What is a DNS NXDOMAIN Flood DDoS Attack?
In a DNS NXDOMAIN flood DDoS attack, the attacker overwhelms the Domain Name System (DNS) server with a large volume of requests for records that are non-existent or invalid. These state exhaustion DDoS attacks will in most cases be handled by a DNS Proxy server, which will then use up most, if not all, of its resources querying the DNS Authoritative server with these records. This will, in most cases, result in both the DNS Proxy server and the DNS Authoritative server using up all their time handling those bad requests, slowing response for legitimate requests and eventually, stopping responses all together. This is precisely what happened when DYN, a major DNS provider in USA, was attacked in October 2016.
What Are the Signs of a DNS NXDOMAIN Flood DDoS Attack?
When a DNS Proxy server is under a DNS NXDOMAIN Flood DDoS attack, it will constantly send the invalid requests to the respective DNS Authoritative server. As these requests are invalid, the Authoritative server will respond with a NXDOMAIN error response which will be passed back to the client. As the volume of invalid requests increases, the Authoritative server will quickly slow down, resulting in legitimate requests not getting a response. The legitimate clients will then retry the requests, resulting in the load increasing even further on both the Proxy server and the Authoritative server.
The signs of such a DDoS attack are very high CPU load on the DNS servers and a very high rate of NXDOMAIN replies being generated.
Why is a DNS NXDOMAIN Flood DDoS Attack Dangerous?
A DNS NXDOMAIN flood DDoS attack is dangerous because it can be difficult to detect. Many DNS server administrators misidentify the slowdown as a performance problem when in actuality it is a NXDOMAIN attack on their DNS server.
How to Mitigate and Prevent a DNS NXDOMAIN Flood DDoS Attack
Conducting regular DNS audits is crucial for mitigating such attacks. Monitoring DNS servers and traffic, can deter malicious attacks against the network.
Additional steps include:
- Automatically blackhole suspect domains and servers
- Implement DNS Response Rate Limiting
- Examine the behavior of a client. If a client generates a high rate of NXDOMAIN, NXRRset, or SRVFAIL responses, block requests from that client’s IP address for a configurable period of time.
- Be sure that cache refresh takes place, ensuring continuous service
- Lower the timeout for recursive name lookup to free up resources in the DNS resolver, thus preventing simultaneous outstanding DNS queries from maxing out
- Increase the TTL on existing records as this will ensure records are kept longer in external DNS caches, making it less likely that those records will have to be updated
- Apply rate limiting on traffic to overwhelmed servers
How can NETSCOUT help?
NETSCOUT's Arbor DDoS solution has been protecting the world's largest and most demanding networks from DDoS attacks for more than a decade. We strongly believe that the best way to protect your resources from modern DDoS attacks is through a multi-layer deployment of purpose-built DDoS mitigation solutions.
Only with a tightly integrated, multi-layer defense can you adequately protect your organization from the full spectrum of DDoS attacks.
Arbor SP/Threat Mitigation System
NETSCOUT customers enjoy a considerable competitive advantage by getting both a micro view of their own network, via our products, combined with a macro view of global Internet traffic, via NETSCOUT Omnis Threat Horizon, an interface to our ATLAS threat intelligence and a DDoS Attack Map visualization.
Related Resources
State Exhaustion DDoS Attacks
Find out everything you need to know about state-exhaustion DDoS attacks and learn how to protect your network infrastructure.
Digital Attack Map
Click here to view a live global map of DDoS attack activity through NETSCOUT Omnis Threat Horizon.
ASERT Blog
Read the latest news and insights from NETSCOUT’s world-class security researchers and analysts.