Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

DGA NXDOMAIN response   Exploit Attempt Proceeded by Recon

Posted on 2014-11-13
1
Medium Priority
?
1,164 Views
Last Modified: 2015-08-13
I have an alert  from root server,   DNS entry for host 192.228.79.201 is b.root-servers.net, but my Palo Alto router indicates its elicited a DGA NXDOMAIN response.  

My question:  Is this not a real root-server ? or was it spoofed ?
0
Comment
Question by:hcrates
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40442322
Actually DGA NXDomain is primarily to mean the highlighted domain is a DGA-generated (random) domain that a bot queries would result in Non-Existent Domain (NXDomain) responses. It can be a shortlived and not necessary a malicious attempt though this is abnormal, esp not received from the past.

In fact, most of the time the first thinking of such warning alert is that the domain may be already be DNS hijacked or exploited/abused thru scheme like DNS cache poisoning where the true legit value is not response correctly back to DNS queries. The receiver will then flag alerts. The mentioned DNS entry is still valid as I queried and is also stated in http://www.iana.org/domains/root/servers



Maybe good to check the log if there are attempted login or anomalies to the router or ext DNS server. Clear the cache and check again.

For info, such occurence may also be a case if the domain name is queried on one of these non-compliant ISPs, one would always receive a fake IP address belonging to the ISP. And this can in client browser displays the ISP redirect page of the provider, sometimes with advertising, instead of a proper error message. This can also include situation whereby NXDomain is spoofed as responses with intend to bypass certain privacy constraint which ISP is not adhering to hence they send out such responses..

Side track - On infection case such as a malware infested machine, it act like a bot leveraged on DGA domain to call back to their mothership which does not persist long enough for any investigation to be effective and deter the operational aspects for audit trace back. The bot can also be searching for the next victim to spread across the malware by eventually responding the machine in query to connect to it etc.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Read about achieving the basic levels of HRIS security in the workplace.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question