# NXDomain Counts

DNS Response Code 3 (RCode) indicates "Domain name does not exist".  As the name suggests, this is present when a host will attempt to resolve a Domain name address that does not exist.  This may be an indicator that a host is using DGA.

## Hypothesis:
Clusters of users within the same department (e.g. Account) will tend to have a similar NXDomain response code count for a period of time.  If a user is generating an abnormal amount of NXDomain response codes, this is a potential indicator of compromise. 

## Datasets:





In [1]:
import os
import pandas as pd
import numpy as np

In [70]:
dns_df = pd.read_csv('./dataset/dns.log', delimiter='\t', skiprows=[0,1,2,3,4,6,7], skipfooter=1, engine='python')
dns_df.columns = ['ts', 'uid', 'id.orig_h', 'id.resp_h', 'id.resp_p', 'proto', 'trans_id', 'query', 'qclass', 'qclass_name', 'qtype', 'qtype_name', 'rcode', 'rcode_name', 'AA', 'TC', 'RD', 'RA', 'Z', 'answersTTLS', 'rejected', 'not_req', 'not_req2']

dns_df['ts'] = pd.to_datetime(dns_df['ts'], unit='s')
dns_df['ts'] = dns_df['ts'].dt.date

dns_df = dns_df[['ts', 'id.orig_h', 'AA']]
dns_df.columns = ['date', 'srcip', 'response']


In [128]:
# Create Response Summary
uniqueHosts = set(dns_df['srcip'].values.tolist())

summary_df = pd.DataFrame()
temp_df = pd.DataFrame()

for ip in uniqueHosts:
    temp_df = dns_df[dns_df['srcip'] == ip]
    temp_df = temp_df['response'].value_counts().to_frame().transpose()
    temp_df['date'] = date
    temp_df['srcip'] = ip

    summary_df = pd.concat([temp_df, summary_df], sort=False)

# Standardise dataframe
summary_df = summary_df.fillna(0)
summary_df.reset_index(inplace=True)
summary_df = summary_df[['date', 'srcip', '-', 'NXDOMAIN', 'NOERROR', 'NXRRSet', 'REFUSED', 'NOTAUTH', 'NOTIMP', 'FORMERR', 'SERVFAIL','YXRRSET','YXDOMAIN','NOTZONE']]


Unnamed: 0,date,srcip,-,NXDOMAIN,NOERROR,NXRRSet,REFUSED,NOTAUTH,NOTIMP,FORMERR,SERVFAIL,YXRRSET,YXDOMAIN,NOTZONE,total
0,2012-03-17,fe80::11a:f507:d853:a03d,3097.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
1,2012-03-17,fe80::3e07:54ff:fe41:3ed3,82.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
2,2012-03-17,192.168.202.91,1288.0,12.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,13.0
3,2012-03-17,192.168.23.252,0.0,0.0,0.0,6.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,6.0
4,2012-03-17,192.168.202.64,71.0,630.0,21.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,651.0
5,2012-03-17,2001:dbb:c18:202:71f3:e219:3f6a:4311,7.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
6,2012-03-17,fe80::ba8d:12ff:fe53:a8d8,252.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
7,2012-03-17,192.168.202.79,5271.0,4711.0,585.0,0.0,6.0,4.0,3.0,0.0,0.0,0.0,0.0,0.0,5309.0
8,2012-03-17,192.168.229.156,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0
9,2012-03-17,192.168.202.156,0.0,4.0,3.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,7.0


In [134]:
# Calculate proportion of NXDomain lookups
summary_df['total'] = summary_df['-'] + summary_df['NXDOMAIN'] + summary_df['NOERROR'] + summary_df['NXRRSet'] + summary_df['REFUSED'] + summary_df['NOTAUTH'] + summary_df['NOTIMP'] + summary_df['FORMERR'] + summary_df['SERVFAIL'] + summary_df['YXRRSET'] + summary_df['YXDOMAIN'] + summary_df['NOTZONE']

summary_df = summary_df[summary_df['total'] > 0] 
summary_df['NXDomain Percentage'] = (summary_df['NXDOMAIN'] / summary_df['total']) * 100

summary_df

Unnamed: 0,date,srcip,-,NXDOMAIN,NOERROR,NXRRSet,REFUSED,NOTAUTH,NOTIMP,FORMERR,SERVFAIL,YXRRSET,YXDOMAIN,NOTZONE,total,NXDomain Percentage
2,2012-03-17,192.168.202.91,1288.0,12.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1301.0,0.922367
3,2012-03-17,192.168.23.252,0.0,0.0,0.0,6.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,6.0,0.000000
4,2012-03-17,192.168.202.64,71.0,630.0,21.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,722.0,87.257618
7,2012-03-17,192.168.202.79,5271.0,4711.0,585.0,0.0,6.0,4.0,3.0,0.0,0.0,0.0,0.0,0.0,10580.0,44.527410
8,2012-03-17,192.168.229.156,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.000000
9,2012-03-17,192.168.202.156,0.0,4.0,3.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,7.0,57.142857
10,2012-03-17,192.168.23.253,0.0,0.0,0.0,3.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,3.0,0.000000
16,2012-03-17,192.168.202.143,0.0,253.0,4.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,257.0,98.443580
17,2012-03-17,192.168.27.1,0.0,0.0,0.0,18.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,18.0,0.000000
19,2012-03-17,192.168.202.88,2364.0,126.0,13.0,0.0,1666.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,4169.0,3.022308
