Any way to see what names NXDOMAIN is issued for?

I’ve recently moved DNS for a domain to cloudflare - eventually the plan is to use the WAP in front of several services. Right now, the account is on the ‘free’ plan and I’m doing ‘dns-only’ for all the important addresses. I’m doing it this way to make migration smoother and more predictable.

For historical reasons, the domain had a DNS wildcard *.example.com. Those historical reasons are long past, and when I changed nameservers to cloudflare, I didn’t include the wildcard record. Looking at a few weeks of query logs on my very old servers, I thought I had a good list of all the domain names I needed to support with no wildcard.

Over the weekend, I discovered one more and have added a CNAME for it.

I can see the NXDOMAINs are still happening sporadically (analytics->DNS) for some hostnames, which are probably names that shouldn’t exist, but I can’t tell from that data. Is there some way to see what names are being queried for that are generating these NXDOMAIN responses? It may be that there is some infrequently used name that I need to support who’d failure is non-obvious (e.g. over the weekend our monitoring system tried to send email from a non-existent hostname, getting blocked by some spam engines).

Can I see the queries that generate the NXDOMAIN responses for my domains?

You are looking for DNS Analytics:

https://dash.cloudflare.com/?to=/:account/:zone/analytics/dns

There is a blog post from a few years ago here:

Perhaps I’m missing something. That is where I’ve already been looking (analytics->choose a domain-> dns).

All I get is a graph that shows # of successful and # of nxdomain queries with not additional info.

Is this because I’m on a free plan with the domain?

From that blog post, I only get the top graph, not anything that shows below it…

It seems to just be for enterprise customers.

If you are an enterprise customer and you want to know what all the NXDOMAIN queries are, just scroll down a little bit where we show you the top queries for your domain and top queries for your domain for DNS records that don’t exist (aka top NXDOMAIN queries).

Sorry, didn’t realise this was a paid for feature.

Best solution I can think of would be to reinstate your catchall web server and monitor the logs for a while. That won’t catch things like mail servers trying to verify existence of a hostname in DNS. Perhaps you have your old DNS logs?

Unfortunately these are email servers. I did collect stats about names used to connect for several weeks, but missed at least one that I know of.

Thanks for your ideas.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.