What is NXDOMAIN?

You have landed on a page that says the domain you requested does not exist? Don’t panic. That is NXDOMAIN! Let’s dive into this topic and explain everything you need to know about this error!

NXDOMAIN – Definition

NXDOMAIN stands for a non-existent domain and represents an error DNS message received by the Recursive DNS server (the client) when the requested domain cannot be resolved to an IP address. In other words, an NXDOMAIN error message simply indicates that the domain does not exist. 

You can guess that your browser landed on such errors if you notice the sad document or the cloud thought bubble. It is the direct way of the Internet of saying, “there is no answer to your query”. In technical terms, it states that the domain name specified in the Domain Name System (DNS) query does not exist. Therefore, only an Authoritative nameserver can return an NXDOMAIN answer. 

Otherwise, if the domain name exists, nameservers and Recursive DNS servers are going to work together to return the positive NOERROR response. Additionally, the precise IP address answer to the DNS query is going to be returned too. We should mention that it is possible to receive a NOERROR response without any specific answers. That appears when the domain name actually exists, but the requested DNS record type doesn’t.

Impact of NXDOMAIN Errors

Let’s talk about why those errors can be a headache for everyone involved – users and website administrators. It’s like when you’re all set for a road trip, but suddenly, there’s a detour sign, and you have to take a different route. NXDOMAIN errors are like those unexpected route signs in the digital world, messing up the plans and leaving people scratching their heads. The impact of these errors can be the following:

• For Users: So, you’re surfing the Internet, looking for something interesting, and bam! NXDOMAIN hits you. It’s like hitting a roadblock in your online journey. And you know how it feels when your favourite road is closed – frustration kicks in. Users might throw their hands up and say, “I’m out!” Plus, if it keeps happening, people start wondering if the website is having a bad day, and that’s not great for anyone.
• For Websites: Now, imagine you’re running a website or a business online. NXDOMAIN errors mean people can’t reach you. That’s potential customers lost, revenue slipping away, and your website’s reputation taking a hit. It’s like having a store with a “Closed” sign on the door – not a good look! Search engines also notice when your site isn’t playing nice, affecting how easily people find you online. And, let’s be honest, if customers can’t rely on your website, they might start looking elsewhere.

NXDOMAIN on different browsers

Every day users surf via different web browsers, and DNS (Domain Name System) is responsible for connecting the requested domain names to the corresponding IP addresses (IPv4 or IPv6), a process also known as DNS resolution. If the process is successful, they are directed to the desired websites. Yet, if DNS fails to connect a particular user, it receives the NXDOMAIN error message. 

However, every browser has its personal way of showing this error. Here is how it appears on the four most popular browsers: 

• Google Chrome: On this browser, the error is easily noticeable. A ‘DNS_PROBE_FINISHED_NXDOMAIN’ error message is actually shown on the page, plus the statement that the site cannot be reached. Through a blue button, you can try reloading the website.

• Mozilla Firefox: With this one, you see an explanation that there is a problem finding the right website and that no connection can be made to the server. Additionally, there are three simple suggestions for solving the problem, plus a reload button.

• Microsoft Edge: It informs that ‘this page cannot be reached’. Here you also have several suggestions for solving the problem.

• Safari browser: On this browser, you only receive the statement ‘Safari can’t find the page (exampledomain.com) because Safari can’t find the server of (exampledomain.com)’.

How do users trigger NXDOMAIN? 

The NXDOMAIN error message is not a great and desired thing to see. However, it can be useful for exposing criminals attempting to steal your organization’s intellectual property.

Internal NXDOMAIN answers appear when a DNS (Domain Name System) holds no listing for the requested domain. A user on the network can trigger an NXDOMAIN for the following reasons:

• The user enters a typo when attempting to visit a particular website.
• The client’s application has an incorrect configuration.
• A web browser accesses random local domains on startup to try to detect hijacking behavior.
• The device is infected with a bot using a domain-generating algorithm (DGA) to take part in a botnet.

What does it indicate?

Constantly receiving NXDOMAIN messages can be an early indicator of network problems or security gaps. So, to examine DNS error replies to find security and network performance issues, you would need complete data from DNS logs. By analyzing the data, you can discover more details about the core reason for the failed DNS requests.

