• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1434
  • Last Modified:

DGA NXDOMAIN response Exploit Attempt Proceeded by Recon

I have an alert  from root server,   DNS entry for host 192.228.79.201 is b.root-servers.net, but my Palo Alto router indicates its elicited a DGA NXDOMAIN response.  

My question:  Is this not a real root-server ? or was it spoofed ?
0
hcrates
Asked:
hcrates
1 Solution
 
btanExec ConsultantCommented:
Actually DGA NXDomain is primarily to mean the highlighted domain is a DGA-generated (random) domain that a bot queries would result in Non-Existent Domain (NXDomain) responses. It can be a shortlived and not necessary a malicious attempt though this is abnormal, esp not received from the past.

In fact, most of the time the first thinking of such warning alert is that the domain may be already be DNS hijacked or exploited/abused thru scheme like DNS cache poisoning where the true legit value is not response correctly back to DNS queries. The receiver will then flag alerts. The mentioned DNS entry is still valid as I queried and is also stated in http://www.iana.org/domains/root/servers



Maybe good to check the log if there are attempted login or anomalies to the router or ext DNS server. Clear the cache and check again.

For info, such occurence may also be a case if the domain name is queried on one of these non-compliant ISPs, one would always receive a fake IP address belonging to the ISP. And this can in client browser displays the ISP redirect page of the provider, sometimes with advertising, instead of a proper error message. This can also include situation whereby NXDomain is spoofed as responses with intend to bypass certain privacy constraint which ISP is not adhering to hence they send out such responses..

Side track - On infection case such as a malware infested machine, it act like a bot leveraged on DGA domain to call back to their mothership which does not persist long enough for any investigation to be effective and deter the operational aspects for audit trace back. The bot can also be searching for the next victim to spread across the malware by eventually responding the machine in query to connect to it etc.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now