
What is NXDOMAIN?

You have landed on a page that says the domain you requested does not exist? Don’t panic. That is NXDOMAIN! Let’s dive into this topic and explain everything you need to know about this error!

NXDOMAIN – Definition

NXDOMAIN stands for “non-existent domain”. It is a DNS error message received by the Recursive DNS server (the client) when the requested domain cannot be resolved to an IP address. In other words, an NXDOMAIN error message simply indicates that the domain does not exist.

You can tell that your browser has hit this error when you see the sad document or the cloud thought bubble. It is the Internet’s direct way of saying, “there is no answer to your query”. In technical terms, it states that the domain name specified in the Domain Name System (DNS) query does not exist. Therefore, only an Authoritative nameserver can return an NXDOMAIN answer.

Otherwise, if the domain name exists, nameservers and Recursive DNS servers work together to return the positive NOERROR response, along with the IP address that answers the DNS query. Note that it is possible to receive a NOERROR response without any answers. That happens when the domain name actually exists, but the requested DNS record type doesn’t.
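The difference between the three outcomes described above is visible in the DNS response header. The following is an added example, not code from the original article: it reads the RCODE and answer count of a response and labels the empty NOERROR case "NODATA" (the usual name for it). The sample messages are constructed, and the function names are hypothetical.

```python
import struct

NOERROR, NXDOMAIN = 0, 3  # RCODE values defined in RFC 1035

def build_response(qname, rcode, with_answer=False):
    """Build a constructed DNS response for an A query (sample input only)."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1; RCODE is the low 4 bits
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, int(with_answer), 0, 0)
    for label in qname.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", 1, 1)  # end of name, QTYPE=A, QCLASS=IN
    if with_answer:
        # Pointer to the question name, TYPE=A, CLASS=IN, TTL=300, 192.0.2.1
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return msg

def classify(msg):
    """Return (qname, verdict) from the header and question of a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("question name runs past the end of the message")
        length = msg[pos]
        if length == 0:
            break
        if length > 63 or pos + 1 + length > len(msg):
            raise ValueError("malformed question name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        verdict = "NXDOMAIN"        # the name itself does not exist
    elif rcode == NOERROR and ancount == 0:
        verdict = "NODATA"          # the name exists, the requested record type does not
    elif rcode == NOERROR:
        verdict = "ANSWER"
    else:
        verdict = f"RCODE {rcode}"  # e.g. 2 = SERVFAIL, 5 = REFUSED
    return ".".join(labels), verdict
```
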

NXDOMAIN on different browsers

Every day, users surf the web with different browsers, and DNS (Domain Name System) is responsible for connecting the requested domain names to the corresponding IP addresses (IPv4 or IPv6), a process also known as DNS resolution. If the process is successful, users are directed to the desired websites. Yet, if DNS fails to connect a particular user, that user receives the NXDOMAIN error message.

However, every browser has its own way of showing this error. Here is how it appears on the four most popular browsers:

  • Google Chrome: On this browser, the error is easily noticeable. A ‘DNS_PROBE_FINISHED_NXDOMAIN’ error message is actually shown on the page, plus the statement that the site cannot be reached. Through a blue button, you can try reloading the website.
  • Mozilla Firefox: With this one, you see an explanation that there is a problem finding the right website and that no connection can be made to the server. Additionally, there are three simple suggestions for solving the problem, plus a reload button.
  • Microsoft Edge: It informs that ‘this page cannot be reached’. Here you also have several suggestions for solving the problem.
  • Safari browser: On this browser, you only receive the statement ‘Safari can’t find the page (exampledomain.com) because Safari can’t find the server of (exampledomain.com)’.

How do users trigger NXDOMAIN? 

The NXDOMAIN error message is not something anyone wants to see. However, it can be useful for exposing criminals attempting to steal your organization’s intellectual property.

Internal NXDOMAIN answers appear when the DNS (Domain Name System) holds no listing for the requested domain. A user on the network can trigger an NXDOMAIN for the following reasons:

  • The user enters a typo when attempting to visit a particular website.
  • The client’s application has an incorrect configuration.
  • A web browser accesses random local domains on startup to try to detect hijacking behavior.
  • The device is infected with a bot using a domain-generating algorithm (DGA) to take part in a botnet.

What does it indicate?

Constantly receiving NXDOMAIN messages can be an early indicator of network problems or security gaps. So, to examine DNS error replies to find security and network performance issues, you would need complete data from DNS logs. By analyzing the data, you can discover more details about the core reason for the failed DNS requests.

Here’s what it can indicate:

  • Beaconing

Malware beaconing lets cybercriminals know that they have successfully infected a system. Afterward, they can send commands and initiate a malicious attack. Commonly, it is the first sign of Distributed Denial-of-Service (DDoS) attacks.

The host infected with malware utilizes regular DNS requests in order to hide its beacon. As a result, the signals between the malware and the command-and-control server (C2) look like regular network communications. Therefore, frequent NXDOMAIN responses can indicate that a host is infected. 

  • Reconnaissance and lateral movement

Many advanced persistent threats operate in the background of a network. They stay there, searching for sensitive information and for ways to exfiltrate data to the outside. Yet, this mapping process usually involves a large amount of trial and error.

Constant NXDOMAIN replies from your local DNS service, all originating from one client, could be an indicator.

  • Issues with DNS zone sync

DNS zones are commonly replicated across multiple servers to minimize latency and improve reliability. As a result, if these zones fall out of sync, some users will still get the correct response, while others will receive an NXDOMAIN error message for the exact same destination. It all depends on the DNS resolution path.

Often such cases are quite difficult to debug without any visibility into the internal network traffic. Network admins must trace exact pathways between clients, networks, and servers.
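One way to look for the single-client patterns described above (beaconing, DGA lookups, reconnaissance) in resolver logs, as an added example that is not part of the original article. The log format, the thresholds and the function name are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample log, one query per line: <epoch> <client> <qname> <rcode>
T0 = 1700000100
SAMPLE_LOG = (
    [f"{T0 + i} 10.0.0.5 www.example.com NOERROR" for i in range(5)]
    + [f"{T0 + 9} 10.0.0.5 wwww.example.com NXDOMAIN"]                  # a single typo
    + [f"{T0 + i} 10.0.0.9 updates.corp.example NXDOMAIN" for i in range(15)]  # stale app config
    + [f"{T0 + i * 10} 10.0.0.23 k{i * 7919:05x}q.example NXDOMAIN" for i in range(12)]
)

def suspicious_clients(lines, window=300, min_nx=10, min_ratio=0.8):
    """Flag clients that, within one time window, fail on many DISTINCT names.

    Counting distinct names separates a typo or a misconfigured application
    (one name, possibly repeated) from a host cycling through generated names.
    Returns {client: highest distinct-NXDOMAIN count seen in a window}.
    """
    buckets = defaultdict(lambda: {"total": 0, "nx_names": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        ts, client, qname, rcode = parts
        bucket = buckets[(client, int(ts) // window)]
        bucket["total"] += 1
        if rcode == "NXDOMAIN":
            bucket["nx_names"].add(qname.lower().rstrip("."))
    flagged = {}
    for (client, _window), bucket in buckets.items():
        distinct_nx = len(bucket["nx_names"])
        if distinct_nx >= min_nx and distinct_nx / bucket["total"] >= min_ratio:
            flagged[client] = max(flagged.get(client, 0), distinct_nx)
    return flagged

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

The thresholds need tuning against a baseline of the network's normal NXDOMAIN rate before they are used for alerting.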

What is an NXDOMAIN attack?

The NXDOMAIN attack is a DNS Flood Attack that involves many DNS lookup requests sent to non-existent domain names, commonly subdomains of the primary domain under attack. These requests are forwarded to the Authoritative DNS server, responsible for the domain name, intending to reach its resource limit. As a result, the server becomes incapable of responding to legitimate requests, making the victim’s website inaccessible to users.

The majority of these attacks are carried out by botnets, which makes the NXDOMAIN attack pretty hard to detect and block.

Detection and prevention of an NXDOMAIN attack

Some unsophisticated NXDOMAIN attacks are easier to detect, for instance by catching an out-of-the-ordinary number of requests to non-existent domain names from just one source.

Unfortunately, these attacks are typically launched with the help of numerous infected devices (a botnet), which makes their detection far more complicated. They are considered more sophisticated attacks that can blend in with legitimate requests, and noticing them is very challenging. The key to detecting these attacks is to collect and analyze large amounts of data for patterns of abuse.
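A sketch of the pattern analysis described above, added here as an example and not taken from the original article: instead of counting per source, it groups NXDOMAIN responses by the zone being queried, so a flood spread thinly over many sources still stands out. The log format, thresholds and names are assumptions, the sample lines are constructed, and the input is assumed to cover one time window.

```python
from collections import defaultdict

# Constructed sample: 20 sources, 5 queries each, 100 distinct names under one zone,
# plus unrelated background traffic. Format: <epoch> <source> <qname> <rcode>
SAMPLE_LOG = [
    f"1700000100 198.51.100.{i % 20 + 1} r{i:04x}.example.com NXDOMAIN" for i in range(100)
] + [
    "1700000101 203.0.113.7 wwww.example.org NXDOMAIN",
    "1700000102 203.0.113.7 www.example.org NOERROR",
]

def parent_zone(qname, labels=2):
    """Assumption: the zone is the last two labels; real use needs the Public Suffix List."""
    return ".".join(qname.lower().rstrip(".").split(".")[-labels:])

def flooded_zones(lines, min_names=50, min_sources=10):
    """Return {zone: (distinct NXDOMAIN names, distinct sources, max queries per source)}."""
    stats = defaultdict(lambda: {"names": set(), "per_source": defaultdict(int)})
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "NXDOMAIN":
            continue  # only negative answers matter here; skip malformed lines
        _ts, source, qname, _rcode = parts
        zone = stats[parent_zone(qname)]
        zone["names"].add(qname.lower().rstrip("."))
        zone["per_source"][source] += 1
    report = {}
    for name, zone in stats.items():
        if len(zone["names"]) >= min_names and len(zone["per_source"]) >= min_sources:
            report[name] = (
                len(zone["names"]),
                len(zone["per_source"]),
                max(zone["per_source"].values()),
            )
    return report

if __name__ == "__main__":
    print(flooded_zones(SAMPLE_LOG))
```

In the sample, no source sends more than 5 queries, so a per-source threshold would stay silent while the per-zone view reports 100 distinct non-existent names from 20 sources.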

The prevention of NXDOMAIN attacks is a pretty tough assignment. However, it all comes down to having large, even excess, capacity to handle a sudden spike in traffic, plus catching and blocking DNS requests from non-legitimate sources.

Anycast DNS is very helpful in balancing the load, and it will keep your website up and running. Additionally, DNS monitoring and some firewall products are available for examining and protecting a particular network.

Conclusion

So, now you understand what the NXDOMAIN error message actually is and how it looks in your browser, and you can easily identify it. Sometimes it can be an everyday problem with an easy fix, while in other cases, it could be a true indicator of a malicious threat. By analyzing and understanding the root cause, you can eliminate potential attacks. Additionally, it is best to implement measures that can help you detect and block NXDOMAIN attacks.

Last modified: December 6, 2022