Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

BloxOne DNS DHCP IPAM

Reply

Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%

Techie
Posts: 8
2722     0

Hi,

 

Please advise about this alert on our DNS  forwarder 

 

Message: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%.

Reporting: DNSAttack

Node: 172.27.24.22

Time: Wed Jun  8 22:37:08 2022

 

It ended after some time

 

Message: DNS attack conditions have ended.

Reporting: DNSAttack

 

Time: Wed Jun  8 22:37:58 2022

 

 

Thanks

 

Re: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%

Techie
Posts: 8
2723     0

Can anyone help ?

 

Re: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%

[ Edited ]
Superuser
Posts: 81
2723     0

Hello There,

 

That appears to be an alert from NIOS "BOGUS-QUERY ALERTING AND MITIGATION" feature. If you edit your DNS Forwarder Member -> Security -> "BOGUS-QUERY ALERTING AND MITIGATION" -> "Track the percentage of NXDOMAIN responses to recursive queries" has the values that triggered the alert you see there.

 

All what it means is, during a specific cycle of its check(Either taking the detection interval or the total number of upstream responses into account), the net number of NXDOMAIN responses crossed 91%. Now its hard to tell if it was really an attack or if that was normal. For example :

 

-> In your environment, during that interval, if an application was generating 100s or 1000s of bogus queries targetting any specific domain(Or multiple domain) as a part of pen testing etc, then you as an administrator expect NXDOMAIN spike during that interval. 

 

-> But if you think that at any interval, there should never be 91% NXDOMAIN responses, then you may need to investigate what were the queries ending up in NXDOMAIN responses, what were the client IPs, if those client machines are infected/compromised etc. 

Depending on what you have in your Infoblox configuration(Like DCVM sending queries/responses to a Reporting solution, Queries/Responses logged to syslog eventually pushed to an external server/SIEM etc, Top queried domains report during that interval etc), you may track this down.

 

Best regards,

 

Re: Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 91%

Techie
Posts: 7
2723     0

Thanks.

Showing results for 
Search instead for 
Did you mean: 

Recommended for You