Solved

DGA NXDOMAIN response Exploit Attempt Proceeded by Recon

Posted on 2014-11-13
Last Modified: 2015-08-13
I have an alert from a root server: the DNS entry for host 192.228.79.201 is b.root-servers.net, but my Palo Alto router indicates it's elicited a DGA NXDOMAIN response.

My question: Is this not a real root server? Or was it spoofed?
Question by:hcrates
1 Comment

Accepted Solution by btan (earned 500 total points)
Actually, DGA NXDomain primarily means the highlighted domain is a DGA-generated (random) domain that a bot queries, which would result in Non-Existent Domain (NXDomain) responses. It can be short-lived and not necessarily a malicious attempt, though this is abnormal, especially if not received in the past.

In fact, most of the time the first thought on such a warning alert is that the domain may already be DNS hijacked or exploited/abused through a scheme like DNS cache poisoning, where the true legitimate value is not returned correctly in response to DNS queries. The receiver will then flag alerts. The mentioned DNS entry is still valid as I queried it, and it is also listed at http://www.iana.org/domains/root/servers

It may be good to check the logs for attempted logins or anomalies on the router or external DNS server. Clear the cache and check again.

For info, such an occurrence may also be the case if the domain name is queried on one of those non-compliant ISPs, where one would always receive a fake IP address belonging to the ISP. The client browser then displays the ISP's redirect page, sometimes with advertising, instead of a proper error message. This can also include the situation where NXDomain is spoofed as a response with the intent to bypass certain privacy constraints the ISP is not adhering to, hence they send out such responses.

Side track: in an infection case such as a malware-infested machine, it acts like a bot leveraging DGA domains to call back to its mothership, which does not persist long enough for any investigation to be effective, and this deters the operational aspects of audit trace-back. The bot can also be searching for the next victim to spread the malware to, by eventually telling the machine in the query to connect to it, etc.
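An added example, not part of the original thread, showing the kind of log check btan suggests: it scores each client's NXDOMAIN responses by ratio and by label entropy (the heuristic a "DGA NXDOMAIN" alert implies), and separately surfaces NXDOMAINs for known-good root-server names, which point at a resolver or path problem rather than a bot. The log format, sample lines and thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not from the original thread): timestamp client query rcode
SAMPLE_LOG = """\
2014-11-13T10:00:01 10.0.0.5 b.root-servers.net NXDOMAIN
2014-11-13T10:00:02 10.0.0.5 www.example.com NOERROR
2014-11-13T10:00:03 10.0.0.9 xk3jq9vz2p.com NXDOMAIN
2014-11-13T10:00:04 10.0.0.9 q7mvb1zt8w.net NXDOMAIN
2014-11-13T10:00:05 10.0.0.9 n4plw0ybsd.org NXDOMAIN
2014-11-13T10:00:06 10.0.0.9 www.example.org NOERROR
"""
# The 13 root-server hostnames listed at http://www.iana.org/domains/root/servers
ROOT_SERVERS = {f"{letter}.root-servers.net" for letter in "abcdefghijklm"}

def shannon_entropy(text):
    """Bits per character: random DGA labels score high, dictionary words low."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def parse_log(text):
    """Return (client, query_name, rcode) tuples from the whitespace-separated format above."""
    rows = []
    for line in text.splitlines():
        _ts, client, qname, rcode = line.split()
        rows.append((client, qname.lower().rstrip("."), rcode))
    return rows

def analyze(rows, min_queries=3, nx_ratio=0.5, min_entropy=3.0, min_random_nx=2):
    """Return (likely DGA clients, NXDOMAINs seen for known-good names).
    Thresholds are assumed starting points, not values from the original thread."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "random_nx": 0})
    known_good_nx = []  # a root-server name must resolve: resolver/path problem, not DGA
    for client, qname, rcode in rows:
        s = stats[client]
        s["total"] += 1
        if rcode != "NXDOMAIN":
            continue
        if qname in ROOT_SERVERS:
            known_good_nx.append((client, qname))
            continue
        s["nx"] += 1
        label = qname.split(".")[-2] if "." in qname else qname  # registrable label
        if shannon_entropy(label) >= min_entropy:
            s["random_nx"] += 1
    flagged = {c: s for c, s in stats.items()
               if s["total"] >= min_queries and s["nx"] / s["total"] >= nx_ratio
               and s["random_nx"] >= min_random_nx}
    return flagged, known_good_nx
```

On the sample log, 10.0.0.9 is flagged as a likely DGA client while the NXDOMAIN for b.root-servers.net from 10.0.0.5 is reported separately for the resolver/cache check the answer recommends.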