Here’s what it can indicate:

• Beaconing

Malware beaconing allows cybercriminals to understand they’ve successfully infected a system. Afterward, they can send commands and initiate a malicious attack. Commonly it is the first sign of Distributed Denial-of-Service (DDoS) attacks.

The host infected with malware utilizes regular DNS requests in order to hide its beacon. As a result, the signals between the malware and the command-and-control server (C2) look like regular network communications. Therefore, frequent NXDOMAIN responses can indicate that a host is infected. 

• Reconnaissance and lateral movement

Many advanced persistent threats often act at the back of a network. They remain and search for sensitive information and methods to exfiltrate data to the outside. Yet, this mapping process usually includes a large amount of trial and error. 

Constant NXDOMAIN replies from your local DNS service, where each of them originates from one client, could be an indicator.

• Issues with DNS zone sync

DNS zones are commonly duplicated in multiple servers to minimize latency and improve reliability. As a result, some users will still get the correct response in case these zones fall out of sync. Yet, others will receive an NXDOMAIN error message for the exact same destination. It all depends on the DNS resolution path. 

Often such cases are quite difficult to debug without any visibility into the internal network traffic. Network admins must trace exact pathways between clients, networks, and servers.

What is the difference between NXDOMAIN and SERVFAIL?

Both NXDOMAIN (Non-Existent Domain) and SERVFAIL (Server Failure) are response codes in the Domain Name System (DNS). However, they indicate completely different types of errors.

• NXDOMAIN (Non-Existent Domain): It signifies that the queried domain name does not exist. The Recursive DNS server searched for the requested domain name, but it didn’t find DNS records associated with it. It indicates that the domain name you’re trying to access doesn’t exist on the Internet.
• SERVFAIL (Server Failure): This response code indicates that there was an issue or failure in the DNS server’s ability to fulfil the DNS request properly. It indicates that there might be a problem with the DNS server itself or its ability to communicate and process the query effectively. SERVFAIL can occur due to various reasons, such as misconfiguration, network issues, or the DNS server being overwhelmed.

In summary, NXDOMAIN indicates that the queried domain doesn’t exist, while SERVFAIL indicates a failure or problem with the DNS server itself when trying to process the query.

What is an NXDOMAIN attack?

The NXDOMAIN attack is a DNS Flood Attack that involves many DNS lookup requests sent to non-existent domain names, commonly subdomains of the primary domain under attack. These requests are forwarded to the Authoritative DNS server, responsible for the domain name, intending to reach its resource limit. As a result, the server becomes incapable of responding to legitimate requests, making the victim’s website inaccessible to users.

Suggeste article: The basics of flood attacks

The majority of these attacks are carried out by botnets, which makes the NXDOMAIN attack pretty hard to detect and block.

Detection and prevention of an NXDOMAIN attack

There are some unsophisticated NXDOMAIN attacks that could be more easily detected, like, for instance, catching an out-of-the-ordinary number of requests to non-existent domain names from just one source.

Unfortunately, these attacks are typically initiated with the help of numerous infected devices (botnet) that make their detection way more complicated. They are considered more sophisticated attacks that have the potential to blend in legitimate requests, and noticing them is very challenging. The key to detecting these attacks is to collect and analyze large amounts of data for the patterns of abuse.

The prevention of NXDOMAIN attacks is a pretty tough assignment. However, it all comes down to having large and even excess capacity in order to handle a sudden spike in traffic, plus catching and blocking DNS requests by non-legitimate sources.

Anycast DNS is very helpful in balancing the load, and it will keep your website up and running. Additionally, DNS monitoring and some firewall products are available for examining and protecting a particular network.

Conclusion

So, now you understand what actually NXDOMAIN error message is and how it looks in your browser, and you can easily identify it. Sometimes it can be an everyday problem with an easy fix, while in other cases, it could be a true indicator of a malicious threat. By analyzing and understanding the root cause, you can eliminate potential attacks. Additionally, it is best to implement measures that can help you detect and block NXDOMAIN attacks.

Tags: non-existent domain, NXDOMAIN, NXDOMAIN attack, NXDOMAIN error, NXDOMAIN error message Last modified: January 9, 2024