{"id":2411,"date":"2015-10-01T22:01:19","date_gmt":"2015-10-01T22:01:19","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=2411"},"modified":"2020-06-02T08:24:33","modified_gmt":"2020-06-02T15:24:33","slug":"understanding-nxdomain-attack-methods","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/company\/understanding-nxdomain-attack-methods\/","title":{"rendered":"Understanding NXDOMAIN Attack Methods"},"content":{"rendered":"
\"\"
Computer crime concept<\/figcaption><\/figure>\n

Distributed denial of service (DDoS) attacks exploiting the Domain Name System (DNS) are constantly evolving and NXDOMAIN attacks are no exception. A few years ago, we would see simple methods where attackers would send a flood of queries to a DNS server to resolve a non-existent domain name. They would repeatedly send the fake request again and again, hoping to slow down the DNS server\u2019s response time for legitimate requests. With newer technology and improvements in caching, these methods are often failing to cause the damage attackers hope for. So attackers are changing tactics.<\/p>\n

\"\"<\/p>\n

Infoblox is now seeing many more sophisticated NXDOMAIN attacks using phantom domains and name servers that are set up as part of the attack. They also prepend randomly generated subdomain strings to DNS requests, which again means they are purposefully sending requests for subdomains that don\u2019t exist. The volume and type of attack might vary slightly based on what the attacker\u2019s intended target is \u2013 which can be either the recursive DNS server or the authoritative server of a target domain.<\/p>\n

When the target is the recursive server, the goal is to consume available resources of the server and pollute the cache with NXDOMAIN results. When the target is the authoritative server of another legitimate domain, it causes DDoS and can impact performance, especially for servers that have inadequate memory resources or have to query the disk to look up these non-existent domain names.<\/p>\n

There are ways to mitigate these complex NXDOMAIN attack methods and allow for continuous DNS service, even under attack. These include:<\/p>\n