Fast, accurate data on DNS errors for cyber security teams

The Security Challenge

Fast access to accurate data about DNS errors

Every day, hundreds of billions of Domain Name System (DNS) queries are made as Internet users visit websites. While most queries are successful and return the requested answer, sometimes the DNS request results in a “non-zero” error code, signaling that the specific domain name cannot be resolved successfully.

Suspicious activity is often a factor in these errors and may indicate brand infringement, misuse of domains to enable malware campaigns, or botnet activity. Security teams need fast access to accurate data about DNS errors so they can understand and investigate why domain names are not resolving successfully.

The Farsight Solution


offers two channels in the SIE platform to help identify the cause of certain types of errors that prevent successful resolution of domain names: DNS Errors (Channel 220) and NXDOMAINS (Channel 221).

The DNS Errors channel provides:

  • Visibility into global SERVFAIL and REFUSED messages that are otherwise difficult to obtain for monitoring name servers. Network managers can determine in real time when the name servers under their responsibility are causing problems.
  • The ability for security analysts to monitor for indications that DNS response policy zones (RPZ) or other “DNS firewall” technologies are in selective use, since those methods normally return error conditions locally for names that are in fact currently defined.

The NXDOMAINS channel provides:

  • The ability to empirically characterize user mistakes and identify potentially valuable brand protection opportunities with similar domain names.
  • Identification of unregistered Web Proxy Autodiscovery (WPAD) Protocol servers for security teams to address.

“Farsight’s error channels enable valuable dumpster-diving for intelligence on my domains.”

Information Security Manager
National Financial Institution

DNS Errors and NXDOMAINS channel capabilities:

Operational Monitoring

An easy way to monitor domain names for unexpected errors - including those due to authoritative name server problems.

Brand Protection

Brand infringement campaigns often begin with DNS reconnaissance with malicious actors probing for unregistered domain names similar to those of targeted brands. Watching NXDOMAIN traffic is a simple way to detect the emergence of these campaigns.

Detection of Botnets

Botmasters have avoided takedowns by coding and deploying domain generation algorithms (DGAs). Through this approach, botnet‑infected systems attempt, and fail, to resolve a large number of random-appearing domain names. The DNS Errors and NXDOMAINS channels give threat analysts and security researchers visibility into DGA‑related DNS traffic.

Domain Protection

Security-conscious organizations often register commonly misspelled variations of their domain names to prevent cybercriminals from registering those domains and employing them in malware campaigns. The NXDOMAINS channel delivers a real-time view of misspelled variations of domain names so organizations can move quickly to register them before malicious actors do.
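A defender-side sketch, added here and not part of Farsight's product or the SIE channel tooling, of the two NXDOMAIN analyses described under Detection of Botnets and Domain Protection: sources that fail to resolve many DGA-style names, and failed lookups that are misspellings of a monitored domain. The two-field record layout, the sample names, the monitored domain and the thresholds are all assumptions constructed for this example.

```python
import math
from collections import Counter, defaultdict
# Constructed NXDOMAIN observations as (source, query name). This two-field
# layout is an assumption for the example, not the SIE channel record format.
SAMPLE_NXDOMAINS = [
    ("10.0.0.5", "xk3qpd9vlaw7.com"), ("10.0.0.5", "zq7mfbt0w2ry.net"),
    ("10.0.0.5", "h4cjn8sklv1e.org"), ("10.0.0.5", "bp6tzr2mqx9d.com"),
    ("10.0.0.5", "n0ygw5kfj3ha.net"), ("10.0.0.5", "vr8dq1tnxm4c.info"),
    ("10.0.0.7", "exmaple-bank.com"),    # transposed letters
    ("10.0.0.7", "examplebank.com"),     # missing hyphen
    ("10.0.0.9", "nosuchname.example"),  # ordinary user mistake
]
MONITORED = ["example-bank.com"]  # constructed brand domain to protect

def shannon_entropy(text):
    """Bits per character; random DGA labels score high, words score lower."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def is_dga_like(qname, min_len=10, min_entropy=3.5):
    """Illustrative heuristic on the leftmost label; real classifiers use more."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def dga_suspects(records, min_names=5):
    """Sources that failed to resolve many distinct DGA-like names."""
    names = defaultdict(set)
    for src, qname in records:
        if is_dga_like(qname):
            names[src].add(qname)
    return {src: len(n) for src, n in names.items() if len(n) >= min_names}

def edit_distance(a, b):
    """Levenshtein distance, used to spot misspelled brand domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_lookalikes(records, monitored, max_dist=2):
    """NXDOMAIN names within max_dist edits of a monitored domain."""
    hits = {}
    for _, qname in records:
        for brand in monitored:
            if qname != brand and edit_distance(qname, brand) <= max_dist:
                hits[qname] = brand
    return hits
```

On the constructed sample, `dga_suspects` flags only 10.0.0.5 (six distinct high-entropy names) and `brand_lookalikes` returns the two misspellings of the monitored domain, which is the kind of result a team would feed into a registration or takedown queue.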