NXDOMAIN spike detection

NXDOMAIN spike detection lets you monitor your zone for an increase in responses from DNS servers that are unable to resolve a domain. These spikes may signal a denial-of-service attack or a resource exhaustion attack where an attacker attempts to overwhelm your organization’s DNS infrastructure.

When you enable NXDOMAIN spike detection, you configure a threshold that must be breached before an NXDOMAIN spike is tracked. You can configure a dynamic threshold or an absolute threshold.

  • A dynamic threshold is the z-score (standard score) that the number of NXDOMAINs must reach before traffic is considered part of an NXDOMAIN spike.
  • An absolute threshold is the number of NXDOMAIN responses per second that must be reached before traffic is considered part of an NXDOMAIN spike.
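
How the two threshold types behave on the same traffic, as an added example that is not the product's own implementation. It assumes the z-score is computed against the mean and standard deviation of a recent baseline of per-second NXDOMAIN counts and that a threshold is breached when it is met or exceeded; all names and sample values are constructed.

```python
from statistics import mean, pstdev

def z_score(baseline, observed):
    """Standard score of `observed` against per-second NXDOMAIN baseline counts."""
    mu = mean(baseline)
    sigma = pstdev(baseline)
    if sigma == 0:
        # Flat baseline: no spread to scale by. Any rise is treated as
        # maximally unusual, no change scores zero.
        return 0.0 if observed == mu else float("inf")
    return (observed - mu) / sigma

def is_spike(baseline, observed, threshold_type, threshold):
    """True when `observed` meets the configured threshold (assumed >=)."""
    if threshold_type == "absolute":
        return observed >= threshold          # NXDOMAIN responses per second
    if threshold_type == "dynamic":
        return z_score(baseline, observed) >= threshold
    raise ValueError(f"unknown threshold type: {threshold_type}")

def compare(baseline, observed, z_threshold=3.0, abs_threshold=500):
    """Evaluate one observation under both threshold types."""
    return {
        "dynamic": is_spike(baseline, observed, "dynamic", z_threshold),
        "absolute": is_spike(baseline, observed, "absolute", abs_threshold),
    }

# Constructed baselines: NXDOMAIN responses per second over ten samples.
QUIET_ZONE = [2, 3, 1, 2, 4, 2, 3, 2, 1, 2]
BUSY_ZONE = [900, 1100, 950, 1050, 1000, 980, 1020, 1010, 990, 1000]

if __name__ == "__main__":
    # 40/s is far outside the quiet zone's norm but well under 500/s.
    print("quiet zone, 40/s  :", compare(QUIET_ZONE, 40))
    # 1100/s is ordinary for the busy zone but above a 500/s absolute limit.
    print("busy zone, 1100/s :", compare(BUSY_ZONE, 1100))
```

A dynamic threshold adapts to each zone's normal NXDOMAIN rate, while an absolute threshold set below a busy zone's normal rate fires continuously and one set too high misses spikes on quiet zones.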

You can configure the dynamic and absolute thresholds for multiple zones, or you can configure them for a specific zone.

You can also have administrators receive email alert notifications for detected NXDOMAIN spikes.

Enable and configure NXDOMAIN spike detection

Complete this procedure to enable NXDOMAIN spike detection.

If you configured default NXDOMAIN spike thresholds, the threshold settings you set with this procedure take precedence over the default settings.

To enable NXDOMAIN spike detection:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
  2. Click Security analytics.
  3. If you are enabling NXDOMAIN spike detection in a zone, complete these steps:
    1. Go to the zone where you want to enable NXDOMAIN spike detection. If you need to apply a filter to find a zone, see Filter list of zones.
    2. From the Actions menu, select Zone Settings.
    3. In the window that appears, click the NXDOMAIN Spikes tab.
  4. If you are enabling NXDOMAIN spike detection for a shield, complete these steps:
    1. Go to the shield configuration for which you want to enable NXDOMAIN spike detection.
    2. From the Actions menu, select Shield Settings.
    3. In the window that appears, click the NXDOMAIN Spikes tab.
  5. Enable the toggle for NXDOMAIN Spike Detection.
  6. In the Threshold Type menu, select whether you want to apply a dynamic or absolute threshold. Based on the threshold type you select, do one of the following:
    • In the Dynamic Threshold field, enter a z-score or standard score value that must be met for traffic to be considered part of an NXDOMAIN spike.
    • In the Absolute Threshold field, enter a value for NXDOMAIN responses per second.
  7. If you want administrators to receive email alerts for NXDOMAIN spikes, do the following:
    1. In the General tab, enter email addresses in the Alerting Emails field.
    2. In the NXDOMAIN Spikes tab, enable NXDOMAIN Spike Alerting.
  8. Click Confirm.

Configure the default NXDOMAIN spike thresholds for multiple zones

The default NXDOMAIN spike thresholds apply to zones and shield configurations where a spike threshold is not configured.

If NXDOMAIN spike thresholds are already set for a specific zone or shield, those thresholds take precedence over the default settings. For more information, see Enable and configure NXDOMAIN spike detection.

To configure the default NXDOMAIN spike thresholds:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
  2. Click Security analytics.
  3. At the top of the page, click Settings.
  4. In the window that appears, configure the default dynamic threshold and the default absolute threshold for a zone. If your organization is using Shield NS53, you can also configure these thresholds for a shield configuration.
    1. For a zone, in the Default Zone Dynamic Threshold field, enter a z-score or standard score value that must be met for zone traffic to be considered part of an NXDOMAIN spike.
    2. For a zone, in the Default Zone Absolute Threshold field, enter a value for NXDOMAIN responses per second.
    3. For a shield, in the Default Shield Dynamic Threshold field, enter a z-score or standard score value that must be met for traffic to be considered part of an NXDOMAIN spike.
    4. For a shield, in the Default Shield Absolute Threshold field, enter a value for NXDOMAIN responses per second.
  5. Click Confirm.

Download CSV with data on NXDOMAIN spikes

Complete this procedure to download a list of NXDOMAIN spikes that occurred for a zone within the last 24 hours.

To download a CSV with NXDOMAIN spikes:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
  2. Click Security analytics.
  3. To download a CSV with NXDOMAIN spikes that occurred in a zone:
    1. In the Zone tab, go to a zone where NXDOMAIN spikes were detected. If you need to filter the list of zones, see Filter list of zones. You can also sort the list in the table to view the zones that have NXDOMAIN spike detection enabled.
    2. If NXDOMAIN spikes were found in the last 24 hours, a View button is visible in the NXDOMAIN Spike Detection column of the table. Click View. You can also go to the Actions menu and select NXDOMAIN Spikes.
      A window that details scan results appears. You can see the total number of requests and the number of requests that contained NXDOMAINs.
  4. To download a CSV with NXDOMAIN spikes that occurred for a shield:
    1. In the Shields tab, go to the shield where NXDOMAIN spikes were detected.
    2. If NXDOMAIN spikes were found in the last 24 hours, a View button is visible in the NXDOMAIN Spike Detection column of the table. Click View. You can also go to the Actions menu and select NXDOMAIN Spikes.
      A window that details scan results appears. You can see the total number of requests and the number of requests that contained NXDOMAINs.
  5. Click the download icon to download this list in a CSV file.

Next Steps:

To review and investigate data on the Security Analytics page, see View and investigate NXDOMAIN spikes.

View and investigate NXDOMAIN spikes

If an NXDOMAIN spike was detected in the last 24 hours, you can view and investigate these spikes from the Security Analytics page. To download a CSV that contains NXDOMAIN spike data, see Download CSV with data on NXDOMAIN spikes.

To view data on NXDOMAIN spikes:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics at the top of the page.
  3. To view data on NXDOMAIN spikes for a zone:
    1. In the Zone tab, go to a zone where NXDOMAIN spikes were detected. If you need to filter the list of zones, see Filter list of zones. You can also sort the list in the table to view the zones that have NXDOMAIN spike detection enabled.
    2. If NXDOMAIN spikes were found in the last 24 hours, a View button is visible in the NXDOMAIN Spike Detection column of the table. Click View. You can also go to the Actions menu and select NXDOMAIN Spikes.
      A window that details scan results appears. You can see the total number of requests and the number of requests that contained NXDOMAINs.
  4. To view data on NXDOMAIN spikes for a shield:
    1. In the Shields tab, go to the shield where NXDOMAIN spikes were detected.
    2. If NXDOMAIN spikes were found in the last 24 hours, a View button is visible in the NXDOMAIN Spike Detection column of the table. Click View. You can also go to the Actions menu and select NXDOMAIN Spikes.
      A window that details scan results appears. You can see the total number of requests and the number of these requests that contained NXDOMAINs.
  5. Expand a scan to view more details about the spike, including the threshold that was exceeded and the average number of NXDOMAINs per second. You can click Investigate to view more data in a report. For an NXDOMAIN spike in a zone, you are directed to the Infrastructure Security Analytics - NXDOMAIN Spike Details report. For an NXDOMAIN spike that occurred for a shield, you are directed to the Shield NS53 Proxy Queries report.

View date and time of last NXDOMAIN spike scan

Complete this procedure to view the date of the last NXDOMAIN spike scan.

To view the date and time of the last NXDOMAIN spike scan:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics at the top of the page.
  3. Click the Zones or Shields tab to view data on zones or shields.
  4. Sort results to show the zones or shields that have NXDOMAIN spike detection enabled.
  5. Expand the zone or shield to see the date and time when the NXDOMAIN scan was completed. The page also indicates how long the last scan remains current before another scan is run.