NF – Generic – Large number of NXDOMAIN replies

This alert fires when an external DNS server (source port 53) returns a large number of NXDOMAIN responses (RCODE 3, "non-existent domain") to hosts in $HOME_NET: more than 120 such replies from a single server within 60 seconds. A high rate of NXDOMAIN replies can indicate DNS tunneling, malware cycling through generated candidate domain names, or reconnaissance, but it also has benign causes such as misconfigured search suffixes or DNS blocklist (DNSBL) lookups, which legitimately answer NXDOMAIN for clean addresses; the signature excludes several common DNSBL zones for that reason.

Categories:

ID Number

5018801

Signature

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"NF - Generic - Large number of NXDOMAIN replies"; content:!"|07|spamcop|03|net"; content:!"|10|spameatingmonkey|03|net"; content:!"|08|spamhaus|03|org"; content:!"|05|sorbs|03|net"; content:!"|14|support-intelligence|03|net"; content:!"|05|surbl|03|org"; flow:to_client; byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; detection_filter:track by_src, count 120, seconds 60; reference:url,networkforensic.dk; metadata:25102015; classtype:misc-activity; sid:5018801; rev:5;)
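The following Python re-implements the signature's matching logic so it can be exercised offline against constructed DNS responses. It is an added example, not part of the networkforensic.dk rule set; the packet contents, IP addresses and timings are constructed for illustration, and the windowing in `DetectionFilter` is an approximation of Snort/Suricata `detection_filter` semantics (count per source, alert on every match beyond `count` while a 60 s window is open).

```python
"""Added example: offline model of sid 5018801 (not the rule set's own code).
All packets and addresses below are constructed for illustration."""
import struct

THRESHOLD = 120   # detection_filter count
WINDOW = 60       # detection_filter seconds


def encode_name(name):
    """Wire-encode a DNS name without the terminating zero label, e.g.
    'spamcop.net' -> b'\\x07spamcop\\x03net', the byte form used by content:!."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split("."))


# The content:! negations: DNSBL zones answer NXDOMAIN for clean IPs, so they are excluded.
EXCLUDED = [encode_name(n) for n in (
    "spamcop.net", "spameatingmonkey.net", "spamhaus.org",
    "sorbs.net", "support-intelligence.net", "surbl.org",
)]


def build_response(txid, qname, rcode, qtype=1):
    """Constructed sample: minimal DNS response with one question and no answers."""
    flags = 0x8180 | rcode            # QR=1, RD=1, RA=1, RCODE in the low nibble
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + b"\x00" + struct.pack("!HH", qtype, 1)


def matches_rule(payload):
    """Apply the signature's payload checks to one UDP datagram from port 53.
    byte_test:1,&,128,2                  -> QR bit set (this is a response)
    byte_test:1,&,1,3 and byte_test:1,&,2,3 -> RCODE bits 0 and 1 set (NXDOMAIN = 3)
    content:!"..."                       -> no excluded label sequence anywhere in the payload
    """
    if len(payload) < 12:
        return False
    if not payload[2] & 0x80:
        return False
    if (payload[3] & 0x03) != 0x03:
        return False
    return not any(pat in payload for pat in EXCLUDED)


class DetectionFilter:
    """Approximation of detection_filter: track by_src, count N, seconds T.
    Matches are counted per source IP in a window that starts at the first match;
    an alert is raised on each match beyond the count while that window is open."""

    def __init__(self, count=THRESHOLD, seconds=WINDOW):
        self.count, self.seconds = count, seconds
        self.state = {}   # src_ip -> (window_start, matches_in_window)

    def observe(self, src_ip, ts, payload):
        if not matches_rule(payload):
            return False
        start, n = self.state.get(src_ip, (ts, 0))
        if ts - start > self.seconds:        # window expired: start a new one
            start, n = ts, 0
        n += 1
        self.state[src_ip] = (start, n)
        return n > self.count


def demo():
    """Constructed traffic: one external resolver returns 130 NXDOMAINs in 26 s,
    one returns only DNSBL NXDOMAINs, one trickles 1 NXDOMAIN every 2 s.
    Returns (alerts for the burst, any alert for DNSBL, any alert for the trickle)."""
    df = DetectionFilter()
    burst = [df.observe("198.51.100.53", i * 0.2,
                        build_response(i, f"x{i}.example", 3)) for i in range(130)]
    dnsbl = [df.observe("198.51.100.54", i * 0.2,
                        build_response(i, "1.0.0.127.zen.spamhaus.org", 3)) for i in range(200)]
    slow = [df.observe("198.51.100.55", i * 2.0,
                       build_response(i, f"y{i}.example", 3)) for i in range(400)]
    return sum(burst), any(dnsbl), any(slow)


if __name__ == "__main__":
    print(demo())
```

Note what `track by_src` keys on: the source of the matching packets is the external DNS server, so the alert counter and the reported source address belong to that server, while the $HOME_NET destination is whichever host sent the queries, which in most networks is the internal recursive resolver rather than the end client.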

Severity

High

Recommendations/Investigative actions

Identify the internal host that originated the queries. Because the signature tracks by source, the alert is keyed on the external DNS server; the $HOME_NET destination is the host that sent the queries, which in many networks is an internal recursive resolver rather than the end client, so pivot to the resolver's query logs to find the originating client. Review the names that were queried: random-looking labels under a single parent domain suggest tunneling or algorithmically generated names, while names ending in internal search suffixes usually point to a misconfiguration. Check the host for DNS misconfiguration, adware, or malware that generates queries for invalid domains. If the source is a legitimate mail or security appliance querying a blocklist zone not already excluded by the signature, add a matching content:! exclusion rather than suppressing the rule. Consider rate limiting DNS queries per client.