DGA Confirmed — NXDOMAIN Flood with High-Entropy Domain Pattern
12 DNS NXDOMAIN DGA Flood
Query
// Signal 1: High NXDOMAIN volume with high failure rate
let NxdomainClients =
ASimDnsActivityLogs
| where TimeGenerated > ago(1h)
| summarize
TotalQueries = count(),
NxdomainCount = countif(DnsResponseCodeName =~ "NXDOMAIN" or DnsResponseCode == 3),
UniqueDomains = dcount(DnsQuery),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SrcIpAddr, SrcHostname
| where NxdomainCount > 200
| extend NxdomainRate = round(todouble(NxdomainCount) / todouble(TotalQueries) * 100.0, 1)
| where NxdomainRate > 40;
// Signal 2: The failed domains exhibit DGA-typical consonant ratio + digits
let DgaEntropyClients =
ASimDnsActivityLogs
| where TimeGenerated > ago(1h)
| where DnsResponseCodeName =~ "NXDOMAIN" or DnsResponseCode == 3
| extend SLD = tostring(split(DnsQuery, ".")[-2])
| where strlen(SLD) between (10 .. 40)
| extend
ConsonantCount = countof(SLD, "b") + countof(SLD, "c") + countof(SLD, "d")
+ countof(SLD, "f") + countof(SLD, "g") + countof(SLD, "h")
+ countof(SLD, "j") + countof(SLD, "k") + countof(SLD, "l")
+ countof(SLD, "m") + countof(SLD, "n") + countof(SLD, "p")
+ countof(SLD, "q") + countof(SLD, "r") + countof(SLD, "s")
+ countof(SLD, "t") + countof(SLD, "v") + countof(SLD, "w")
+ countof(SLD, "x") + countof(SLD, "y") + countof(SLD, "z"),
HasDigits = SLD matches regex @"\d"
| extend ConsonantRatio = todouble(ConsonantCount) / todouble(strlen(SLD))
| where ConsonantRatio > 0.65 and HasDigits == true
| summarize
DgaLikeDomains = dcount(DnsQuery),
SampleDomains = make_set(DnsQuery, 15)
by SrcIpAddr, SrcHostname
| where DgaLikeDomains > 5;
// Both signals must match the same client — high confidence DGA
NxdomainClients
| join kind=inner DgaEntropyClients on SrcIpAddr
| project
SrcIpAddr,
SrcHostname,
NxdomainCount,
NxdomainRate,
UniqueDomains,
DgaLikeDomains,
SampleDomains,
FirstSeen,
LastSeenExplanation
This query is designed to detect high-confidence Domain Generation Algorithm (DGA) activity by combining two specific signals. Here's a simplified breakdown:
-
Purpose: The query aims to identify potential DGA-related malicious activity by analyzing DNS query patterns that are typical of malware using DGAs.
-
Signals Used:
- NXDOMAIN Volume: It checks for clients that receive more than 200 NXDOMAIN (non-existent domain) responses within an hour, with a failure rate exceeding 40%. This indicates a high volume of failed DNS queries.
- Domain Entropy: It looks for failed domains that have a high consonant ratio (over 65%) and contain digits, which are characteristics of pseudo-randomly generated domains typical of DGA.
-
Detection Criteria: A client must meet both conditions (high NXDOMAIN volume and DGA-like domain patterns) to trigger an alert. This dual-condition approach reduces false positives compared to using either signal alone.
-
Malware Families: The rule is particularly relevant for detecting malware families known to use DGAs, such as Emotet, QakBot, Dridex, TrickBot, and others.
-
Alerting: When both conditions are met, an alert is generated with details about the source IP, hostname, number of NXDOMAIN responses, failure rate, and sample domains.
-
Operational Details:
- The query runs every hour and checks data from the past hour.
- It uses data from Windows DNS logs.
- The alert severity is set to high due to the strong indication of malicious activity.
-
Recommendations: Disable other built-in alerts that check only for high NXDOMAIN volume or failure rate alone to avoid duplicate alerts, as this rule provides a more comprehensive detection method.
Overall, this query is a sophisticated method to detect potential DGA-based attacks by analyzing DNS query patterns and characteristics.
Details

David Alonso
Released: March 26, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 1h
Period: 1h