A burst of NXDOMAIN (non-existent domain) responses from a single client is a classic sign that DNS is being abused as a covert channel: malware using a domain generation algorithm (DGA) cycles through candidate command-and-control names until one resolves, exfiltration tools encode payload bytes into subdomain labels of lookups that are never meant to resolve, and reconnaissance tools brute-force subdomains of a target zone. Every one of these produces far more failed lookups per client than ordinary browsing does. SOC teams should hunt for clients that exceed a sane NXDOMAIN rate in Microsoft Sentinel (formerly Azure Sentinel) to catch C2 establishment, data exfiltration or reconnaissance early.
KQL Query
let threshold = 200;                                 // NXDOMAIN responses per source per 15-minute bin
_Im_Dns(responsecodename='NXDOMAIN')                 // ASIM DNS parser; the parameter filters to NXDOMAIN inside the parser
| where isnotempty(DnsResponseCodeName)              // defensive: drop rows where the source did not normalize a response code
//| where DnsResponseCodeName =~ "NXDOMAIN"          // equivalent post-filter, superseded by the parser parameter above
| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
| where count_ > threshold
// Return the raw NXDOMAIN events for every source that breached the threshold.
// Note the join key is SrcIpAddr only, so this pulls every NXDOMAIN the source
// generated in the whole queryPeriod, not just the 15-minute bin that breached.
| join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')
) on SrcIpAddr
id: c3b11fb2-9201-4844-b7b9-6b7bf6d9b851
name: Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
description: |
  'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'
severity: Medium
requiredDataConnectors:
  - connectorId: DNS
    dataTypes:
      - DnsEvents
  - connectorId: AzureFirewall
    dataTypes:
      - AzureDiagnostics
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
  - connectorId: InfobloxNIOS
    dataTypes:
      - Syslog
  - connectorId: GCPDNSDataConnector
    dataTypes:
      - GCP_DNS_CL
  - connectorId: NXLogDnsLogs
    dataTypes:
      - NXLog_DNS_Server_CL
  - connectorId: CiscoUmbrellaDataConnector
    dataTypes:
      - Cisco_Umbrella_dns_CL
  - connectorId: Corelight
    dataTypes:
      - Corelight_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1568
  - T1008
tags:
  - ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/InfobloxNIOS/ExcessiveNXDOMAINDNSQueries.yaml
    version: 1.0.0
  - Schema: ASIMDns
    SchemaVersion: 0.1.1
query: |
  let threshold = 200;
  _Im_Dns(responsecodename='NXDOMAIN')
  | where isnotempty(DnsResponseCodeName)
  //| where DnsResponseCodeName =~ "NXDOMAIN"
  | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
  | where count_ > threshold
  | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')
  ) on SrcIpAddr
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
version: 1.3.4
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Yaron
  support:
    tier: Community
  categories:
    domains: [ "Security - Network" ]
T1568 (Dynamic Resolution): Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorith
T1008 (Fallback Channels): Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thre
Scenario: Scheduled DNS Health Check Job
Description: A scheduled job periodically resolves internal names to verify that DNS is working. Probes for names that are deliberately non-existent, or for zones that have since been decommissioned, return NXDOMAIN on every run and can breach the threshold on their own.
Filter/Exclusion: DNS telemetry does not record the client tool (nslookup, dig), so key the exclusion on what the log does carry: the source IP ranges of the internal monitoring hosts, or the specific probe names they query.
Scenario: User Testing New Application with Invalid Domains
Description: A developer is testing an application that generates domain names dynamically, many of which do not resolve.
Filter/Exclusion: Exclude the specific development and test hosts (e.g., dev-vm-01, test-02) by source IP, since the rule aggregates on SrcIpAddr. Do not exclude on account privilege; a privilege-based carve-out would also hide a compromised administrator workstation, which is exactly where this activity matters most.
Scenario: DNS Server Misconfiguration or Cache Invalidation
Description: An internal resolver or forwarder that relays queries upstream appears as SrcIpAddr for every client behind it, so it aggregates all of their NXDOMAINs and can breach the threshold on normal traffic. Zone migrations and configuration changes can also produce temporary NXDOMAIN bursts.
Filter/Exclusion: Exclude the internal DNS servers (e.g., dns-server-01, dns-server-02) when logging at the upstream layer, or prefer the client-facing resolver's logs so the real client IP is preserved. Suppress known change windows only for their duration.
Scenario: Automated Security Tool Scanning for Vulnerabilities
Description: Vulnerability scanners such as Nessus or OpenVAS perform forward and reverse lookups for every target during host discovery and service enumeration, and a large share of those lookups fail.
Filter/Exclusion: Exclude the scanners' source IPs or ranges (e.g., 192.168.1.100, 10.0.0.50), ideally maintained in a watchlist rather than hardcoded in the rule.
Scenario: User Mistyping URLs or Using Incorrect Domain Names
Description: A user may frequently mistype URLs or use incorrect domain names, leading to NXDOMAIN responses.
Filter/Exclusion: Exclude DNS queries from user accounts with high activity in the last
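Putting the exclusions above into the rule, as an added example that is not part of the published rule: the allowlist table, the address range and the probe domain names are placeholders to replace with your own (in production, hold them in a Sentinel watchlist and read them with _GetWatchlist()). The scanner and DNS-server IPs are the example addresses from the scenario list, and the host names in the Reason column are the ones the scenarios use.

```kql
// Added example, not part of the published rule: the same detection with the
// known noisy sources carved out. Every address, range and name below is a
// placeholder for the reader's own environment.
let threshold = 200;
// Stand-in for a Sentinel watchlist (e.g. _GetWatchlist('DnsNxdomainAllowlist')).
// Leftanti-joining on SrcIpAddr drops every row from these sources.
let allowedSources = datatable(SrcIpAddr:string, Reason:string) [
    "192.168.1.100", "vulnerability scanner",
    "10.0.0.50",     "vulnerability scanner",
    "10.0.0.2",      "dns-server-01 (forwarder, hides real clients)",
    "10.0.0.3",      "dns-server-02 (forwarder, hides real clients)"
];
// Subnet used by internal health-check / monitoring systems (placeholder)
let allowedRanges = dynamic(["10.10.0.0/24"]);
_Im_Dns(starttime=ago(1h), responsecodename='NXDOMAIN')
| where isnotempty(SrcIpAddr)
// Names that synthetic probes look up on purpose (placeholder suffixes)
| where not(DnsQuery matches regex @"\.(healthcheck\.internal|test\.corp\.example)$")
// coalesce() keeps IPv6 sources: ipv4_is_in_any_range() returns null for them,
// and a bare not(null) would silently drop those rows.
| where coalesce(ipv4_is_in_any_range(SrcIpAddr, allowedRanges), false) == false
| join kind=leftanti allowedSources on SrcIpAddr
| summarize NxCount = count(), SampleNames = make_set(DnsQuery, 5)
    by SrcIpAddr, bin(TimeGenerated, 15m)
| where NxCount > threshold
```

Exclusions are applied before the summarize so an excluded host cannot contribute to another host's count, and each exclusion is tied to the artefact the log actually records (source IP, range, or queried name) rather than to a tool or account the DNS event does not carry. Keep the Reason column populated: an allowlist without justification is the first thing an attacker on a scanner host benefits from, and the first thing a reviewer will ask about.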