A NXDOMAIN attack is a type of DNS Flood Attack where an overwhelming number of DNS lookup requests are sent to non-existent domain names, typically subdomains of the primary domain under attack. These requests are then forwarded on to the authoritative DNS server which is responsible for the domain name with the intention of starving the server of resources which in turn will be unable to respond to legitimate requests ultimately making the website or service unavailable to users.
NXDOMAIN attacks can affect network providers, website owners, as well as end-users & customers.
Network Providers - Network providers operating DNS servers are affected by this attack type as they are running the servers responsible for handling the requests. If they are unable to handle or mitigate the attack, then this may lead to many of their customers and their websites and services being inaccessible.
Website Owners - Website or other service providers (eg VoIP, email, game servers, etc) are typically the intended victim of NXDOMAIN attacks and are affected by having their service becoming inaccessible to legitimate customers which may mean they are unable to sell their products or offer their services.
Users & Customers - End users become unable to access the products or services offered by the website or service under attack. Additionally, users of other websites may also be affected if they share a common DNS server provider which has been attacked.
NXDOMAIN attacks are performed by sending a large number of DNS requests for domain names that do not exist. The domain names are usually randomly generated and unlikely to exist, for example adsf83s8ds.example.com. Typically, these attacks are carried out by botnets consisting of many thousands of compromised devices located all around the world which makes this type of DNS attack hard to detect and block.
Detecting an unsophisticated NXDOMAIN attack can be easy as detecting an out of the ordinary number of requests to non-existent domain names from a single source.
However, these attacks are typically performed by many thousands of sources at the same time and more sophisticated attacks may mix in legitimate requests in order to circumvent detection.
Ultimately, gathering and analysing enough data for patterns of abuse is what is required to detect these attacks.
Preventing NXDOMAIN attacks can be a tricky task but comes down to having enough excess capacity to handle a sudden surge in traffic as well as detecting and blocking requests by illegitimate clients.
Commercial DNS monitoring and firewall products are available for protecting network providers running their own DNS servers as well as the option of using DNS server providers who use these products for their own customers domain names under management.
