Introducing NXD

Introduction
The Passive DNS Replication technology behind Farsight Security’s DNSDB collects query responses from authoritative DNS servers and stores the resource records from those responses in a database. However, there is more value in Passive DNS than just the resource records. What isn’t in the DNS is also sometimes interesting. With that in mind, Farsight Security has launched two new SIE channels: DNS Errors and NXDOMAIN.
Error Values
Why pay attention to DNS failures?
First, let’s review. We know that a resource record in Farsight’s Passive DNS shows that:
1. the owner of the domain of the resource record’s name published the resource record’s data under that name,
2. someone queried for the resource record’s name, and
3. an authoritative DNS server successfully responded with information to complete that query.
The DNS Errors channel focuses on those query results for which #3 doesn’t happen. It consists of error responses from authoritative name servers (e.g. SERVFAIL, REFUSED, NXDOMAIN), in Farsight’s raw Passive DNS format.
The NXDOMAIN channel focuses further in on the NXDOMAIN errors, and reports them in a more easily consumed format. These errors occur when #1 also doesn’t happen, leaving only #2. The NXDOMAIN report is thus a report of someone, somewhere, querying for something that doesn’t exist.
This failed query could be the result of a user mistyping a web site address, but quite often it is the result of an automated process, such as:
- software querying a defunct provider’s servers for updates,
- a member of a dead botnet attempting to find its command and control host,
- a member of a not necessarily dead DGA (domain generation algorithm) botnet querying pseudorandomly-generated domains to find its command and control,
- a mail server querying a DNSBL (DNS-based blocklist), or
- software searching the DNS for configuration (e.g., using SRV queries).
Failures in Action
A typical NXDOMAIN payload looks something like:
qname: gdsrr.com.
qclass: IN (1)
qtype: MX (15)
response_ip: 192.33.14.30
soa_rrname: com.
The response_ip is the IPv4 or IPv6 address of the authoritative nameserver, and soa_rrname is the name the authoritative name server returned in the start of authority (SOA) record, if any. The latter is included as a hint to determine in which DNS zone the qname does not exist. In the above case, the soa_rrname value of com. indicates that gdsrr.com. does not exist, but com. does.
Note, also, that the failed query was of type “MX”, indicating that someone was attempting to send mail to that domain. Domains which appear in this manner repeatedly can, with a bit of work, make good spamtraps.
Another, more interesting, form of common query failure looks like:
qname: netATLANTic.COM.MuLTI.SuRBl.ORg.
qclass: IN (1)
qtype: A (1)
response_ip: 62.58.50.220
soa_rrname: MuLTI.SuRBl.ORg.
(The odd capitalization is due to the 0x20 randomization technique for augmenting the DNS query identity: the resolver randomizes the case of the query name and the authoritative server echoes it back, so the case pattern acts as extra entropy alongside the 16-bit transaction ID. DNS names compare case-insensitively, so the name is still netatlantic.com.multi.surbl.org.)
The above is a failed query for the domain netatlantic.com in the SURBL blocklist of domains. The fact that the query failed indicates that:
- the netatlantic.com domain name was referenced in the body of an e-mail, and
- netatlantic.com is NOT blocked by the SURBL blocklist, which is obviously good!
If you have domains or IP addresses which should not be used in e-mail, blocklist queries for these domains would be very anomalous. Even if your domains or IPs are expected to appear in e-mail, sudden spikes in failed DNSBL queries are also an indicator of something worth investigating.
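To make the two payloads above concrete, here is an added example (my own illustration, not Farsight’s code or any SIE client) that parses NXDOMAIN-channel payloads in the text form shown in this post, undoes 0x20 case randomization, recognizes DNSBL misses versus MX failures, and raises the two alerts just described: a watched domain appearing in a blocklist lookup, and a spike in failed DNSBL queries. The sample payloads are the two from the post; the DNSBL zone list, the watched-domain set and the per-batch baseline are assumptions you would replace with your own.

```python
"""Added example: classify NXDOMAIN-channel payloads and flag the anomalies
the post describes. Not part of Farsight's tooling; sample data is constructed
from the two payloads shown in the post."""
from collections import Counter

# Constructed sample: the two payloads from the post, blank-line separated.
# The second qname's mixed case imitates 0x20 query-name randomization.
SAMPLE_PAYLOADS = """\
qname: gdsrr.com.
qclass: IN (1)
qtype: MX (15)
response_ip: 192.33.14.30
soa_rrname: com.

qname: netATLANTic.COM.MuLTI.SuRBl.ORg.
qclass: IN (1)
qtype: A (1)
response_ip: 62.58.50.220
soa_rrname: MuLTI.SuRBl.ORg.
"""

# Assumed DNSBL zones to recognize (lower-case, trailing dot); extend as needed.
DNSBL_ZONES = ("multi.surbl.org.",)
# Assumed set of our own domains that should never be referenced in e-mail.
WATCHED_DOMAINS = {"netatlantic.com."}


def parse_payloads(text):
    """Split blank-line separated payloads into dicts of field -> value.

    partition on the first ':' keeps IPv6 response_ip values intact."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def normalize_name(name):
    """Undo 0x20 case randomization: DNS names are case-insensitive."""
    return name.lower()


def classify(rec):
    """Return (kind, subject) describing what the failed query implies."""
    qname = normalize_name(rec["qname"])
    for zone in DNSBL_ZONES:
        if qname.endswith("." + zone):
            # A miss in a domain blocklist: strip the zone suffix to recover
            # the domain that was looked up (and therefore seen in mail).
            return ("dnsbl_miss", qname[: -len(zone)])
    if rec.get("qtype", "").startswith("MX"):
        # Mail delivery attempted to a domain that does not exist.
        return ("mx_nxdomain", qname)
    return ("other_nxdomain", qname)


def review(records, baseline_dnsbl_misses=0, spike_factor=3):
    """Summarize a batch and return (counts, alerts).

    baseline_dnsbl_misses is an assumed typical per-batch count; a batch with
    spike_factor times that many DNSBL misses is flagged."""
    kinds = Counter()
    alerts = []
    for rec in records:
        kind, subject = classify(rec)
        kinds[kind] += 1
        if kind == "dnsbl_miss" and subject in WATCHED_DOMAINS:
            alerts.append(f"watched domain {subject} looked up in a DNSBL")
    misses = kinds["dnsbl_miss"]
    if baseline_dnsbl_misses and misses >= spike_factor * baseline_dnsbl_misses:
        alerts.append(f"DNSBL miss spike: {misses} vs baseline {baseline_dnsbl_misses}")
    return kinds, alerts


if __name__ == "__main__":
    counts, found = review(parse_payloads(SAMPLE_PAYLOADS))
    print(dict(counts))
    for alert in found:
        print("ALERT:", alert)
```

In a real deployment the batch would be one time window of channel output rather than a string literal, and the baseline would be learned from prior windows; the classification logic is the part that carries over unchanged.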
Conclusion
This is just a glimpse of the information which can be gleaned from DNS query failures. If you would like to take a closer look yourself, don’t hesitate to contact us today!
Chris Mikkelson is a Senior Distributed Systems Engineer for Farsight Security, Inc.
