The Relentless Drip: Why You Need to Shore Up Your Defences Against NXDOMAIN Attacks

The Relentless Drip: Why You Need to Shore Up Your Defences Against NXDOMAIN Attacks

As CEOs, it’s our responsibility to understand the critical role of our online presence in today’s digital marketplace. Our websites are the shopfronts of our businesses, and any disruption can mean lost leads, frustrated customers, and, ultimately, lost revenue. By taking the lead in implementing the suggested measures, we can protect our businesses from the threat of NXDOMAIN attacks.

One insidious threat lurking online is the NXDOMAIN attack, also known as a DNS Water Torture attack. This is one of the Distributed Denial-of-Service (DDoS) adversaries that explicitly targets the Domain Name System (DNS), the internet’s phonebook that translates website names into IP addresses. Imagine a relentless drip, slowly eroding the foundation of your customer experience. That’s what an NXDOMAIN attack does to your DNS infrastructure.

An NXDOMAIN attack, also known as a DNS Water Torture attack, is a type of Distributed Denial-of-Service (DDoS) attack that targets the Domain Name System (DNS). Here’s a deeper dive into how it works:

A DNS Water Torture attack is a Distributed Denial-of-Service (DDoS) attack that aims to overwhelm a Domain Name System (DNS) server with massive requests for non-existent domains. Here’s a breakdown of how it works:

  • Target: DNS servers are crucial for translating website names into IP addresses.
  • Method: The attacker bombards the server with queries for nonsensical domain names, like “[invalid URL removed]”. These requests are crafted never to be cached by the server, forcing it to perform extra work for each query.
  • Impact: The flood of junk requests consumes the server’s resources, making it slow or unresponsive to legitimate requests for real websites. This disrupts user access to websites and online services.

The Name: The name “Water Torture” refers to the relentless nature of the attack, similar to how water dripping for a long time can wear down a person’s mental state.

Here’s some additional information you might find helpful:

  • This type of attack is also known as an NXDOMAIN attack, referring to the error message (“Non-existent Domain”) the server responds with for these invalid requests.
  • Attackers often use botnets and compromised computer networks to generate massive attack traffic.
  • Mitigating a DNS Water Torture attack involves filtering out suspicious queries and using distributed DNS architectures to spread the load.

Goal: To disrupt user access to websites and online services by overloading DNS servers.

Method: Attackers flood the DNS server with massive requests for non-existent domain names. These can be random combinations of letters or subdomains of the targeted website.


  • Resource drain: The server wastes resources to find these non-existent domains, slowing down or stopping responses to legitimate requests.
  • Cache pollution: If the attack injects invalid data into the server’s cache, it can further hinder its ability to serve genuine requests.

How it works:

  1. Attacker sends requests: Millions of requests for non-existent domains are sent to the DNS server, typically from a network of compromised devices (botnet).
  2. The server queries the authoritative server: The bombarded server doesn’t have the information cached and tries to find the answer by querying the authoritative name server for the domain.
  3. The authoritative server responds with NXDOMAIN: The authoritative server confirms that the domain doesn’t exist, sending an “NXDOMAIN” (Non-existent Domain) response.
  4. Repeat: The attacker’s server keeps sending requests for different non-existent domains, forcing the cycle to repeat.

Real-world Example:

  • A famous NXDOMAIN attack 2016 targeted Dyn, a major DNS service provider. This attack disrupted users’ access to popular websites like Twitter, Netflix, and Reddit, leading to significant financial losses and reputational damage for these companies.

Defences against NXDOMAIN attacks:

  • Rate limiting: Limiting the requests a single source can send to the server.
  • Filtering: Identifying and filtering out suspicious traffic patterns.
  • DNS caching: Implementing efficient caching mechanisms to reduce reliance on authoritative name servers for typical requests.
  • Redundancy: Distributing DNS queries across multiple servers to prevent a single point of failure.

By implementing these measures, organisations can make their DNS infrastructure more resilient against NXDOMAIN attacks.

What is an NXDOMAIN Attack, and Why Should You Care?

An NXDOMAIN attack targets the Domain Name System (DNS), the internet’s phonebook that translates website names into IP addresses. Attackers bombard DNS servers with a flood of requests for non-existent domains. This seemingly innocuous act has a devastating impact.

  • Resource Drain: The DNS server, overwhelmed by the onslaught of junk requests, becomes bogged down. It wastes valuable resources trying to find these non-existent domains, leaving it unable to respond to legitimate requests from your customers. This translates into slow loading times or complete outages for your website, frustrating your customers and potentially leading to lost sales.
  • Reputational Damage: A website outage can severely damage your brand reputation. Customers who encounter error messages or slow loading times will likely associate your business with unprofessionalism or unreliability. This negative perception can be hard to shake off.

The financial implications of an NXDOMAIN attack can be significant. A study by the Ponemon Institute revealed that the average cost of such attacks can reach $1 million per hour. However, by investing in measures to protect your DNS infrastructure, you can significantly minimise the risk and potential impact of such attacks, saving your company millions of dollars in possible losses. Considering the potential for lost sales and brand damage, the ROI for fortifying your defences against NXDOMAIN attacks becomes abundantly clear.

