NXDOMAIN is the return code when a DNS lookup fails to resolve the requested domain to an IP address. This can happen for many reasons. Usually, it is just a user mistyping an address– google.xom. However, if you search your logs for NXDOMAIN, and look at the domains for which DNS lookups failed, you may be surprised at what you find.
One interesting thing that may come up are requests to various random-looking “.onion” domains. Dot onion is not a valid, routable top-level domain, but it is used by Tor clients to route requests onto the Tor network. Seeing these requests in your DNS data indicates that a device either has a Tor client installed, or that there is some malicious software on a device that is trying to find a Tor entry point.
Either case calls for action, and locating the IP address associated with the “.onion” requests can help you track down the device in question. Search on the IP address, and in the first few records returned, you are likely to find a successful login event from Active Directory logs. This will give you the user of the implicated machine. Once you’ve located the device, it would be wise to do a full malware scan on it.
Securolytics will automatically scan DNS records for suspicious domain requests. Keep malware off your network, and keep your data safe with Securoltyics.