There are two types of DNS Response DGA filters: NOERROR and NXDOMAIN.
- NOERROR filters detect a NOERROR DNS response. A NOERROR response to a DNS query means that the hostname that was queried exists and is well-formed.
Evaluate these filters individually to ensure that there are no performance impacts. You can safely deploy these filters with Permit + Notify + Trace enabled to examine each event and make an informed decision. If, after evaluation, you decide a filter is necessary, change the action set to Block without a trace.
- NXDOMAIN filters detect an NXDOMAIN DNS response. An NXDOMAIN response to a DNS query means that the hostname that was queried does not exist.
NXDOMAIN filters are much less likely to have performance impacts or false positive concerns. Enable Trace so that you can identify the domain name that is being requested to determine if it is a DGA or a valid host. You can safely deploy these filters with Block + Notify + Trace enabled.
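The following is an added example, not part of the original page and not code from the filter product it describes. It illustrates the evaluation step above: given traced DNS response events, it separates NOERROR from NXDOMAIN responses per client, applies a simple lexical heuristic to the queried name to help an analyst decide whether it is DGA-like or a valid host, and reports which clients show a burst of NXDOMAIN answers for DGA-like names. The log format, the client and domain values, and the heuristic thresholds are all constructed for this example; a real deployment would read the trace output of its own sensor and could replace the naive registered-label logic with a public-suffix list.

```python
import math
from collections import defaultdict

# Constructed sample of traced DNS response events (not real data):
# one event per line, "<client_ip> <queried_name> <rcode>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 xk3qz9tpl2vw.com NXDOMAIN
10.0.0.7 q8w1e2r3t4y5.net NXDOMAIN
10.0.0.7 zz9plq7mxw3k.org NXDOMAIN
10.0.0.7 pq7s8d9f0g1h.info NXDOMAIN
10.0.0.7 bl6vn3mk2xz8.biz NOERROR
10.0.0.9 exampel.com NXDOMAIN
"""


def parse_log(text):
    """Parse the constructed log format into (client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed events rather than failing the whole run
        client, qname, rcode = parts
        records.append((client, qname.lower(), rcode.upper()))
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n)
                for c in {ch: s.count(ch) for ch in set(s)}.values())


def registered_label(qname):
    """Naive 'registered' label: the label left of the TLD (no public-suffix list; assumption)."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_dga(qname, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Heuristic triage: long, high-entropy, vowel-poor labels are DGA-like.

    Thresholds are illustrative assumptions, tuned only for the sample above.
    """
    label = registered_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def summarize_by_client(records):
    """Count NOERROR/NXDOMAIN per client and collect DGA-like NXDOMAIN names."""
    summary = defaultdict(lambda: {"NOERROR": 0, "NXDOMAIN": 0, "OTHER": 0,
                                   "dga_like_nxdomain": []})
    for client, qname, rcode in records:
        bucket = rcode if rcode in ("NOERROR", "NXDOMAIN") else "OTHER"
        summary[client][bucket] += 1
        if rcode == "NXDOMAIN" and looks_dga(qname):
            summary[client]["dga_like_nxdomain"].append(qname)
    return dict(summary)


def flag_clients(records, min_dga_nxdomain=3):
    """Clients with at least min_dga_nxdomain NXDOMAIN answers for DGA-like names.

    This mirrors what an NXDOMAIN filter surfaces: a host cycling through
    generated names that do not resolve.
    """
    return sorted(client for client, s in summarize_by_client(records).items()
                  if len(s["dga_like_nxdomain"]) >= min_dga_nxdomain)


def noerror_dga_hits(records):
    """NOERROR answers for DGA-like names: the noisier events a NOERROR filter
    raises, which the text says to evaluate individually before blocking."""
    return [(client, qname) for client, qname, rcode in records
            if rcode == "NOERROR" and looks_dga(qname)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, s in sorted(summarize_by_client(recs).items()):
        print(client, "NOERROR=%d NXDOMAIN=%d dga-like-nx=%s"
              % (s["NOERROR"], s["NXDOMAIN"], s["dga_like_nxdomain"]))
    print("flagged clients:", flag_clients(recs))
    print("NOERROR hits on DGA-like names:", noerror_dga_hits(recs))
```

In the sample, the NXDOMAIN counts alone isolate the one client cycling through unresolvable generated names, while the single NOERROR event for a DGA-like name is exactly the kind of event worth inspecting by hand before changing the NOERROR filter's action set to Block.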