Protecting Your Business from the Drip, Drip, Drip

As CEOs, you have the power and responsibility to mitigate the risk of NXDOMAIN attacks. Fortunately, there are measures you can take to safeguard your business:

  • Rate Limiting: Implement measures limiting requests a single source can send to your DNS server. This helps to identify and throttle suspicious traffic patterns before they overwhelm the system.
  • DNS Security Measures: Invest in security solutions to identify and filter out NXDOMAIN attack traffic. These tools can act as a shield, deflecting the barrage of junk requests before they reach your server.
  • DNS Redundancy: Don’t put all your eggs in one basket. Distribute your DNS queries across multiple servers. This way, if an attack targets one server, the others can continue to function, minimising downtime for your website.

By taking a proactive strategy for DNS security, you can safeguard your Internet-facing servers and ensure a seamless customer experience. This means not waiting for an attack but instead implementing the suggested measures to prevent potential damage. Remember, in today’s digital world, every second your website is down translates into lost opportunities. Don’t let an NXDOMAIN attack become the drip that erodes your bottom line.

Web Application Firewall to prevent DDoS

While Web Application Firewalls (WAFs) are a crucial security tool, they are not a silver bullet for preventing DDoS attacks. Here’s a breakdown of why and how WAFs can still be helpful in a DDoS mitigation strategy:

Limitations of WAFs for DDoS:

  • Focus: WAFs primarily focus on application-layer (Layer 7) attacks that target vulnerabilities in your web application (like SQL injection). On the other hand, DDoS attacks often overwhelm systems at the network layer (Layers 3 & 4) with sheer volume, bypassing the application layer altogether.

How WAFs can still help:

  • L7 DDoS Attacks: WAFs can be effective against specific DDoS attacks that target the application layer, such as HTTP floods or application-specific denial-of-service attacks. By identifying and blocking abnormal request patterns, WAFs can help mitigate these attacks.
  • Early Warning System: WAFs can act as an early warning system for DDoS attacks. They can detect sudden spikes in traffic volume or unusual request patterns, which can signify a DDoS attack in progress. This allows you to take timely action to mitigate the attack with other tools.
  • Rate Limiting: Many WAFs offer rate-limiting features. By limiting the number of requests an IP address can send within a specific timeframe, WAFs can help prevent individual attackers or botnets from overwhelming your resources.

Remember: WAFs are most effective when used in conjunction with other DDoS mitigation strategies, such as:

  • DDoS Protection Services: These specialised services can filter and absorb DDoS attack traffic before it reaches your servers.
  • Network Security Measures: Web Application Firewalls and intrusion detection systems at the network layer can help identify and block anomalous traffic patterns associated with DDoS attacks.

Here’s the key takeaway for CEOs:

  • WAFs are a valuable security tool but shouldn’t be your sole defence against DDoS attacks.
  • Invest in a layered security approach that combines WAFs with other DDoS mitigation strategies for comprehensive protection.
  • Early detection and rapid incident response are crucial for minimising the impact of a DDoS attack.

Fortifying your defences: Preventive Measures for DDoS Attacks

Distributed Denial-of-Service (DDoS) attacks pose a significant threat to businesses today. These attacks overwhelm your online infrastructure with traffic, making your website or service inaccessible to legitimate users. The consequences can be severe – lost sales, frustrated customers, and reputational damage.

To mitigate the security risks of DDoS attacks and ensure your business is running. Here’s a breakdown of key strategies:

1. Harden Your Infrastructure:

  • Patching and Updates: Ensure your servers, operating systems, and apps are up-to-date with the recommended fixes. These fixes often address vulnerabilities that attackers can exploit to launch DDoS attacks.
  • Unnecessary Services: Identify and turn off any unneeded services on your servers. This reduces the attack surface and makes it harder for adversaries to find vulnerabilities.
  • Strong Passwords: Enforce solid and unique passwords for all user accounts and administrative access points. This makes it more difficult for attackers to gain unauthorised access to your systems.

2. Enhance Network Resilience:

  • Rate Limiting: Implement rate-limiting measures to restrict the requests a single IP address can send to your servers within a specific timeframe. This can help prevent malicious actors from overwhelming your resources with traffic.
  • Traffic Filtering: Configure your network firewalls and security solutions to filter out suspicious traffic patterns often associated with DDoS attacks. This can include filtering based on source IP address, request type, and other parameters.
  • Redundancy: Don’t put all your eggs in one basket. Distribute your network resources and DNS queries across multiple servers. This redundancy ensures that if an attack targets one server, the others can continue functioning and minimising downtime.

3. Leverage DDoS Protection Services:

  • Security Specialists: Consider partnering with DDoS protection service providers. These companies offer specialised expertise and infrastructure to absorb and mitigate DDoS attacks before they reach your servers.
  • Penetration Testing as a Service: Hiring Penetration Testers to perform thorough Penetration Testing throughout the year for mission-critical, highly available infrastructure.
  • Always-On Monitoring: Many DDoS protection services offer 24/7 monitoring of your network traffic. This allows for proactive detection of suspicious activity and a faster response to potential attacks.

4. Plan and Prepare:

  • Incident Response Plan: Create a comprehensive incident response plan outlining the actionable steps to take in a DDoS attack. This plan should include roles and responsibilities for different teams, communication protocols, and procedures for restoring normal operations.
  • Employee Training: Educate your employees on the signs of DDoS attacks and best practices for cybersecurity. This can help them identify suspicious activity and report it promptly.

By implementing a multi-layered approach that combines these proactive steps, you can significantly minimise the risk of DDoS attacks and ensure the continued smooth operation of your online presence. Remember, prevention is always better than cure. A proactive approach to DDoS mitigation can save your business from costly downtime and reputational damage.

Leave a comment