An NXDOMAIN attack is one of various distributed denial-of-service (DDoS) attacks targeting the Domain Name System (DNS). In it, attackers flood a DNS server with a large request volume for records that do not exist or are invalid. As a result, the target DNS proxy server uses up its resources to query an authoritative server, causing both DNS servers to slow down and eventually stop responding.
The most infamous NXDOMAIN attack to date is probably the one that targeted Dyn, a prominent U.S.-based DNS service provider, in October 2016.
The NXDOMAIN attack on Dyn had disastrous consequences. It was even said to have “disrupted the Internet,” as it slowed down or even halted the operation of some of the world’s biggest companies, including Twitter, The Guardian, Netflix, Reddit, CNN, and many more.
Who Should Be Wary of NXDOMAIN Attacks?
Apart from DNS service providers like Dyn, other entities also need to guard against NXDOMAIN attacks. They include:
- Network service providers: Dyn falls under this category, along with any other entity that operates DNS servers. An NXDOMAIN attack can disrupt the operations of many of their customers by rendering their websites and services inaccessible.
- Website owners: All kinds of sites can also be brought down by NXDOMAIN attacks, making them inaccessible to legitimate customers. That could prevent them from selling products or offering their services.
- End-users: All affected website and service users will be unable to access the products or services they subscribe to if the provider is attacked.
How Can You Tell If an NXDOMAIN Attack Is Targeting You?
A DNS proxy server (one that forwards client requests to upstream servers and relays the replies back to clients) that constantly sends invalid requests upstream is most likely under an NXDOMAIN attack. The upstream server keeps responding with an error message. As the attack continues, the server slows down and can no longer process even legitimate requests. Eventually, it stops responding, disrupting the operation of a website or service.
A DNS server suffering from an NXDOMAIN attack shows a very high central processing unit (CPU) load and a very high rate of NXDOMAIN reply generation. In this scenario, the typical reply is NXDOMAIN, which means “The name does not exist.”
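The two detection signals above (a high rate of NXDOMAIN replies, and a source that keeps asking for names that do not exist) can be checked from resolver query logs. The following is an added example, not code from the original article or from any DNS server: it parses constructed log lines in an assumed "timestamp client qname rcode" format, slides a short time window over each client's queries, and flags clients whose NXDOMAIN share in that window is both large and dominant, along with the zone their nonexistent names fall under.

```python
import re
from collections import defaultdict

# Constructed sample log (not a real server's format): "epoch client qname rcode".
# 198.51.100.7 queries a burst of random labels under example.com; the others are normal.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000000 10.0.0.5 mail.example.com NOERROR
1700000001 198.51.100.7 a1b2c3.example.com NXDOMAIN
1700000001 198.51.100.7 x9y8z7.example.com NXDOMAIN
1700000001 198.51.100.7 q4w5e6.example.com NXDOMAIN
1700000002 198.51.100.7 r7t8y9.example.com NXDOMAIN
1700000002 10.0.0.5 www.example.com NOERROR
1700000002 198.51.100.7 u1i2o3.example.com NXDOMAIN
1700000003 198.51.100.7 p0a9s8.example.com NXDOMAIN
1700000003 10.0.0.9 typo.exampel.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qname, rcode); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower(), m.group(4)


def nxdomain_rate(text):
    """Overall fraction of replies that were NXDOMAIN (the server-wide signal)."""
    events = list(parse_log(text))
    return sum(1 for e in events if e[3] == "NXDOMAIN") / len(events) if events else 0.0


def flag_sources(text, window=5, min_nx=5, min_ratio=0.8):
    """Return {client: (nx_count, total, distinct_nx_names, zone)} for clients whose
    NXDOMAIN replies within any `window`-second span reach min_nx and min_ratio."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in parse_log(text):
        per_client[client].append((ts, qname, rcode))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] >= window:  # drop old events
                start += 1
            span = events[start:end + 1]
            nx = [q for _, q, r in span if r == "NXDOMAIN"]
            if len(nx) >= min_nx and len(nx) / len(span) >= min_ratio:
                zones = defaultdict(int)
                for q in nx:  # parent of the leftmost label = zone being hammered
                    zones[q.partition(".")[2] or q] += 1
                flagged[client] = (len(nx), len(span), len(set(nx)), max(zones, key=zones.get))
    return flagged
```

A high distinct-name count next to a high NXDOMAIN count is what separates a random-subdomain flood from a client repeatedly retrying one misspelled name; the thresholds are assumptions to be tuned against a server's normal baseline.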
Why Do NXDOMAIN Attacks Work?
NXDOMAIN attacks work because they are hard to detect. Many DNS server administrators assume a slowdown is caused by a performance problem rather than an attack.
How Can You Stop an NXDOMAIN Attack?
Regular auditing of DNS servers is critical to thwarting NXDOMAIN attacks. Monitoring server traffic can also stop an ongoing attack if detected early.
Other best practices are:
- Blackhole or shut down domains and servers that you suspect are under attack as soon as you see signs.
- Configure websites and servers to limit DNS response rates.
- Check for suspect websites and servers that are generating too many NXDOMAIN, NXRRSet (“The type of record doesn’t exist.”), or SERVFAIL (“Something went wrong.”) responses, and block the sources of those requests.
- Always ensure that cache refreshes take place on all websites and servers.
- Shorten the timeout for recursive name lookups. That frees up resources on DNS servers by preventing too many outstanding queries from accumulating and exhausting them.
- Increase the time-to-live (TTL) value on DNS records. That will allow servers to keep existing records (ones users queried before) in their cache.
- If a DNS server is already near full capacity, enable rate limiting on it to keep it from getting overwhelmed.
- Prevent DNS servers from logging nonexistent or invalid domains to free up much-needed resources.
- Keep a backup DNS service provider handy. If one fails (as in the Dyn attack), another can take its place.
- Use a DNS monitoring or firewall solution to detect attacks.
- Keep your DNS server private. If possible, use a dedicated server.
- Check for DNS-related vulnerabilities regularly. Download and install patches as soon as they are made available.
As you’ve seen, DNS servers are an integral part of business operations. If they succumb to an NXDOMAIN attack, chances are users won’t be able to access your website, causing you to lose productivity and even revenue.