Scenario
Your organization wants to protect recursive DNS servers from phantom domain attacks. These attacks rely on non‑responsive or malicious authoritative servers to degrade DNS performance and exhaust resolver resources. In this lab, you will configure Grid‑level DNS security settings that detect and mitigate non‑responsive server behavior.
Estimated Completion Time
- 20 minutes
Credentials
| Description | Username | Password | URL or IP |
|---|---|---|---|
| Grid Manager UI | admin | infoblox | |
Requirements
- Administrative DNS access to the Grid
- Knowledge of which networks are permitted to perform DNS queries (connect on port 53)
Learning Content
Lab Initiation
Access jump-desktop
Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:
- Username: training
- Password: infoblox
Initiate lab
To initiate the lab, double-click the Launch Lab icon on the Desktop.
Choose the lab number from the list and click OK.
After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.
Lab initiation will take a couple of minutes to finish.
Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.
Tasks
Task 1: Adding Phantom Domain protection
Enable the appropriate DNS security settings to protect the Grid against phantom domain attacks.
Solutions
Task 1 Solution: Adding Phantom Domain protection
- In the Grid Manager, navigate to Data Management → DNS.
- From the Toolbar, click Grid DNS Properties.
- In the Grid DNS Properties window:
  - Click Toggle Advanced Mode (if not already enabled).
  - Select Security from the left-hand navigation panel.
- Locate the NON‑RESPONSIVE SERVERS section. This section contains the DNS security controls used to mitigate phantom domain attacks.
- Review the available options and enable the appropriate settings based on the guidance below. Click Save & Close when done.
Non-Responsive Servers Options Explained
The following three options protect recursive DNS servers from being overwhelmed by non‑responsive or malicious authoritative servers. All options are disabled by default.
- Enable holddown for non-responsive servers: The most conservative option, and the recommended one for protecting against phantom domains. When enabled, the recursive DNS server temporarily stops sending queries to upstream servers that fail to respond, placing them into a holddown state for a defined period. This limits the effectiveness of phantom domain attacks without significantly impacting legitimate traffic.
- Limit recursive queries per server: This option restricts the number of queries sent to an individual upstream server. If the limit is exceeded, the DNS server returns SERVFAIL responses to clients. While effective, this option should only be enabled after collecting traffic statistics to establish baseline values, as overly restrictive limits may impact valid client queries.
- Limit recursive queries per zone: This option limits the number of recursive queries sent to a specific domain or zone. When the threshold is exceeded, additional queries result in SERVFAIL responses. As with per‑server limits, baseline analysis is recommended before enabling this option to avoid unintended disruption to legitimate DNS traffic.
Baseline Analysis Required
The Limit recursive queries per server and Limit recursive queries per zone settings require baseline DNS traffic analysis. Enabling these options without understanding normal query volumes can block legitimate traffic and trigger widespread SERVFAIL responses.
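To make the three controls and the baseline caveat concrete, the following Python model is added here for this write-up; it is not Infoblox code and only approximates the product's logic. It simulates a resolver applying holddown and per-server/per-zone outstanding-fetch limits; the thresholds, timings, and the phantom.example names are constructed values.

```python
from collections import defaultdict

class ResolverModel:
    def __init__(self, holddown_secs=60, fail_threshold=3,
                 per_server_limit=None, per_zone_limit=None):
        self.holddown_secs = holddown_secs        # how long a server stays in holddown
        self.fail_threshold = fail_threshold      # consecutive timeouts before holddown
        self.per_server_limit = per_server_limit  # max outstanding fetches per upstream
        self.per_zone_limit = per_zone_limit      # max outstanding fetches per zone
        self.outstanding_server = defaultdict(int)
        self.outstanding_zone = defaultdict(int)
        self.timeouts = defaultdict(int)          # consecutive timeouts per upstream
        self.held_until = {}                      # upstream -> time holddown expires

    def send(self, now, zone, upstream):
        """Decide whether a recursive fetch may go to `upstream`; returns the verdict."""
        if self.held_until.get(upstream, 0) > now:
            return "SERVFAIL (holddown)"           # server is ignored until holddown expires
        if self.per_server_limit and self.outstanding_server[upstream] >= self.per_server_limit:
            return "SERVFAIL (per-server limit)"   # too many unanswered fetches to this server
        if self.per_zone_limit and self.outstanding_zone[zone] >= self.per_zone_limit:
            return "SERVFAIL (per-zone limit)"     # too many unanswered fetches for this zone
        self.outstanding_server[upstream] += 1
        self.outstanding_zone[zone] += 1
        return "SENT"

    def complete(self, now, zone, upstream, responded):
        """Record the outcome of a fetch previously accepted by send()."""
        self.outstanding_server[upstream] -= 1
        self.outstanding_zone[zone] -= 1
        if responded:
            self.timeouts[upstream] = 0            # any answer clears the timeout streak
            return
        self.timeouts[upstream] += 1
        if self.timeouts[upstream] >= self.fail_threshold:
            self.held_until[upstream] = now + self.holddown_secs
            self.timeouts[upstream] = 0

def phantom_domain_demo():
    """Constructed scenario: ns1.phantom.example never answers; per-server limit is 3."""
    r = ResolverModel(holddown_secs=60, fail_threshold=3, per_server_limit=3)
    ns, zone = "ns1.phantom.example", "phantom.example"
    verdicts = [r.send(0, zone, ns) for _ in range(4)]   # 4th fetch exceeds the limit
    for _ in range(3):
        r.complete(5, zone, ns, responded=False)         # three timeouts -> holddown
    verdicts.append(r.send(10, zone, ns))                # still in holddown at t=10
    verdicts.append(r.send(70, zone, ns))                # holddown expired, server retried
    return verdicts
```

The per-server and per-zone branches are exactly where a limit set below the real baseline would turn legitimate lookups into SERVFAIL, which is why the guidance above insists on measuring normal query volumes first.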