What is a DNS NXDOMAIN Flood DDoS Attack?

What is a DNS Water Torture Attack?

In an NXDOMAIN, or DNS Water Torture DDoS attack, the attacker overwhelms the Domain Name System (DNS) server with a large volume of requests for non-existent or invalid records. In most cases, these state exhaustion DDoS attacks will be handled by a DNS Proxy server, which will then use up most, if not all, of its resources querying the DNS Authoritative server with these records. 

This will, in most cases, result in both the DNS Proxy server and the DNS Authoritative server using up all their time handling those bad requests, slowing response for legitimate requests and eventually, stopping responses all together. This is precisely what happened when DYN, a major DNS provider in USA, attacked in October 2016.

What is the meaning of NXDOMAIN?

NXDOMAIN means that the domain is non-existent, providing a DNS error message that is received by the client (Recursive DNS server). This happens when the domain has been requested but cannot be resolved to a valid IP address. All in all, NXDOMAIN error messages simply mean that the domain does not exist.

What Are the Signs of a DNS NXDOMAIN Flood Attack?

What Are the Signs of a DNS Water Torture DDoS Attack?

A DNS Proxy server under a DNS Water Torture attack will constantly send invalid requests to the respective DNS Authoritative server. As these requests are invalid, the Authoritative server will respond with a NXDOMAIN error response, which will be passed back to the client. 

As the volume of invalid requests increases, the Authoritative server will quickly slow down, resulting in legitimate requests not getting a response. The legitimate clients will then retry the requests, increasing the load even further on both the Proxy server and the Authoritative server.

The signs of such a DDoS attack are a high CPU load on the DNS servers, and a high rate of NXDOMAIN replies being generated.

Why is a DNS NXDOMAIN Flood Attack Dangerous?

Why is a DNS Water Torture Attack Dangerous?

A DNS Water Torture attack is dangerous because it can be difficult to detect. Many DNS server administrators misidentify the slowdown as a performance problem when in actuality it is a NXDOMAIN attack on their DNS server.

How to Mitigate and Prevent a DNS NXDOMAIN Flood Attack

How to Mitigate and Prevent a DNS NXDOMAIN Flood DDoS Attack

Conducting regular DNS audits is crucial for mitigating such attacks. Monitoring DNS servers and traffic, can aid in DNS DDoS protection on the network.


Additional steps include:

  • Automatically blackhole suspect domains and servers
  • Implement DNS Response Rate Limiting
  • Examine the behavior of a client. If a client generates a high rate of NXDOMAIN, NXRRset, or SRVFAIL responses, block requests from that client’s IP address for a configurable period of time.
  • Be sure that cache refresh takes place, ensuring continuous service
  • Lower the timeout for recursive name lookup to free up resources in the DNS resolver, thus preventing simultaneous outstanding DNS queries from maxing out
  • Increase the TTL on existing records as this will ensure records are kept longer in external DNS caches, making it less likely that those records will have to be updated
  • Apply rate limiting on traffic to overwhelmed servers

How can NETSCOUT help?

NETSCOUT's Arbor DDoS solution has been protecting the world's largest and most demanding networks from DDoS attacks for more than a decade. We strongly believe that the best way to protect your resources from modern DDoS attacks is through a multi-layer deployment of purpose-built DDoS mitigation solutions.

Only with a tightly integrated, multi-layer defense can you adequately protect your organization from the full spectrum of DDoS attacks.

Arbor Cloud

Tightly integrated, multi-layer DDoS protection

Arbor Edge Defense


Arbor SP/Threat Mitigation System

High Capacity On-Premise Solution for Large Organizations

NETSCOUT customers enjoy a considerable competitive advantage by getting both a micro view of their own network, via our products, combined with a macro view of global Internet traffic, via NETSCOUT Omnis Threat Horizon, an interface to our ATLAS threat intelligence and a DDoS Attack Map visualization.