Quick Start Security for InfoBlox DNS
Coralogix Extension For InfoBlox DNS Includes:
Alerts - 5
Stay on top of InfoBlox DNS key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Infoblox DNS - High Number of NXDOMAIN Responses Returned
This alert detects when a high number of NXDOMAIN response codes is returned for DNS queries. The NXDOMAIN response code indicates that the queried domain does not exist.
Impact: A high number of NXDOMAIN responses from DNS servers can be an indication of domain generation algorithm (DGA) activity.
Mitigation: Investigate the source hosts that queried the domains which resulted in the high number of NXDOMAIN responses. See the following link for more detail: https://bluecatnetworks.com/blog/what-you-can-learn-from-an-nxdomain-response/
Mitre Tactic: TA0011; Mitre Technique: T1071; Mitre Sub-Technique: 004
Infoblox DNS - Anomalous number of Uncommon DNS Record Types Observed
This alert detects when a high number of DNS queries with uncommon record types such as TXT, PTR, and NULL is seen from a single host. TXT: a text record, often used for email security. PTR: provides a domain name in reverse lookups. NULL: a null resource record.
Impact: Threat actors may use less common record types for their C2 channels to support different commands or functions. For example, a C2 channel may use TXT requests to retrieve additional information, malware, or commands to execute.
Mitigation: Investigate the hosts querying the domains with a high number of these uncommon record types.
Mitre Tactic: TA0011; Mitre Technique: T1071; Mitre Sub-Technique: 004
Infoblox DNS - DNS Activity on TCP Detected
This alert detects when a DNS query is transmitted over TCP rather than UDP.
Impact: DNS requests over TCP are usually used either for DNS zone transfers or for transferring large quantities of data using the DNS protocol. Both can be an indication of malicious activity.
Mitigation: Investigate the source hosts involved in those queries using the audit logs from those machines, as this activity could be an indication of data exfiltration. See the following link for more detail: https://www.akamai.com/blog/news/introduction-to-dns-data-exfiltration
Mitre Tactic: TA0010; Mitre Technique: T1048
Infoblox DNS - Excessive REFUSED Response Code Returned
This alert detects when a high number of REFUSED response codes is returned for DNS queries. The REFUSED response code indicates that the DNS query failed because the server refused to answer it, which is often for policy reasons.
Impact: A high number of REFUSED responses from DNS servers could be due to policy reasons. For example, a particular device may be blocked if it is abusing the nameserver, or a particular operation, such as a zone transfer, might be forbidden. A zone transfer is a way of replicating DNS configuration information across multiple DNS servers for load balancing or backup. Usually, only an authorized party can complete a zone transfer; if an unauthorized user tries to initiate one, this is the response code they receive.
Mitigation: Investigate the source hosts that queried the domains which resulted in the high number of REFUSED responses. See the following link for more detail: https://bluecatnetworks.com/blog/what-you-can-learn-from-an-nxdomain-response/
Mitre Tactic: TA0011; Mitre Technique: T1071; Mitre Sub-Technique: 004
Infoblox DNS - Excessive SERVFAIL Response Code Returned
This alert detects when a high number of SERVFAIL response codes is returned for DNS queries. The SERVFAIL response code indicates a server failure, typically a technical problem with the DNS servers.
Impact: A high number of SERVFAIL responses from DNS servers could indicate that a security control on your network, such as a firewall or intrusion prevention system, is blocking a user from reaching that domain. Much like NXDOMAIN, excessive SERVFAIL responses should be investigated for malicious activity.
Mitigation: Investigate the source hosts that queried the domains which resulted in the high number of SERVFAIL responses. See the following links for more detail: https://bluecatnetworks.com/blog/what-you-can-learn-from-an-nxdomain-response/ and https://blog.cloudflare.com/unwrap-the-servfail/
Mitre Tactic: TA0011; Mitre Technique: T1071; Mitre Sub-Technique: 004
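The five detection conditions above, evaluated over sample DNS records, as an added example that is not Coralogix's own alert definition or Infoblox's log format: the key=value record layout, the field names and the per-alert thresholds are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample records in a simplified key=value layout (an assumption for this
# example, not Infoblox's actual log format): one DNS query and its response per line.
SAMPLE_LOG = """\
src=10.0.0.5 proto=udp qtype=A qname=kq3x9v.example rcode=NXDOMAIN
src=10.0.0.5 proto=udp qtype=A qname=zp8w2m.example rcode=NXDOMAIN
src=10.0.0.5 proto=udp qtype=A qname=r7tq1n.example rcode=NXDOMAIN
src=10.0.0.5 proto=udp qtype=A qname=b4xj6c.example rcode=NXDOMAIN
src=10.0.0.5 proto=udp qtype=A qname=cloud.example rcode=SERVFAIL
src=10.0.0.7 proto=udp qtype=TXT qname=a.c2.example rcode=NOERROR
src=10.0.0.7 proto=udp qtype=TXT qname=b.c2.example rcode=NOERROR
src=10.0.0.7 proto=udp qtype=NULL qname=c.c2.example rcode=NOERROR
src=10.0.0.9 proto=tcp qtype=A qname=mail.example rcode=NOERROR
src=10.0.0.11 proto=udp qtype=AXFR qname=example rcode=REFUSED
src=10.0.0.11 proto=udp qtype=A qname=example rcode=REFUSED
src=10.0.0.11 proto=udp qtype=A qname=www.example rcode=REFUSED
src=10.0.0.13 proto=udp qtype=A qname=www.example rcode=NOERROR
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")
UNCOMMON_TYPES = {"TXT", "PTR", "NULL"}  # the record types the alert singles out
ALERT_FOR_RCODE = {
    "NXDOMAIN": "High Number of NXDOMAIN Responses Returned",
    "REFUSED": "Excessive REFUSED Response Code Returned",
    "SERVFAIL": "Excessive SERVFAIL Response Code Returned",
}
UNCOMMON_ALERT = "Anomalous number of Uncommon DNS Record Types Observed"
TCP_ALERT = "DNS Activity on TCP Detected"

def parse_log(text):
    """Turn each non-empty log line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def evaluate_alerts(events, thresholds={"NXDOMAIN": 4, "REFUSED": 3, "SERVFAIL": 3, "UNCOMMON": 3}):
    """Return {alert name: sorted source hosts} for the five alerts. The thresholds are
    illustrative assumptions; tune them against your own DNS traffic baseline."""
    alerts = {name: set() for name in list(ALERT_FOR_RCODE.values()) + [UNCOMMON_ALERT, TCP_ALERT]}
    # Response-code alerts: count (source, rcode) pairs and compare with the per-code threshold.
    for (src, rcode), n in Counter((e["src"], e["rcode"]) for e in events).items():
        if rcode in ALERT_FOR_RCODE and n >= thresholds[rcode]:
            alerts[ALERT_FOR_RCODE[rcode]].add(src)
    # Uncommon record types: TXT/PTR/NULL query volume per source host.
    for src, n in Counter(e["src"] for e in events if e["qtype"] in UNCOMMON_TYPES).items():
        if n >= thresholds["UNCOMMON"]:
            alerts[UNCOMMON_ALERT].add(src)
    # TCP transport: a single query is enough, as zone transfers and bulk payloads use TCP.
    alerts[TCP_ALERT].update(e["src"] for e in events if e["proto"].lower() == "tcp")
    return {name: sorted(srcs) for name, srcs in alerts.items()}
```

On the sample above, host 10.0.0.5 trips the NXDOMAIN alert but not SERVFAIL (one failure is below the threshold), 10.0.0.7 trips the uncommon record type alert, 10.0.0.9 the TCP alert and 10.0.0.11 the REFUSED alert, while the benign 10.0.0.13 raises nothing.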
Integration
Learn more about Coralogix's out-of-the-box integration with InfoBlox DNS in our documentation.