Set up security analytics

From the Security Analytics page, you can scan Edge DNS zones for the following threats:

  • Nonexistent domain (NXDOMAIN) spikes. Indicates an increase in NXDOMAIN responses, which DNS servers return when they cannot resolve a nonexistent domain. These spikes can signal a DNS resource exhaustion attack where an attacker attempts to flood DNS infrastructure. If you are using Shield NS53, you can also enable NXDOMAIN spike detection for a shield configuration. For more information, see NXDOMAIN spike detection.
  • Dangling canonical name (CNAME) records. Indicates that CNAME records point to domains that do not exist. This can lead to subdomain takeover, where an attacker redirects traffic. For more information, see Dangling CNAME detection.
  • Hijacked domains. Indicates that domains resolve to answers that are not authoritatively defined for a zone, or that domains are blocked and resolve to an NXDOMAIN. To carry out DNS hijacking, an attacker compromises the DNS resolution process, such as the public name server, to redirect traffic, block access, steal information, and more. For more information, see DNS hijacking detection.
  • Related domains. Indicates there are domains that resemble or look like one of your domains. These domains can be fake domains that attackers use for phishing, brand impersonation, trademark infringement, and more. For more information, see Related domain detection.

If you enable the detection of these threats, the Security Analytics page shows the number of NXDOMAIN spikes, dangling CNAME records, hijacked domains, and related domains that are found in each of your zones. You can expand zone information to view when the zone was last scanned for NXDOMAIN spikes and dangling CNAME records.
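As an added illustration of the dangling CNAME condition defined above (a CNAME record whose target does not exist), the following sketch checks a list of zone records independently of the Security Analytics page. It is not Akamai code: the record tuples, the function names, and the stub resolver are constructed for this example and do not reflect the Edge DNS CSV format.

```python
import socket

# Constructed sample records (owner name, type, target); not an Edge DNS export format.
SAMPLE_RECORDS = [
    ("www.example.com.", "CNAME", "web.example.net."),
    ("shop.example.com.", "CNAME", "Old-Store.example.org."),
    ("mail.example.com.", "A", "192.0.2.10"),
    ("docs.example.com.", "cname", "docs-host.example.net"),
]

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def system_lookup(name):
    """True if the name resolves, False if the resolver says it does not exist,
    None if the lookup failed for another reason (timeout, server failure).
    On some platforms EAI_NONAME also covers names with no address records."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror as err:
        return False if err.errno == socket.EAI_NONAME else None

def check_cnames(records, lookup=system_lookup):
    """Split CNAME records into dangling and undetermined lists."""
    result = {"dangling": [], "undetermined": []}
    for owner, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue  # only CNAME targets are checked
        status = lookup(normalize(target))
        pair = (normalize(owner), normalize(target))
        if status is False:
            result["dangling"].append(pair)
        elif status is None:
            # A failed lookup is not proof that the target is gone.
            result["undetermined"].append(pair)
    return result

def stub_lookup(name):
    """Constructed resolver so the example runs offline."""
    answers = {"web.example.net": True, "old-store.example.org": False}
    return answers.get(name)  # names not listed count as lookup failures

if __name__ == "__main__":
    report = check_cnames(SAMPLE_RECORDS, lookup=stub_lookup)
    for kind, rows in report.items():
        for owner, target in rows:
            print(f"{kind}: {owner} -> {target}")
```

Passing `lookup=system_lookup` (the default) runs the same check against the local resolver; targets reported as undetermined should be retried rather than treated as dangling.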

The Security Analytics page lets you download CSVs with specific information for a zone. You can:

  • View and download a CSV that contains dangling CNAME records that were detected.
  • View and download a CSV that contains NXDOMAIN spikes from the last 24 hours.
  • Generate and download a zone report or CSV that contains DNS records for a zone and the number of requests made to those domains.
  • Download a CSV that contains a list of zones and, if enabled, counts for NXDOMAIN spikes, dangling CNAMEs, related domains, and hijacked domains.

You can open these reports to view more data about DNS traffic, NXDOMAINs, and more in your zones:

  • Infrastructure Security Analytics - Security Summary
  • Infrastructure Security Analytics - Edge DNS Summary
  • Infrastructure Security Analytics - Edge DNS Zone Details
  • Infrastructure Security Analytics - NXDOMAIN Spike Details

For more information on these reports, see Infrastructure Security Analytics reports.