---
title: Anomalous volume of NXDomain DNS responses from a single source IP
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Anomalous volume of NXDomain DNS
  responses from a single source IP
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Anomalous volume of NXDomain DNS responses from a single source IP

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification:attackTactic:[TA0011-command-and-control](https://attack.mitre.org/tactics/TA0011)Technique:[T1568-dynamic-resolution](https://attack.mitre.org/techniques/T1568) 
## Goal{% #goal %}

Detects an anomalous volume of `NXDOMAIN` DNS responses returned to a single source IP.

## Strategy{% #strategy %}

This rule monitors OCSF DNS Activity events where `@ocsf.class_uid` is `4003` and the response code `@ocsf.rcode_id` is `3` (`NXDOMAIN`), grouped by `@ocsf.src_endpoint.ip`. A spike of resolution failures from one host is a hallmark of domain generation algorithms (DGAs), where malware iterates through pseudo-random candidate domains until it reaches a live C2 endpoint.

## Triage and response{% #triage-and-response %}

- Examine the hostnames queried by `{{@ocsf.src_endpoint.ip}}` and determine whether they share a DGA-like pattern (random character distribution, identical length, shared TLD).
- Identify the process or workload on `{{@ocsf.src_endpoint.ip}}` driving the requests and verify it has a legitimate reason to be resolving the observed domains.
- Determine if endpoint detection products on the host reported related execution, persistence, or beaconing activity around the same time.
