This article explains NXDOMAIN responses, how they differ from other DNS response types, and how to identify normal versus potentially malicious query patterns such as DNS enumeration.
What Is an NXDOMAIN Response
An NXDOMAIN response occurs when a DNS query is made for a hostname that does not exist within a zone.
NXDOMAIN vs NOERROR vs SERVFAIL
If a domain exists as a zone on a DNS server and a query is made for a hostname within that domain, the response depends on whether the hostname exists.
- If the hostname exists, regardless of record type, the response is NOERROR
- If the hostname does not exist, the response is NXDOMAIN
- If the domain itself does not exist as a zone on the server, the response is SERVFAIL
Common Non-Malicious Causes of NXDOMAIN
- Queries for hostnames that previously existed but have been removed or are being reconfigured
- Queries for hostnames that are referenced publicly but not yet created in DNS
- Internal DNS leakage, where internal corporate queries are sent to public DNS infrastructure
Common Malicious NXDOMAIN Patterns
Malicious activity often involves a large number of unique queried names, each with a small number of queries.
In some cases, there may be hundreds of thousands to millions of unique queried names within a domain. Available reporting tools may not directly show this value, so inference is required based on observable patterns.
Indicators of Potentially Malicious Activity
- Multiple domains with only NXDOMAIN responses or a very high percentage of NXDOMAIN traffic
- A low percentage of total NXDOMAIN queries accounted for by the top queried hostnames
- A large number of hostnames receiving only a small number of queries each
How to Evaluate NXDOMAIN Distribution
To determine whether NXDOMAIN responses are contributing to high query volume, review query analytics and identify domains with the highest NXDOMAIN counts.
Export NXDOMAIN data for those domains and compare the total number of queries to the sum of the top queried hostnames. If the top results account for only a small portion of total NXDOMAIN traffic, and many additional hostnames exist with low query counts, this may indicate automated enumeration activity.
Impact of Wildcard Records
Wildcard records can reduce NXDOMAIN responses by returning valid answers instead of NXDOMAIN.
However, enumeration activity can still be identified by analyzing query distribution across hostnames. Even with wildcard responses, each unique queried name generates a separate entry in reporting, which can be used to identify similar patterns.
What Is DNS Enumeration
DNS enumeration is a technique used to discover valid hostnames or generate large volumes of DNS queries.
It can be used for reconnaissance to identify existing services, or for service disruption by generating large numbers of unique queries. These queries often use dictionary-based subdomains and result in many NXDOMAIN or wildcard responses.
Prevalence of DNS Enumeration
DNS enumeration activity has increased over time and continues to be observed across DNS infrastructure.
Traffic Handling and Mitigation
Some attack traffic is mitigated automatically. If traffic exceeds certain thresholds, it may be routed through filtering systems to reduce impact on DNS resolution.
Lower-volume traffic that does not disrupt resolution is typically absorbed without mitigation.
Common Enumeration Wordlists
Special Characters in Query Reports
Certain characters may appear in DNS query reporting and have specific meanings.
- '_' is commonly generated by recursive resolvers such as BIND9. These queries are typically made alongside standard queries and are more frequent when hostnames contain multiple subdomain levels.
- '#' is used in reporting when query volume exceeds a threshold within a short time period. Instead of logging individual hostnames, queries are aggregated under a placeholder format.
- '*' represents a literal asterisk in the queried name. It is not related to wildcard DNS records and is not considered a valid query pattern.
Are These Queries Malicious
The presence of these query patterns alone does not always indicate malicious activity.
- '_' queries are generally not malicious by themselves but may appear more frequently during large-scale query activity
- '#' patterns often indicate automated or scripted query behavior
- '*' queries are not valid and may result from misconfiguration or malicious activity, requiring further analysis