Active DNS Protection From DDoS Attacks

Protecting DNS From DDoS Attacks

Today, I’d like to focus on A10’s high-scale DDoS protection for DNS services, which uses the protection and filtering capabilities of the A10 Thunder® Threat Protection System (TPS™) platform. As you’ll read, it’s an important topic. Here we go.

DNS Protection Is Critical for Your Infrastructure

First, let’s state the somewhat obvious: the Domain Name System (DNS) is a key service for all internet players: infrastructure providers, application owners and internet users.

In its simplest form, DNS is like a phone book for the internet: it matches the website name a user is seeking to the correct IP address. For example, the domain name syncs with that website’s IP address to deliver the site requested. DNS eliminates the need for web users to remember a website’s cumbersome IP address, which in this example is

It’s estimated that there are more than 300 million domain names keeping billions of internet users connected. And the internet wouldn’t work without it.

The problem is, the Domain Name System has a lot of moving parts, which makes it a critical target for cyberattackers, and something organizations must protect.

Think about it: as an application owner, your investment in web-based and database service availability can be side-stepped by attacks on DNS infrastructure. Essentially, a distributed denial of service (DDoS) attack on your DNS infrastructure could render your website or your applications completely unreachable. That’s a major fail.

That’s why attackers target DNS servers: the fallout can be catastrophic. For a smart threat actor, that means a small amount of work can cause a heck of a lot of damage.

That’s why it’s increasingly important for network operators to adequately defend their DNS infrastructure and establish effective DDoS protection policies, lest they suffer the consequences.

Recursive DNS Servers vs. Authoritative DNS Servers

Protecting DNS from DDoS attacks starts with understanding the two types of DNS servers: recursive DNS servers and authoritative DNS servers.

Recursive DNS servers provide the correct IP address of the intended domain name to the host that requests it. It’s like calling the telephone operator (you know, like in the dark ages) and they look up the number for you from various sources. Recursive servers are the helper server.

Authoritative DNS servers provide answers to the recursive servers with IP mapping data of the intended website. Think of authoritative DNS servers as the catcher or receiver – they hold the information and pass it on to the recursive DNS server.

DNS as a DDoS Attack Target

The Domain Name System (DNS) can be targeted by attacks for covert resource usage or data exfiltration, but the biggest threat is DDoS attacks. If DNS is imperative for your application or website to work, knocking DNS services offline is a deathblow.

Generating a DDoS attack against DNS infrastructure is relatively simple – an attacker sends queries that look like they come from legitimate users to DNS servers, and those servers attempt to return responses. This is done at volume, often with botnets, to overwhelm DNS services.

The most common types of attacks against DNS infrastructure are network floods and resource exhaustion. During these types of DDoS attack, an attacker targets a DNS server and overpowers it with seemingly legitimate traffic, hampering its ability to process requests.

Because DNS responses may require complex processing, DNS presents unique opportunities for volumetric attacks. Additionally, DNS attack traffic can be easily spoofed because of the UDP-based transport, and spoofed attacks are difficult to detect. DNS servers can be further strained by being made to answer queries for domain names that don’t exist.

The Domain Name System (DNS) is also subject to amplification attacks due to the significant disparity in query-to-response size, and to reflection attacks that use millions of unsecured open DNS resolvers.

For example, an attacker can send a 60-byte query that generates a 6,000-byte response, and when such a query is repeated at a high rate using spoofed source IP addresses or co-opted agents, the result can be a massive DDoS attack that overwhelms the DNS service.

Network admins are challenged to implement DNS protection policies that can distinguish legitimate users from attacking agents to block nefarious activity and ensure smooth operation without disruption. That’s where A10 Thunder TPS comes in.

How A10 Helps

Thunder TPS provides multi-vector DNS DDoS protection to ensure the availability of business services at any scale. Thunder TPS delivers DDoS protection for general network attacks along with protection for DNS-specific vectors. Translation: Thunder TPS protects your network, applications and your DNS servers from those colossal DDoS attacks you’ve been reading about.

How does it do this? Thunder TPS offers source and destination-based filtering and limits; invalid and malformed packet detection; mitigation mechanisms to automatically escalate from peacetime policy through multiple levels of DDoS mitigation policy.

And when it comes to DNS-specific vectors, Thunder TPS protects on multiple fronts.

It limits random query name rates. Random query name attacks cover a number of different DNS-specific attacks, including Water Torture and Phantom Domain attacks, which are among the most common and problematic types of DNS attacks. These are particularly effective against DNS caching appliances deployed to increase performance.

Thunder TPS features UDP- and TCP-based query authentication mechanisms that allow Thunder TPS to automatically identify and mitigate sources of malicious traffic.

And, Thunder TPS restricts costly queries with limited practical utility. It also rate limits queries per domain or by DNS record type. This matters because it prevents attackers from hammering a specific domain name with queries with the aim of causing collateral damage to other domains by bringing the whole DNS server farm down. Some of A10’s hosting and DNS registrar customers have noticed that the attacker even buys a few nonsensical domain names from the provider, under a bogus company name, then hits those domain names to cause the collateral damage.
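To make the random query name detection and per-domain limits described above concrete, here is an added Python example written for this article (it is not A10’s or Thunder TPS’s own logic). It parses constructed BIND-style query log lines, scores each leftmost label by character entropy, counts queries per zone and per record type, and flags zones that exceed a random-label or per-zone query budget. The log format, the thresholds and the zone split (last two labels) are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed BIND-style query log (not real traffic): a normal zone plus one under a random-label flood.
SAMPLE_LOG = """\
client 198.51.100.7#53111: query: www.example.com IN A
client 198.51.100.7#53111: query: mail.example.com IN MX
client 203.0.113.9#40001: query: x7q2kd9a1z.victim.example IN A
client 203.0.113.9#40002: query: p0w3n5bq7r.victim.example IN A
client 203.0.113.9#40003: query: zz91kqlm4t.victim.example IN A
client 203.0.113.9#40004: query: h8dj2ks0pe.victim.example IN A
client 203.0.113.9#40005: query: q1w2e3r4t5.victim.example IN A
"""
LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\w+)")

def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def parse_query(line):
    """Return (source_ip, leftmost_label, zone, qtype), or None for non-query lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, qname, qtype = m.groups()
    labels = qname.rstrip(".").lower().split(".")
    return src, labels[0], ".".join(labels[-2:]), qtype

def zone_stats(log_text, min_len=8, min_entropy=3.0):
    """Per zone: query count, distinct random-looking labels, and per-qtype counts."""
    stats = defaultdict(lambda: {"queries": 0, "random_labels": set(), "types": Counter()})
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        _src, label, zone, qtype = parsed
        stats[zone]["queries"] += 1
        stats[zone]["types"][qtype] += 1
        # Long, high-entropy leftmost labels are the signature of water-torture floods.
        if len(label) >= min_len and label_entropy(label) >= min_entropy:
            stats[zone]["random_labels"].add(label)
    return stats

def flagged_zones(log_text, max_random_labels=4, max_queries=100):
    """Zones exceeding the random-label budget or the per-zone query budget (both heuristics)."""
    return sorted(zone for zone, s in zone_stats(log_text).items()
                  if len(s["random_labels"]) > max_random_labels or s["queries"] > max_queries)
```

In production the budgets would be tuned per zone and evaluated over a sliding time window rather than a whole log; the entropy heuristic alone will also miss attacks that use dictionary words as labels.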

Providing DDoS protection and mitigation is a key first component of operating a resilient DNS infrastructure. This was just a quick overview. If you’d like to learn more, we recently published a solution brief on this topic.

Read more about A10 Thunder TPS in our data sheet.

A10 Staff
August 28, 2017