Document Type

Conference Paper

Publication Date

2023

DOI

10.1145/3618257.3624805

Publication Title

Proceedings of the 2023 ACM on Internet Measurement Conference

Pages

198-212

Conference Name

IMC '23: ACM Internet Measurement Conference, October 24-26, 2023, Montreal, Quebec, Canada

Abstract

Non-Existent Domain (NXDomain) is one type of Domain Name System (DNS) error response, indicating that the queried domain name does not exist and cannot be resolved. Unfortunately, little research has focused on understanding why and how NXDomain responses are generated, utilized, and exploited. In this paper, we conduct the first comprehensive and systematic study on NXDomain by investigating its scale, origin, and security implications. Utilizing a large-scale passive DNS database, we identify 146,363,745,785 NXDomains queried by DNS users between 2014 and 2022. Within these 146 billion NXDomains, 91 million hold historic WHOIS records, of which 5.3 million are identified as malicious domains, including about 2.4 million blocklisted domains, 2.8 million DGA (Domain Generation Algorithm) based domains, and 90 thousand squatting domains targeting popular domains. To gain more insights into the usage patterns and security risks of NXDomains, we register 19 carefully selected NXDomains in the DNS database, each of which received more than ten thousand DNS queries per month. We then deploy a honeypot for our registered domains and collect 5,925,311 incoming queries over 6 months, from which we discover that 5,186,858 and 505,238 queries are generated from automated processes and web crawlers, respectively. Finally, we perform extensive traffic analysis on our collected data and reveal that NXDomains can be misused for various purposes, including botnet takeover, malicious file injection, and residue trust exploitation.

Rights

© 2023 the Owner/Authors.

This work is licensed under a Creative Commons Attribution 4.0 International License.

Original Publication Citation

Liu, G., Jin, L., Hao, S., Zhang, Y., Liu, D., Stavrou, A., & Wang, H. (2023). Dial "N" for NXDomain: The scale, origin, and security implications of DNS queries to non-existent domains. In Proceedings of the 2023 ACM on Internet Measurement Conference (pp. 198-212). Association for Computing Machinery. https://doi.org/10.1145/3618257.3624805

ORCID

0000-0001-7483-5252 (Hao)
