Solved

DGA NXDOMAIN response   Exploit Attempt Proceeded by Recon

Posted on 2014-11-13
1
797 Views
Last Modified: 2015-08-13
I have an alert  from root server,   DNS entry for host 192.228.79.201 is b.root-servers.net, but my Palo Alto router indicates its elicited a DGA NXDOMAIN response.  

My question:  Is this not a real root-server ? or was it spoofed ?
0
Comment
Question by:hcrates
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40442322
Actually DGA NXDomain is primarily to mean the highlighted domain is a DGA-generated (random) domain that a bot queries would result in Non-Existent Domain (NXDomain) responses. It can be a shortlived and not necessary a malicious attempt though this is abnormal, esp not received from the past.

In fact, most of the time the first thinking of such warning alert is that the domain may be already be DNS hijacked or exploited/abused thru scheme like DNS cache poisoning where the true legit value is not response correctly back to DNS queries. The receiver will then flag alerts. The mentioned DNS entry is still valid as I queried and is also stated in http://www.iana.org/domains/root/servers



Maybe good to check the log if there are attempted login or anomalies to the router or ext DNS server. Clear the cache and check again.

For info, such occurence may also be a case if the domain name is queried on one of these non-compliant ISPs, one would always receive a fake IP address belonging to the ISP. And this can in client browser displays the ISP redirect page of the provider, sometimes with advertising, instead of a proper error message. This can also include situation whereby NXDomain is spoofed as responses with intend to bypass certain privacy constraint which ISP is not adhering to hence they send out such responses..

Side track - On infection case such as a malware infested machine, it act like a bot leveraged on DGA domain to call back to their mothership which does not persist long enough for any investigation to be effective and deter the operational aspects for audit trace back. The bot can also be searching for the next victim to spread across the malware by eventually responding the machine in query to connect to it etc.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question