Abstract background of spheres and lines


The Passive DNS Replication technology behind Farsight Security’s DNSDB collects query responses from authoritative DNS servers and stores the resource records from those responses in a database. However, there is more value in Passive DNS than just the resource records. What isn’t in the DNS is also sometimes interesting. With that in mind, Farsight Security has launched two new SIE channels: DNS Errors and NXDOMAIN.

Error Values

Why pay attention to DNS failures?

First, let’s review. We know that a resource record in Farsight’s Passive DNS shows that:

  1. the owner of the domain of the resource record’s name published the resource record’s data under that name,
  2. someone queried for the resource record’s name, and
  3. an authoritative DNS server successfully responded with information to complete that query.

The DNS Errors channel focuses on those query results for which #3 doesn’t happen. It consists of error responses from authoritative name servers (e.g. SERVFAIL, REFUSED, NXDOMAIN), in Farsight’s raw Passive DNS format.

The NXDOMAIN channel focuses further in on the NXDOMAIN errors, and reports them in a more easily consumed format. These errors occur when #1 also doesn’t happen, leaving only #2. The NXDOMAIN report is thus a report of someone, somewhere, querying for something that doesn’t exist.

This failed query could be the result of a user mistyping a web site address, but quite often it is the result of an automated process, such as:

  • software querying a defunct provider’s servers for update
  • a member of a dead botnet attempting to find its command and control host
  • a member of a not necessarily dead DGA (domain generation algorithm) botnet querying pseudorandomly-generated domains to find its command and control
  • a mail server, querying a dnsbl.
  • software searching the DNS for configuration (e.g., using SRV queries).

Failures in Action

A typical NXDOMAIN payload looks something like:

  qname: gdsrr.com.
  qclass: IN (1)
  qtype: MX (15)
  soa_rrname: com.

The response_ip is the IPv4 or IPv6 address of the authoritative nameserver, and soa_rrname is the name the authoritative name server returned in the start of authority (SOA) record, if any. The latter is included as a hint to determine in which DNS zone the qname does not exist. In the above case, the soa_rrname value of com. indicates that gdsrr.com. does not exist, but com. does.

Note, also, that the failed query was of type “MX”, indicating that someone was attempting to send mail to that domain. Domains which appear in this manner repeatedly can, with a bit of work, make good spamtraps.

Another more interesting form of common query failure looks like:

	qname: netATLANTic.COM.MuLTI.SuRBl.ORg.
	qclass: IN (1)
	qtype: A (1)
	soa_rrname: MuLTI.SuRBl.ORg.

(The odd capitalization is due to the 0x20 randomization technique for augmenting the DNS query identity.)

The above is a failed query for the domain netatlantic.com in the SURBL blocklist of domains. The fact that the query failed indicates that:

  • the netatlantic.com domain name was referenced in the body of an e-mail, and
  • netatlantic.com is NOT blocked by the SURBL blocklist, which is obviously good!

If you have domains or IP addresses which should not be used in e-mail, blacklist queries for these domains would be very anomalous. Even if your domains or IPs are expected to appear in e-mail, sudden spikes in failed dnsbl queries are also an indicator of something worth investigating.


This is just a glimpse of the information which can be gleaned from DNS query failures. If you would like to take a closer look yourself, don’t hesitate to contact us today!

Chris Mikkelson is a Senior Distributed Systems Engineer for Farsight Security, Inc.