack

Node: 172.27.24.22

Time: Wed Jun  8 22:37:08 2022

 

It ended after some time

 

Message: DNS attack conditions have ended.

Reporting: DNSAttack

 

Time: Wed Jun  8 22:37:58 2022

 

 

Thanks

 

Re: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%

Techie
Posts: 8
424     0

Can anyone help ?

 

Re: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%

Superuser
Posts: 71
424     0

Hello There,

 

That appears to be an alert from NIOS "BOGUS-QUERY ALERTING AND MITIGATION" feature. If you edit your DNS Forwarder Member -> Security -> "BOGUS-QUERY ALERTING AND MITIGATION" -> "Track the percentage of NXDOMAIN responses to recursive queries" has the values that triggered the alert you see there.

 

All what it means is, during a specific cycle of its check(Either taking the detection interval or the total number of upstream responses into account), the net number of NXDOMAIN responses crossed 91%. Now its hard to tell if it was really an attack or if that was normal. For example :

 

-> In your environment, during that interval, if an application was generating 100s or 1000s of bogus queries targetting any specific domain(Or multiple domain) as a part of pen testing etc, then you as an administrator expect NXDOMAIN spike during that interval. 

 

-> But if you think that at any interval, there should never be 91% NXDOMAIN responses, then you may need to investigate what were the queries ending up in NXDOMAIN responses, what were the client IPs, if those client machines are infected/compromised etc. 

Depending on what you have in your Infoblox configuration(Like DCVM sending queries/responses to a Reporting solution, Queries/Responses logged to syslog eventually pushed to an external server/SIEM etc, Top queried domains report during that interval etc), you may track this down.

 

Best regards,

Mohammed Alman

Re: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%

Techie
Posts: 3
424     0

Thanks.

Showing results for 
Search instead for 
Did you mean: 

Recommended for You