What is a DNS NXDOMAIN Flood Attack?
In a DNS NXDOMAIN flood attack, the attacker overwhelms the Domain Name System (DNS) server with a large volume of requests for records that are non-existent or invalid. These state exhaustion DDoS attacks will in most cases be handled by a DNS Proxy server, which will then use up most, if not all, of its resources querying the DNS Authoritative server with these records. This will, in most cases, result in both the DNS Proxy server and the DNS Authoritative server using up all their time handling those bad requests, slowing response for legitimate requests and eventually, stopping responses all together. This is precisely what happened when DYN, a major DNS provider in USA, was attacked in October 2016.
What Are the Signs of a DNS NXDOMAIN Flood Attack?
When a DNS Proxy server is under a DNS NXDOMAIN Flood attack, it will constantly send the invalid requests to the respective DNS Authoritative server. As these requests are invalid, the Authoritative server will respond with a NXDOMAIN error response which will be passed back to the client. As the volume of invalid requests increases, the Authoritative server will quickly slow down, resulting in legitimate requests not getting a response. The legitimate clients will then retry the requests, resulting in the load increasing even further on both the Proxy server and the Authoritative server.
The signs of such a DDoS attack are very high CPU load on the DNS servers and a very high rate of NXDOMAIN replies being generated.
Why is a DNS NXDOMAIN Flood Attack Dangerous?
A DNS NXDOMAIN flood attack is dangerous because it can be difficult to detect. Many DNS server administrators misidentify the slowdown as a performance problem when in actuality it is a NXDOMAIN attack on their DNS server.
How to Mitigate and Prevent a DNS NXDOMAIN Flood Attack
Conducting regular DNS audits is crucial for mitigating such attacks. Monitoring DNS servers and traffic, can deter malicious attacks against the network.
Additional steps include:
- Automatically blackhole suspect domains and servers
- Implement DNS Response Rate Limiting
- Examine the behavior of a client. If a client generates a high rate of NXDOMAIN, NXRRset, or SRVFAIL responses, block requests from that client’s IP address for a configurable period of time.
- Be sure that cache refresh takes place, ensuring continuous service
- Lower the timeout for recursive name lookup to free up resources in the DNS resolver, thus preventing simultaneous outstanding DNS queries from maxing out
- Increase the TTL on existing records as this will ensure records are kept longer in external DNS caches, making it less likely that those records will have to be updated
- Apply rate limiting on traffic to overwhelmed servers