An NXDOMAIN attack, sometimes lumped together with the related “phantom domain attack”, is a type of Distributed Denial of Service (DDoS) attack that targets both authoritative and recursive (resolver) DNS servers. Attackers flood the server with queries for nonexistent domain names or Fully-Qualified Domain Names (FQDNs), causing it to waste resources (network, processor, memory, log processing, and storage) on lookups and responses for names that do not exist.
NXDOMAIN attacks can overwhelm the authoritative servers for a domain, rendering them unresponsive and disrupting legitimate access to the websites and online services that depend on them. This type of attack can lead to significant downtime, financial losses, and reputational damage for targeted organizations.
Want to learn more? Read our blog, “What is this NXDomain DNS Query Response and Why do I Have Them?”
What does NXDOMAIN mean?
NXDOMAIN stands for “Non-Existent Domain” and is the name of a specific response code in the Domain Name System (DNS) protocol. When a DNS resolver looks up an FQDN that does not exist in the authoritative server’s zone, the server returns an NXDOMAIN response. This response indicates that the requested name cannot be resolved because it does not exist. It is a standard part of DNS: RFC 1034 defines it as the “Name Error” response (RCODE 3), and RFC 2308 introduced the NXDOMAIN term and specifies how resolvers cache such negative answers. Common causes include typographical errors, expired or deleted domains, subdomain brute-forcing tools such as dnsenum, and queries for names that never existed.
How does a DNS NXDOMAIN attack work?
Attackers use the NXDOMAIN flood or phantom domain attack method as a DDoS vector. Generating high volumes of queries for nonexistent FQDNs causes a cascading effect across different types of servers. Recursive DNS servers, which handle queries on behalf of users, have no cached answer for a name they have never seen, so they must forward each such request to the authoritative servers; a flood aimed at many recursive resolvers therefore becomes a flood against the victim’s authoritative servers, amplifying the attack’s impact. The flood of requests can exhaust a DNS server’s resources, making legitimate DNS queries slow or entirely unresolvable.
Lower-volume bursts of NXDOMAIN responses come from subdomain brute-forcing tools such as dnsenum or fierce. These reconnaissance tools take a wordlist, build candidate FQDNs under the target domain, query each one, and use the response code to determine which candidates exist as resource records in the zone.
A common variation is the random subdomain attack (also called a “DNS water torture” attack), in which the attacker prepends random alphanumeric labels to the target domain to form a unique FQDN for every query. Because each name is new, neither the recursive resolver’s ordinary cache nor its negative cache can absorb the query, so every one of them reaches the authoritative server.
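To make the caching point concrete, here is an added example (not code from this page or from Vercara) that models a recursive resolver with an RFC 2308 style negative cache in front of a toy authoritative server and counts how many queries reach the authoritative side under three floods: the same nonexistent name repeated, random labels, and the same name with a zero negative-cache TTL. The zone contents, names, TTL values and query counts are made up for the example.

```python
"""Toy model of a recursive resolver's negative cache under NXDOMAIN floods.
Added illustration; not the page's or Vercara's code. All names, TTLs and
query counts below are assumptions chosen for the example."""
import random
import string


class AuthoritativeServer:
    """Authoritative server for one zone. Counts every query it receives."""

    def __init__(self, existing_names, negative_ttl):
        self.existing = set(existing_names)
        self.negative_ttl = negative_ttl  # negative-cache TTL advertised via the SOA
        self.queries_received = 0

    def query(self, qname):
        self.queries_received += 1
        if qname in self.existing:
            return "NOERROR", 300          # positive answer, 300 s TTL
        return "NXDOMAIN", self.negative_ttl  # Name Error, cacheable for negative_ttl


class RecursiveResolver:
    """Recursor that caches both positive and negative answers by name."""

    def __init__(self, auth):
        self.auth = auth
        self.cache = {}   # qname -> (rcode, expires_at)
        self.hits = 0

    def resolve(self, qname, now):
        entry = self.cache.get(qname)
        if entry and entry[1] > now:      # still valid: answer from cache
            self.hits += 1
            return entry[0]
        rcode, ttl = self.auth.query(qname)  # miss: ask the authoritative server
        self.cache[qname] = (rcode, now + ttl)
        return rcode


def random_label(rng, length=12):
    """Attacker-style label: 12 random lowercase alphanumerics."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def run_flood(random_labels, n_queries, negative_ttl, seed=1):
    """Send n_queries through a fresh resolver, spread over one second.
    Returns (queries that reached the authoritative server, resolver cache hits)."""
    rng = random.Random(seed)
    auth = AuthoritativeServer({"www.example.com."}, negative_ttl)
    resolver = RecursiveResolver(auth)
    for i in range(n_queries):
        now = i / n_queries  # all queries land inside one second
        if random_labels:
            qname = f"{random_label(rng)}.example.com."   # unique name every time
        else:
            qname = "doesnotexist.example.com."            # same nonexistent name
        resolver.resolve(qname, now)
    return auth.queries_received, resolver.hits


if __name__ == "__main__":
    print("same name, TTL 900 :", run_flood(False, 10000, 900))
    print("random labels, TTL 900:", run_flood(True, 10000, 900))
    print("same name, TTL 0   :", run_flood(False, 10000, 0))
```

With a 900 second negative TTL, 10,000 queries for the same nonexistent name cost the authoritative server a single query; 10,000 random-label queries cost it 10,000, and setting the negative TTL to zero makes even the repeated-name case behave like the random one. That is the mechanism behind both the amplification through recursive resolvers and the limits of negative caching as a defence.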
Impact on DNS servers and businesses.
NXDOMAIN attacks, particularly at the volumes seen in a DDoS, cause downtime, financial losses, and reputational damage for businesses. The influx of invalid queries saturates network links and DNS servers, causing service unavailability or degraded performance; the inflated DNS traffic delays legitimate queries and raises bandwidth and infrastructure costs.
Defending against NXDOMAIN attacks.
While NXDOMAIN responses are a normal part of DNS resolution, malicious actors who exploit them through NXDOMAIN flood or phantom domain attacks can cause an outsized impact on DNS infrastructure. Understanding these attacks and implementing preventive measures helps keep DNS services reliable. Several mitigation strategies can protect against NXDOMAIN-based attacks, including:
- Overprovisioning: using managed authoritative DNS providers with enough capacity to absorb a large increase in query volume.
- DDoS mitigation services: employing services such as UltraDDoS Protect to scrub malicious traffic before it reaches DNS servers.
- Network and query rate limiting: setting a threshold on how many bits per second or DNS queries per second a source IP address may send before it is throttled or blocked. Because DNS runs mostly over UDP and source addresses can be spoofed, per-source limits on an authoritative server can also throttle legitimate recursive resolvers; Response Rate Limiting (RRL), which caps identical responses to a client network rather than blocking the client outright, is the usual complement on authoritative servers.
- DNS anycast: advertising the same service addresses from multiple servers and points of presence so that traffic is spread across them and no single server becomes overwhelmed.
- NXDOMAIN TTL optimization: tuning the negative-caching TTL (the SOA MINIMUM field as redefined by RFC 2308) so that recursive resolvers cache NXDOMAIN answers for a set period and stop re-asking for the same nonexistent name. This only helps against repeated queries for the same names; a random subdomain flood produces a new name every time and is not absorbed by negative caching.
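As an added example of the monitoring and rate-limiting side (not code from this page or from Vercara), the following Python reads a constructed resolver response log of the form “timestamp client qname rcode”, counts NXDOMAIN answers per client in a sliding one-second window, reports the NXDOMAIN ratio and the character entropy of the failing labels, and flags clients whose numbers point to a random-subdomain flood. The log format, addresses, thresholds and domain names are assumptions for the example.

```python
"""Flag random-subdomain (NXDOMAIN) flood sources in a resolver response log.
Added example; not the page's or Vercara's code. The log format, the sample
lines, the IP addresses and the thresholds are constructed for illustration."""
import math
import random
import string
from collections import defaultdict

# Constructed legitimate traffic: one user typo produces a single NXDOMAIN.
LEGIT_LINES = [
    "1700000000.001 192.0.2.10 www.example.com. NOERROR",
    "1700000000.020 192.0.2.10 mail.example.com. NOERROR",
    "1700000000.031 192.0.2.10 wwww.example.com. NXDOMAIN",
    "1700000000.250 192.0.2.10 api.example.com. NOERROR",
    "1700000000.400 192.0.2.11 www.example.com. NOERROR",
]


def build_sample_log(attacker="198.51.100.7", n_attack=200, seed=7):
    """Constructed log: the legitimate lines plus n_attack random-label
    NXDOMAIN answers from one client, all within one second."""
    rng = random.Random(seed)
    alphabet = string.ascii_lowercase + string.digits
    lines = list(LEGIT_LINES)
    for i in range(n_attack):
        label = "".join(rng.choice(alphabet) for _ in range(12))
        ts = 1700000000 + i / n_attack
        lines.append(f"{ts:.3f} {attacker} {label}.example.com. NXDOMAIN")
    return lines


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return float(ts), client, qname.lower(), rcode


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; random labels
    score high, dictionary words and typos score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(lines, window=1.0, nx_threshold=50, nx_ratio=0.8):
    """Per-client statistics with a flag decision. A client is flagged when it
    produced at least nx_threshold NXDOMAIN answers inside any `window`-second
    span and NXDOMAIN answers make up at least nx_ratio of its traffic."""
    per_client = defaultdict(lambda: {"total": 0, "nx_ts": [], "entropies": []})
    for line in lines:
        ts, client, qname, rcode = parse_line(line)
        stats = per_client[client]
        stats["total"] += 1
        if rcode == "NXDOMAIN":
            stats["nx_ts"].append(ts)
            stats["entropies"].append(label_entropy(qname.split(".")[0]))
    report = {}
    for client, stats in per_client.items():
        ts_list = sorted(stats["nx_ts"])
        peak, j = 0, 0
        for i, t in enumerate(ts_list):          # sliding window over NXDOMAIN times
            while ts_list[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        nx = len(ts_list)
        ratio = nx / stats["total"] if stats["total"] else 0.0
        ent = stats["entropies"]
        mean_ent = sum(ent) / len(ent) if ent else 0.0
        report[client] = {
            "total": stats["total"],
            "nxdomain": nx,
            "peak_nx_per_window": peak,
            "nxdomain_ratio": round(ratio, 2),
            "mean_label_entropy": round(mean_ent, 2),
            "flag": peak >= nx_threshold and ratio >= nx_ratio,
        }
    return report


def clients_to_rate_limit(lines, **kwargs):
    """Sorted list of clients the analysis recommends throttling."""
    return sorted(c for c, s in analyze(lines, **kwargs).items() if s["flag"])


if __name__ == "__main__":
    log = build_sample_log()
    for client, stats in analyze(log).items():
        print(client, stats)
    print("rate-limit:", clients_to_rate_limit(log))
```

On a recursive resolver the client addresses are real, so the flagged list can feed a per-client rate limit directly. On an authoritative server the “clients” are recursive resolvers or spoofed addresses, which is why the same logic should feed RRL style response limiting rather than a hard block: throttling a large public resolver because an attacker spoofed its address would complete the denial of service for the attacker.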
How Vercara can help.
Vercara’s authoritative managed DNS service, UltraDNS, is built to be resistant to NXDOMAIN attacks and other DDoS attacks through several controls:
- Multiple, redundant Points of Presence
- Network anycast to route each query to the topologically closest healthy set of authoritative servers
- Segmentation of nameservers to reduce the impact of
- UltraDDoS Protect to mitigate larger or more complex attacks
Organizations that host their own DNS servers can use Vercara UltraDDoS Protect to mitigate NXDOMAIN attacks, or any other DDoS attack, against their DNS servers or any other services on their network blocks. For more details, read our blog, “How UltraDNS Can Protect Against a New Wave of Attacks.”
They can also use UltraDNS as a secondary set of DNS servers, kept in sync through zone transfer (AXFR), manual changes, or the UltraDNS API (Application Programming Interface).
While NXDOMAIN attacks can cause availability issues and latency in DNS servers and the services that depend on them, Vercara offers several solutions and features that help organizations minimize the impact of these DDoS attacks and keep their services up and operational on a hostile Internet.