Threat Level: green Handler on Duty: Russ McRee

SANS ISC: Watching those DNS logs SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Watching those DNS logs

Among the frantic activity to get all the DNS resolvers patched, very little has been said on how to be on the lookout for DNS poisoning attempts. Irrespective of the attack details, the two possible scenarios seem to be
(1) someone attacks a DNS resolver/forwarder of yours
(2) someone attacks a remote resolver/forwarder to poison a domain you own
The impact of the first scenario would be to draw your own users from, say, to an evil incarnation instead. The impact of the second scenario would be that a customer of yours somewhere else on the world can no longer get to your services and is being redirected to or through an evil third party. The first scenario is what you patched your resolvers against - for the second scenario, you have to hope that all your customers are patched. If you are, for example, a retail bank with a nationwide online presence, chances are that not all your clients (or rather their ISPs) are patched and safe.

From the attack details that have so far been disclosed, scenario (2) involves a high number of queries for bogus names in the domain that you own. Your authoritative DNS server will respond with "NXDOMAIN" (no such domain) to all these requests, but every such query provides the attacker with a chance to inject a bogus reply to poison the querying resolver of your client's ISP. has a Snort rule (sid:2008470) to catch an excessive number of NXDOMAIN replies received by your resolver. This covers scenario (1). Scenario (2) would require a way to watch for a high number NXDOMAIN answers sent by your own authoritative DNS server. A quick check we made turned out that neither BIND9 nor MS-DNS seem to offer any easy way to log NXDOMAIN answers of your DNS server without going into debug-dump-it-all mode. The statistics collected by BIND keep track of sent NXDOMAIN records in the "SNXD" counter, but that's about it.

If you have any good suggestions on how to watch for a high number of queries for nonexisting hosts in your domain, or for a high number of NXDOMAIN replies leaving your DNS server, please let us know.


367 Posts
ISC Handler
Aug 5th 2008
While I dont have a good answer to this logging problem yet. There is a Splunk app, which monitors DNS activity on Bind servers. The link is:
Use Sagan. Sagan rules are a lot like Snort but is used for log analysis instead of packet analysis.

In this case, I'd create a rule (if one doesn't already exist!) to watch for a high number of NXDOMAIN's. To do this, I might do something like this:

alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg:"Large number of NXDOMAIN detected"; content: "NXDOMAN"; parse_src_ip: 1; parse_port; classtype: suspicious-traffic; program: named; after: track by_src, count 100, seconds 30; threshold: type limit, track by_src, count 5, seconds 300; sid: 999999; rev:1;)

If Sagan "see's" 100 NXDOMAIN from the program bind ("named") in 30 seconds, it will sound off an alarm. In order not to flood you console (for example, Snorby) with millions of these events, we'll threshold after 5 alerts are sent in a 5 minute period.

Keep in mind, this rule is off the top of my head. However, it should give you a good idea about real time detection of rapid NXDOMAINs.

More information on Sagan can be found at

Sign Up for Free or Log In to start participating in the conversation!