What Is NXDOMAIN Attack And How To Deal With It

The DNS (Domain Name System) server serves a basic purpose – converting a domain name into an IP address and vice versa. Have you ever wondered what will happen if the DNS server receives a fake address? Well, in that case the server won’t be able to find any associated IP with the address given and hence will display an error indicating non existing domain name.

NXDOMAIN is the situation where the DNS is unable to resolve a domain name due to its non-existence. NXDOMAIN attack arises from the attacker’s endeavor to flood the DNS server with false queries to resolve a non-existent domain name. The DNS server looks for the domain that doesn’t really exist, and hence never finds it. While the server attempts to find the false domains sent to it, the cache gets choked up with NXDOMAIN results and hence slows down the response of the legitimate requests.

Most often the DNS server administrators confuse these with performance issues when actually they happen to be NXDOMAIN attacks on their servers. There exists another form of NXDOMAIN attack called NXRRSET.

Malpractices for Minting Money Using DNS Hijacking And NXDOMAIN:
There have been recent cases where the Internet Service Providers (ISPs) started a malpractice of DNS hijacking on non-existent domain name with the intentions of minting money through internet advertisements. Instead of displaying an error what actually happens is the ISPs DNS servers send a fake IP address each time they encounter a NXDOMAIN request. This redirects the browser to a fake IP address server which has advertisements instead of the proper error message for the user. This is a bad practice as it puts the personal data of their users at risk too.

Dealing with NXDOMAIN Attack:
If you want to shield yourself from NXDOMAIN attacks, make sure you have External as well as Internal DNS security. The external DNS security shields the external internet facing server and the internal DNS software security shields the internal recursive servers from NXDOMAIN attacks, malware, data exfiltration, et cetera. These two together account for the safety of your Dynamic Host Configuration Protocol (DHCP) infrastructure. Internal and External DNS security have some characteristics to deal with NXDOMAIN attacks such as:
1. They filter the unusual behaving domains or servers along with the application rate limiting regarding the traffic that reaches the overloaded servers. This causes a DNS request failure message being returned to the clients due to SRVFAIL. This is known as Automatic Blackholing.
2. They keep an eye on the behavior of a client. If any client generates very high rate NXDOMAIN or SRVFAIL responses in a flash, they block the client’s IP address for a limited period of time.
3. An attack doesn’t mean that the valid cache entries get pushed out due to NXDOMAIN responses. The cache entries remain intact making sure that the needed cache refresh continues as to provide service as expected.
4. If a Distributed Denial Of Service (DDoS) attack is repetitively being experienced, DNS queries can be prevented from maxing out by adjusting the time-out duration for the recursive name lookup accordingly to make the resources in the DNS resolver prevent the contemporaneous number of outstanding DNS queries.