Distributed denial of service (DDoS) attacks exploiting the Domain Name System (DNS) are constantly evolving, and NXDOMAIN attacks are no exception. A few years ago, we would see simple methods where attackers would send a flood of queries to a DNS server to resolve a non-existent domain name. They would send the same bogus query over and over, hoping to slow down the DNS server's response time for legitimate requests. With newer technology and improvements in caching, these methods often fail to cause the damage attackers hope for, so attackers are changing tactics.
Infoblox is now seeing many more sophisticated NXDOMAIN attacks using phantom domains and name servers that are set up as part of the attack. Attackers also prepend randomly generated subdomain strings to DNS requests, which again means they are purposefully sending requests for subdomains that don't exist. The volume and type of attack might vary slightly based on the attacker's intended target, which can be either the recursive DNS server or the authoritative server of a target domain.
When the target is the recursive server, the goal is to consume the server's available resources and pollute its cache with NXDOMAIN results. When the target is the authoritative server of a legitimate domain, the query flood becomes a DDoS against that server and degrades its performance, especially on servers that have inadequate memory or must go to disk to look up these non-existent domain names.
There are ways to mitigate these complex NXDOMAIN attack methods and allow for continuous DNS service, even under attack. These include:
- Intelligently preventing NXDOMAIN responses from pushing out valid cache entries (cache pollution).
- Identifying misbehaving domains/servers in real-time.
- Looking at the behavior of clients that generate too many NXDOMAIN, NXRRset, or SERVFAIL responses.
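As an added example that is not part of the Infoblox note, the following Python sketch applies the last two points to a constructed, hypothetical log format (timestamp, client IP, query name, response code): it flags clients whose error-response ratio is high and parent domains that are accumulating many random-looking non-existent labels, which is the footprint of a random-subdomain NXDOMAIN attack. The thresholds are assumptions chosen for the sample, not vendor defaults.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log, one record per line: "<epoch> <client_ip> <qname> <rcode>".
# The format is hypothetical (not any resolver's real log layout). Client 10.0.0.5
# floods random labels under victim.example; client 10.0.0.9 is an ordinary user.
SAMPLE_LOG = """\
1700000000 10.0.0.5 k3x9q7m2zp.victim.example NXDOMAIN
1700000000 10.0.0.5 w8e2r4t6yu.victim.example NXDOMAIN
1700000001 10.0.0.5 a1s2d3f4g5.victim.example NXDOMAIN
1700000001 10.0.0.5 z0x9c8v7b6.victim.example NXDOMAIN
1700000002 10.0.0.5 q2w3e4r5t6.victim.example NXDOMAIN
1700000002 10.0.0.5 p0o9i8u7y6.victim.example SERVFAIL
1700000003 10.0.0.9 www.example.com NOERROR
1700000003 10.0.0.9 mail.example.com NOERROR
1700000004 10.0.0.9 typo.example.com NXDOMAIN
"""

# Response codes the post calls out as signs of a misbehaving client.
ERROR_RCODES = {"NXDOMAIN", "NXRRSET", "SERVFAIL"}


def parse_line(line):
    """Return (client, qname, rcode) for a well-formed record, else None."""
    parts = line.split()
    return (parts[1], parts[2].lower(), parts[3].upper()) if len(parts) == 4 else None


def label_entropy(label):
    """Shannon entropy in bits per character; random labels score high, words low."""
    n = len(label)
    counts = Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def analyze(log_text, min_errors=5, error_ratio=0.5, entropy_threshold=2.5):
    """Flag noisy clients and parent domains collecting random non-existent labels."""
    per_client = defaultdict(Counter)   # client -> Counter(total=, errors=)
    per_parent = defaultdict(set)       # parent zone -> distinct random-looking labels
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, rcode = rec
        per_client[client]["total"] += 1
        if rcode in ERROR_RCODES and "." in qname:
            per_client[client]["errors"] += 1
            first, parent = qname.split(".", 1)
            if label_entropy(first) >= entropy_threshold:
                per_parent[parent].add(first)
    noisy = sorted(c for c, n in per_client.items()
                   if n["errors"] >= min_errors and n["errors"] / n["total"] >= error_ratio)
    targeted = sorted(p for p, labels in per_parent.items() if len(labels) >= min_errors)
    return {"noisy_clients": noisy, "targeted_domains": targeted}
```

The per-client counters are the input a rate limiter would act on, while the per-parent set identifies the zone whose authoritative server is being hammered.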
To learn more about the attack methods and the new ways Infoblox can protect against NXDOMAIN attacks, read the new Infoblox Solution Note here.