Solved

DGA NXDOMAIN response / Exploit Attempt Proceeded by Recon

Posted on 2014-11-13
499 Views
Last Modified: 2015-08-13
I have an alert from a root server. The DNS entry for host 192.228.79.201 is b.root-servers.net, but my Palo Alto router indicates it elicited a DGA NXDOMAIN response.

My question: Is this not a real root server? Or was it spoofed?
Question by: hcrates
Accepted Solution

by: btan (LVL 61), earned 500 total points
ID: 40442322
Actually, DGA NXDomain primarily means the highlighted domain is a DGA-generated (random) domain that a bot queries, which would result in Non-Existent Domain (NXDomain) responses. It can be short-lived and not necessarily a malicious attempt, though this is abnormal, especially if not received in the past.

In fact, most of the time the first thought on such a warning alert is that the domain may already have been DNS hijacked or exploited/abused through a scheme like DNS cache poisoning, where the true legitimate value is not returned correctly in response to DNS queries. The receiver will then flag alerts. The mentioned DNS entry is still valid as I queried it, and it is also stated in http://www.iana.org/domains/root/servers

It may be good to check the logs for attempted logins or anomalies on the router or external DNS server. Clear the cache and check again.

For info, such an occurrence may also be the case if the domain name is queried on one of these non-compliant ISPs: one would always receive a fake IP address belonging to the ISP. In the client browser this displays the ISP redirect page of the provider, sometimes with advertising, instead of a proper error message. This can also include the situation where NXDomain responses are spoofed with the intent to bypass certain privacy constraints which the ISP is not adhering to; hence they send out such responses.

Side track: in an infection case such as a malware-infested machine, it acts like a bot leveraging DGA domains to call back to its mothership, which do not persist long enough for any investigation to be effective, and this deters the operational aspects of audit trace-back. The bot can also be searching for the next victim to spread the malware across, by eventually responding to the machine in the query to connect to it, etc.
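The distinction the accepted answer draws, between a single NXDOMAIN for a legitimate name such as b.root-servers.net and the burst of random-looking NXDOMAINs a DGA bot produces, can be checked on resolver logs. The following is an added example written for this page, not code from the original post or from Palo Alto: it scores each client by its NXDOMAIN count and the character entropy of the failed names. The log lines are constructed, and the thresholds are assumptions you would tune to your own traffic.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<client> <queried name> <rcode>" per line.
SAMPLE_LOG = """\
10.0.0.5 b.root-servers.net NXDOMAIN
10.0.0.5 www.example.com NOERROR
10.0.0.9 xk3qz7vplm.com NXDOMAIN
10.0.0.9 r8tq2nwbvy.net NXDOMAIN
10.0.0.9 pzl9mk4cxa.org NXDOMAIN
10.0.0.9 q7ywz3bnhd.com NXDOMAIN
10.0.0.9 mail.example.com NOERROR
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; random DGA labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(name: str) -> str:
    """The registrable label, e.g. 'root-servers' from 'b.root-servers.net'."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def score_clients(log_text: str, min_nx: int = 3, min_entropy: float = 3.0) -> dict:
    """Return {client: (nxdomain_count, mean_entropy, suspicious)}.

    A client is flagged only when it produced at least min_nx NXDOMAINs whose
    names look random (mean entropy >= min_entropy); thresholds are assumed.
    """
    nx_labels = defaultdict(list)
    for line in log_text.splitlines():
        client, name, rcode = line.split()
        if rcode == "NXDOMAIN":
            nx_labels[client].append(second_level_label(name))
    result = {}
    for client, labels in nx_labels.items():
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        suspicious = len(labels) >= min_nx and mean_ent >= min_entropy
        result[client] = (len(labels), round(mean_ent, 2), suspicious)
    return result
```

On the sample log the root-server lookup from 10.0.0.5 stays unflagged (one NXDOMAIN, dictionary-like name), while 10.0.0.9 is flagged for four high-entropy failures.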
