Are you interested in monitoring BYOD traffic headed to the Internet for security threats? You should be paying close attention to DNS traffic, specifically NXDOMAIN. The NXDOMAIN is a DNS message type received by the DNS resolver (i.e. client) when a request to resolve a domain is sent to the DNS and cannot be resolved to an IP address. An NXDOMAIN error message means that the domain does not exist.
Why Clients Trigger NXDOMAIN
If you are not terribly familiar with the DNS process, I suggest you read the post titled An Overview of DNS. Although an NXDOMAIN response can be a bad thing, it can help uncover bad actors trying to steal your company’s intellectual property.
Internal NXDOMAIN responses are created when a DNS has no listing for the domain requested. A device on the network triggers an NXDOMAIN back from the DNS for several reasons:
- A user enters a typo when trying to visit a website
- An application on the client is miss-configured
- A Chrome web browser reaches out to random local domains on startup to try and detect hijacking
- A device is infected with a bot utilizing a domain generating algorithm (DGA) in order to participate in a botnet.
Some vendors like McAfee and SonicWall use unresolvable 3rd, 4th, 5th, 6th, etc. level domains that can’t be resolved as a type of phone home data collection methodology. See the screen capture below:
Above we see a client that continues to receive NXDOMAIN responses for a 3rd or 4th level domain it is trying to resolve that ends with the 2nd level domain of webcfs03.com (Dell – SonicWALL).
When we see high numbers of NXDOMAIN replies for 2nd level domains such as mcafee.com or webcfs03.com and we know we have applications from these vendors on our network, we need to ignore or whitelist them from our monitoring DNS NXDOMAIN practices or else false positives will ensue. Read the post on Security Vendors Helping Bad Actors Get Past Firewalls to understand why vendors deliberately trigger NXDOMAIN responses by reaching out to domains that don’t exist. It’s really clever, but sort of disturbing.
Why You Should Monitor DNS NXDOMAIN
The reason you want to be monitoring DNS NXDOMAIN responses is because some forms of malware (largely bots) leverage domain generating algorithms (DGA) to try and reach the Command and Control (C&C). It is possible to see hundreds, and sometimes thousands, of requests per day being generated by the DGA utilized by the malware. Most randomly generated domains requested by an infected host will trigger an NXDOMAIN response from the DNS. If you monitor DNS NXDOMAIN requests and keep score per client, you can raise awareness of suspicious behaviors, but you still shouldn’t trigger alarms without further investigation. After all, you don’t want any false positives and remember, you have to whitelist domains like mcafee.com and webcfs03.com if you know that NXDOMAIN responses for these domains are necessary and required by certain internal software packages. After excluding the obvious stuff, you have to add logic to look for activities from suspicious clients such as:
- Reaching out to a domain that is on a black list for having a poor reputation
- Reaching out to sites such as http://whatismyipaddress.com/ to determine the Internet-facing IP address which the malware sends onto the C&C. This allows the bad actors behind the C&C to determine if the infected company that resolves to the IP address is worth trying to penetrate deeper with a more targeted attack.
The FlowPro Defender™ is a virtual or hardware-based appliance that passively listens to IPv4 and IPv6 traffic, creates flows, and then sends them off to the NetFlow and IPFIX collector at wire speeds.