
Introduction

The Passive DNS Replication technology behind Farsight Security’s DNSDB collects query responses from authoritative DNS servers and stores the resource records from those responses in a database. However, there is more value in Passive DNS than just the resource records. What isn’t in the DNS is also sometimes interesting. With that in mind, Farsight Security has launched two new SIE channels: DNS Errors and NXDOMAIN.

Error Values

Why pay attention to DNS failures?

First, let’s review. We know that a resource record in Farsight’s Passive DNS shows that:

  1. the owner of the domain of the resource record’s name published the resource record’s data under that name,
  2. someone queried for the resource record’s name, and
  3. an authoritative DNS server successfully responded with information to complete that query.

The DNS Errors channel focuses on those query results for which #3 doesn’t happen. It consists of error responses from authoritative name servers (e.g. SERVFAIL, REFUSED, NXDOMAIN), in Farsight’s raw Passive DNS format.

The NXDOMAIN channel focuses further in on the NXDOMAIN errors, and reports them in a more easily consumed format. These errors occur when #1 also doesn’t happen, leaving only #2. The NXDOMAIN report is thus a report of someone, somewhere, querying for something that doesn’t exist.

This failed query could be the result of a user mistyping a web site address, but quite often it is the result of an automated process, such as:

  • software querying a defunct provider’s servers for updates,
  • a member of a dead botnet attempting to find its command and control host,
  • a member of a not-necessarily-dead DGA (domain generation algorithm) botnet querying pseudorandomly generated domains to find its command and control,
  • a mail server querying a dnsbl, or
  • software searching the DNS for configuration (e.g., using SRV queries).

Failures in Action

A typical NXDOMAIN payload looks something like:

  qname: gdsrr.com.
  qclass: IN (1)
  qtype: MX (15)
  response_ip: 192.33.14.30
  soa_rrname: com.

The response_ip is the IPv4 or IPv6 address of the authoritative nameserver, and soa_rrname is the name the authoritative name server returned in the start of authority (SOA) record, if any. The latter is included as a hint to determine in which DNS zone the qname does not exist. In the above case, the soa_rrname value of com. indicates that gdsrr.com. does not exist, but com. does.

Note, also, that the failed query was of type “MX”, indicating that someone was attempting to send mail to that domain. Domains which appear in this manner repeatedly can, with a bit of work, make good spamtraps.

Another, more interesting, form of common query failure looks like:

  qname: netATLANTic.COM.MuLTI.SuRBl.ORg.
  qclass: IN (1)
  qtype: A (1)
  response_ip: 62.58.50.220
  soa_rrname: MuLTI.SuRBl.ORg.

(The odd capitalization is due to 0x20 randomization, a technique that mixes the case of the query name to add entropy to the DNS query identity.)

The above is a failed query for the domain netatlantic.com in the SURBL blocklist of domains. The fact that the query failed indicates that:

  • the netatlantic.com domain name was referenced in the body of an e-mail, and
  • netatlantic.com is NOT blocked by the SURBL blocklist, which is obviously good!

If you have domains or IP addresses which should never be used in e-mail, blocklist queries for them would be highly anomalous. Even if your domains or IPs are expected to appear in e-mail, a sudden spike in failed dnsbl queries is also an indicator of something worth investigating.
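The two checks described above (repeated failed MX lookups as spamtrap candidates, and failed blocklist lookups that reference domains you own) can be run over NXDOMAIN-channel payloads in the text form shown in this post. The following is an added example written for this article, not Farsight code; it assumes that payloads are separated by blank lines, that the caller supplies the list of blocklist zones and of its own domains, and the sample records embedded in it are constructed for the example.

```python
"""
Added example (not Farsight's code): parse NXDOMAIN-channel payloads in the
text form shown in the post, then apply two defender-side checks it describes:
repeated failed MX lookups (spamtrap candidates) and failed dnsbl lookups that
reference a domain we own.

Assumptions not stated on the page: records are separated by blank lines, and
the blocklist zones and "our" domains are supplied by the caller.
"""
from collections import Counter

# Constructed sample input: four payloads in the channel's text form.
# The last record (dnsbl.example, 2001:db8::53) is invented for the example.
SAMPLE_PAYLOADS = """\
qname: gdsrr.com.
qclass: IN (1)
qtype: MX (15)
response_ip: 192.33.14.30
soa_rrname: com.

qname: gdsrr.com.
qclass: IN (1)
qtype: MX (15)
response_ip: 192.33.14.30
soa_rrname: com.

qname: netATLANTic.COM.MuLTI.SuRBl.ORg.
qclass: IN (1)
qtype: A (1)
response_ip: 62.58.50.220
soa_rrname: MuLTI.SuRBl.ORg.

qname: ExAmPlE.nEt.dnsbl.example.
qclass: IN (1)
qtype: A (1)
response_ip: 2001:db8::53
soa_rrname: dnsbl.example.
"""


def parse_payloads(text):
    """Split the text into records; each record becomes a dict of field -> value.
    Values are kept exactly as the channel emits them (e.g. qtype 'MX (15)')."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:               # blank line terminates a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # first colon only: IPv6 values contain colons
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def qtype_name(record):
    """'MX (15)' -> 'MX'."""
    return record.get("qtype", "").split(" ")[0]


def normalize_name(name):
    """Undo 0x20 case randomization and ensure a trailing dot. DNS names are
    case-insensitive, so all comparisons are made on the lowercased form."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def repeated_mx_failures(records, min_count=2):
    """qnames with at least min_count failed MX lookups: names that keep
    receiving mail attempts although they do not exist (spamtrap candidates)."""
    counts = Counter(normalize_name(r["qname"]) for r in records if qtype_name(r) == "MX")
    return {name: n for name, n in counts.items() if n >= min_count}


def dnsbl_lookups(records, blocklist_zones):
    """Return (looked-up domain, blocklist zone) for each failed query whose
    soa_rrname is a known blocklist zone. NXDOMAIN here means the domain is
    NOT listed in that blocklist."""
    zones = {normalize_name(z) for z in blocklist_zones}
    hits = []
    for r in records:
        zone = normalize_name(r.get("soa_rrname", ""))
        qname = normalize_name(r["qname"])
        if zone in zones and qname.endswith("." + zone):
            looked_up = qname[: -len(zone) - 1] + "."   # strip the zone suffix
            hits.append((looked_up, zone))
    return hits


def flag_own_domains(lookups, own_domains):
    """Blocklist lookups of domains that should never appear in e-mail are
    anomalous: return those lookups that name one of our own domains."""
    own = {normalize_name(d) for d in own_domains}
    return [(d, z) for d, z in lookups if d in own]


if __name__ == "__main__":
    recs = parse_payloads(SAMPLE_PAYLOADS)
    print("spamtrap candidates:", repeated_mx_failures(recs))
    hits = dnsbl_lookups(recs, ["multi.surbl.org", "dnsbl.example"])
    print("failed dnsbl lookups:", hits)
    print("our domains seen in e-mail:", flag_own_domains(hits, ["example.net"]))
```

On the sample input the MX check reports gdsrr.com. twice, the dnsbl check recovers netatlantic.com. from the case-randomized SURBL query, and the constructed example.net record is flagged because it was passed as one of "our" domains. For the spike detection mentioned above, the same parsed records can be bucketed by time once the channel's timestamp field is added to the record dict; the counting logic does not change.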

Conclusion

This is just a glimpse of the information which can be gleaned from DNS query failures. If you would like to take a closer look yourself, don’t hesitate to contact us today!

Chris Mikkelson is a Senior Distributed Systems Engineer for Farsight Security, Inc.