What you can learn from an NXDOMAIN response

BY Ben Ball

The sad document.  The cloud thought bubble.  The illustrated slug (armadillo?) confusedly reading a map. 

If you’re seeing any of these in your web browser, you’ve probably hit an NXDOMAIN error.

NXDOMAIN is the internet’s blunt way of saying “the answer to your question doesn’t exist”.  Technically speaking, it’s saying that the domain name referenced in the Domain Name System (DNS) query does not exist at all. NXDOMAIN is an answer that only an authoritative server can return.

If the domain name exists, the upstream servers will return the positive response NOERROR along with the answer or answers to the DNS query. It is possible to receive a NOERROR response without any specific answers. This happens if the domain exists, but not the record type requested. For instance, if an AAAA (IPv6) record type was requested but there is only an A record (IPv4) available for the given name, you would receive a NOERROR (the domain exists) but no answers (as there are no AAAA records for the name).

Leveraging an NXDOMAIN response

For the average internet user, NXDOMAINs are usually the result of a typo in the web address, or perhaps an attempt to access a website that no longer exists.  They are a mere inconvenience.

For network and security administrators, NXDOMAIN replies can be far more interesting.  Persistent NXDOMAIN messages can actually be an early indicator of network issues or security gaps.  With the right DNS security tools in place, these failed responses can become a goldmine of valuable data.  (Some unscrupulous ISPs even use a form of DNS hijacking to turn an NXDOMAIN into a business opportunity!)

If you want to mine these DNS error responses to uncover security and network performance issues, you’re going to need comprehensive data from DNS logs in a readily searchable format. 

This is a tall order for enterprises operating with decentralized network infrastructure like Microsoft DNS and BIND.  In these situations, DNS logs will need to be manually collected from individual DNS servers – a time-consuming process.  It’s much easier when you have a unified DNS service operating across the enterprise, funneling all that data into a single location.  Needless to say, the service points of BlueCat’s Adaptive DNS solution provide all of your DNS data in one place.

What does NXDOMAIN mean?

Once you have the right DNS response data at your fingertips, you can search for patterns and find more details about the root cause of failed DNS requests.  Here’s what some of those NXDOMAIN responses might be telling you.

Beaconing:  When malware tries to “phone home” to command and control systems to receive instructions, it doesn’t always know the latest domain to look for. There are many known cases of malware using domain generation algorithms (DGAs) to avoid being blocked. DGAs generate and register new domains on the internet, and the malware, using a similar algorithm, tries a series of domains until it finds one that provides an answer. Oftentimes the installed malware beacons on a somewhat consistent schedule. Persistent and periodic NXDOMAIN responses for names under suspicious top-level domains and known malicious sites can be a clue that a device is infected.  Several statistical methods can be used to score the likelihood that a domain was generated algorithmically.
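One way to score NXDOMAIN names for DGA-likeness, as an added example that is not part of the original post or of any BlueCat product: the registrable label is scored on character entropy, vowel scarcity, digit density and length, with the weights, scales and the 0.5 threshold being illustrative assumptions to be tuned against your own baseline of benign failed lookups.

```python
import math
from collections import Counter

VOWELS = set("aeiou")
# Assumed threshold; tune against your own baseline of benign NXDOMAIN names.
SUSPICIOUS_SCORE = 0.5

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the label (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(name: str) -> str:
    """Second-level label: 'qx7vz9kjw4lp.example' -> 'qx7vz9kjw4lp'.
    Assumes a one-label public suffix; .co.uk-style suffixes are not handled."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(name: str) -> float:
    """Heuristic 0..1 score; higher means more DGA-like.
    Averages four clipped features: character entropy, vowel scarcity,
    digit density and label length. Weights and scales are illustrative."""
    label = registrable_label(name)
    if not label:
        return 0.0
    n = len(label)
    entropy_term = min(shannon_entropy(label) / 4.0, 1.0)
    vowel_term = 1.0 - min(sum(ch in VOWELS for ch in label) / n / 0.4, 1.0)
    digit_term = min(sum(ch.isdigit() for ch in label) / n / 0.3, 1.0)
    length_term = min(n / 20.0, 1.0)
    return (entropy_term + vowel_term + digit_term + length_term) / 4.0

def is_suspicious(name: str) -> bool:
    return dga_score(name) >= SUSPICIOUS_SCORE

def rank_nxdomains(names):
    """Return (score, name) pairs, most DGA-like first, for a batch of
    names that returned NXDOMAIN for one client."""
    return sorted(((dga_score(n), n) for n in names), reverse=True)

if __name__ == "__main__":
    # Constructed sample: one plausible DGA name among ordinary lookups.
    for score, name in rank_nxdomains(
            ["mail.google.com", "qx7vz9kjw4lp.example", "wpad.corp.example.com"]):
        print(f"{score:.2f} {name}")
```

Scores from a single name are only a starting point; combine them with the per-client periodicity the paragraph describes before treating a host as infected.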

Reconnaissance and Lateral Movement:  Advanced persistent threats often sit in the background of a network, biding their time as they search for valuable information and ways to exfiltrate data to the outside.  That mapping process often involves a considerable amount of trial and error.  Persistent NXDOMAIN responses from your local DNS service that all originate from a single client could be an indicator of this type of internal beaconing. Networks can be reverse-engineered using PTR queries, and interesting hostnames can be mined from the answers.

Zone sync issues:  DNS zones are often replicated across many servers to reduce latency and increase reliability. If these zones fall out of sync, some users will get the correct response and others will receive an NXDOMAIN for the same destination, depending on which authority handles the DNS resolution path.  These cases are very difficult to debug without visibility into internal, “east-west” network traffic – network admins need the ability to trace specific pathways between clients, networks, and servers.

NXDOMAIN as a signal

Certain normal processes use the existence of a DNS resource record as a signal to do, or not do, something.  The presence or absence of an answer tells the client how to behave, and a positive answer may carry information (such as the address of a content cache). 

WPAD:  Web Proxy Auto-Discovery (WPAD) uses a special-purpose name that clients query to find the location of a proxy configuration file.  Clients will usually attempt to look up this name in every DNS search domain configured.  In corporate environments, this often results in millions of NXDOMAIN responses. 

ISATAP:  Microsoft’s Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) generates a link-local IPv6 address from an IPv4 address and performs neighbor discovery on top of IPv4. It uses a special domain name that should only have an answer if ISATAP is configured, so this process often generates piles of NXDOMAIN responses.  That can look like a problem at first, but here the NXDOMAIN is the expected result of a completed query, and one that actually points to something interesting.

DNS over HTTPS:  Mozilla has announced a canary domain (use-application-dns.net) that acts as a signal to Firefox not to use DNS over HTTPS (DoH). Network administrators can configure their DNS servers to return NXDOMAIN for this name in order to turn DoH off.

Maintaining situational awareness

In general, the patterns of NXDOMAIN responses are going to be the most interesting to threat hunters and security personnel.  When any consistently queried domain name abruptly starts to return NXDOMAIN responses, that’s often the earliest indication that something is amiss.
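A small triage pass over response logs, added here as an example rather than code from the original post or from BlueCat: it sets aside the WPAD, ISATAP and DoH-canary NXDOMAINs described above as expected signal, flags a single client accumulating reverse-lookup (PTR) failures as in the reconnaissance section, and reports names that resolved earlier in the log and then abruptly began returning NXDOMAIN. The log layout, hosts and the threshold of three reverse-lookup failures are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, simplified "ts client qname qtype rcode" layout (not a real server's format).
SAMPLE_LOG = """\
09:00:01 10.0.0.9 wpad.corp.example.com A NXDOMAIN
09:00:01 10.0.0.9 isatap.corp.example.com A NXDOMAIN
09:00:02 10.0.0.9 use-application-dns.net A NXDOMAIN
09:00:05 10.0.0.9 intranet.corp.example.com A NOERROR
09:00:07 10.0.0.7 1.1.16.172.in-addr.arpa PTR NXDOMAIN
09:00:07 10.0.0.7 2.1.16.172.in-addr.arpa PTR NXDOMAIN
09:00:08 10.0.0.7 3.1.16.172.in-addr.arpa PTR NXDOMAIN
09:00:08 10.0.0.7 4.1.16.172.in-addr.arpa PTR NXDOMAIN
09:00:09 10.0.0.7 backup01.corp.example.com A NXDOMAIN
09:05:00 10.0.0.9 intranet.corp.example.com A NXDOMAIN
"""

# WPAD, ISATAP and the Firefox DoH canary return NXDOMAIN by design.
EXPECTED_SIGNAL = re.compile(r"^(wpad|isatap)\.|^use-application-dns\.net$")
PTR_SWEEP_MIN = 3  # assumed threshold: distinct reverse-lookup NXDOMAINs per client

def parse(line):
    ts, client, qname, qtype, rcode = line.split()
    return ts, client, qname.lower().rstrip("."), qtype, rcode

def is_expected_signal(qname):
    return bool(EXPECTED_SIGNAL.search(qname.lower().rstrip(".")))

def triage(log_text):
    """Return (per-client findings, names that resolved then went NXDOMAIN)."""
    per_client = defaultdict(lambda: {"ptr_nx": set(), "unexplained": []})
    last_rcode, flipped = {}, []
    for line in log_text.strip().splitlines():
        _, client, qname, qtype, rcode = parse(line)
        prev, last_rcode[qname] = last_rcode.get(qname), rcode
        if rcode != "NXDOMAIN":
            continue
        if prev == "NOERROR":
            flipped.append(qname)          # the "abruptly starts failing" case
        if is_expected_signal(qname):
            continue                       # expected noise, not a finding
        rec = per_client[client]
        if qtype == "PTR" and qname.endswith(".in-addr.arpa"):
            rec["ptr_nx"].add(qname)       # reverse-lookup trial and error
        else:
            rec["unexplained"].append(qname)
    findings = {c: {"ptr_sweep": len(r["ptr_nx"]) >= PTR_SWEEP_MIN,
                    "unexplained": r["unexplained"]} for c, r in per_client.items()}
    return findings, flipped
```

In a real deployment the same pass would run over a time window with per-client rate baselines rather than a fixed count.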

Mining the patterns of NXDOMAIN responses is just one example of the value that a unified DNS management and DNS security system can deliver.  Uncovering malware inside your network, lowering bandwidth costs, and eliminating performance issues are just some of the ways that paying attention to your DNS data can pay almost immediate dividends.

Learn more about BlueCat’s DNS security solutions and our unique way of collecting DNS data through service points.

Ben Ball

Ben Ball is the Director of Strategy and Content Marketing at BlueCat. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.
