Domain Traffic Intelligence


Established in 2017, Open Waters Limited is a London-based Domain Name and Traffic Intelligence company owned by PTL (Premium Traffic Limited).

NX Domain Intelligence

NXDOMAIN stands for Non-Existent Domain. It is the status a DNS resolver returns for an Internet domain name that cannot be resolved, either because the name does not exist in the zone or because it has not been registered yet. An NXDOMAIN response can also be caused by a network or DNS server problem.

If a domain name does not exist, the resolving name server should return NXDOMAIN status. For example, thisdomaindoesnotexist-checkit.com does not exist, so any query sent to my ISP's resolving name server should return NXDOMAIN. The following example should work from the command line on UNIX, Linux and Mac OS X:

host thisdomaindoesnotexist-checkit.com

Sample Output:

host thisdomaindoesnotexist-checkit.com not found: 3(NXDOMAIN)

Modern botnets rely on domain generation algorithms (DGAs) for establishing a connection with their command & control (C2) server instead of using fixed domain names or fixed IP addresses. According to DGArchive, to date more than 72 different DGAs are known and the number is expected to increase further, as DGAs significantly improve a botnet's resistance against takedown. A DGA generates a set of malicious algorithmically-generated domains (mAGDs) serving as potential rendezvous domains with a C2 server. The bots subsequently query the domain name system (DNS) for the IP addresses of these domains. The number of domains generated per day varies between 1 and 10,000 depending on the DGA. The botmaster registers only a few of these mAGDs. If these are queried by the bots, the bots obtain a valid IP address for their C2 server. All of the many other queries of the bots result in nonexistent domain (NXD) responses.

In the past, monitoring DNS traffic (successfully resolving and/or non-resolving) has been used as a primary or additional source of information for detecting malicious activity in a network. Some of these approaches have concentrated on identifying C2 servers, others have focused on identifying infected devices or detecting malicious domains in general. These prior approaches, however, all require the correlation of information extracted from groups of DNS queries and/or responses and thus typically require extensive tracking. In addition, many of these prior approaches are based on clustering, which involves manual labelling of the identified clusters. While these prior works show promising detection capabilities, little information on the efficiency of the detection process in terms of time and memory requirements is reported.
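As an added example (not Open Waters' own code), the following Python script scores NXDOMAIN responses one record at a time, without the cross-query correlation state the paragraph above describes: each NXD answer is counted per client, and the queried label is tested for the high character entropy typical of algorithmically generated names. The log format, the IP addresses and the domain names are constructed for the example.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a single domain label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def second_level_label(qname: str) -> str:
    """Label left of the TLD, e.g. 'xkq7wz2pvmn4' for 'xkq7wz2pvmn4.net'."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def score_nxdomains(lines, entropy_threshold: float = 3.0):
    """Per client: NXDOMAIN answers seen and how many queried labels look algorithmic.
    Each record is scored on its own, so no per-domain history has to be kept."""
    stats = defaultdict(lambda: {"nxdomain": 0, "dga_like": 0})
    for line in lines:
        client, qname, rcode = line.split()   # constructed 'client qname rcode' format
        if rcode.upper() != "NXDOMAIN":
            continue                          # only non-existent-domain responses matter here
        stats[client]["nxdomain"] += 1
        # Caveat: entropy alone is a coarse signal; long dictionary labels can also
        # exceed the threshold, so treat a hit as a triage hint, not a verdict.
        if shannon_entropy(second_level_label(qname)) >= entropy_threshold:
            stats[client]["dga_like"] += 1
    return dict(stats)

def suspicious_clients(stats, min_nxdomain: int = 3, min_ratio: float = 0.5):
    """Clients whose NXDOMAIN volume is mostly made up of DGA-looking names."""
    return sorted(c for c, s in stats.items()
                  if s["nxdomain"] >= min_nxdomain
                  and s["dga_like"] / s["nxdomain"] >= min_ratio)

# Constructed sample resolver log: client address, queried name, DNS response code.
SAMPLE_LOG = [
    "10.0.0.5 www.example.com NOERROR",
    "10.0.0.5 exmaple.com NXDOMAIN",          # a typo, not a DGA
    "10.0.0.7 mail.example.net NOERROR",
    "10.0.0.9 xkq7wz2pvmn4.net NXDOMAIN",
    "10.0.0.9 b3ryt9qlc0wd.com NXDOMAIN",
    "10.0.0.9 intranet.corp NXDOMAIN",        # a missing internal name
    "10.0.0.9 zlp2vq8hxk3m.info NXDOMAIN",
]

if __name__ == "__main__":
    print(suspicious_clients(score_nxdomains(SAMPLE_LOG)))
```

On the sample log only 10.0.0.9 is reported, since three of its four NXDOMAIN answers were for high-entropy labels, while the single typo from 10.0.0.5 stays below both the volume and the entropy thresholds.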

Address

The Fisheries, 1 Mentmore Terrace, London E8 3PN


Contacts

Email: hello@openwaters.ltd
