DNS DDoS protection

DNS is one of the most frequent targets of DDoS attacks: if an attack succeeds, the entire domain, including web and other services, can become unavailable. In addition, DNS servers are often abused as reflectors in reflection and amplification attacks.

DNS services are typically required to operate over UDP, which allows attackers to spoof source IP addresses and launch large-scale attacks. In such cases, attackers may even spoof the addresses of legitimate clients, so an inaccurate DDoS mitigation solution can end up blocking real users and exacerbating the impact of the attack.

One common practice for mitigating DNS DDoS attacks is to increase TTL values. See, for example, "Mitigating DoS Attacks against the DNS with Dynamic TTL Values", J. Molsa, 2004, which describes server-side techniques for this approach.

Tempesta xFW protects both authoritative and recursive DNS servers. Recursive servers are protected from being abused as reflection proxies as well as from targeted attacks.

The following static rules are applied when DNS mitigation is enabled.

• Drop queries with a non-zero RCODE field in the DNS header.
• Drop queries that contain an authority section.
• Drop queries that contain answer records, except for Incremental Zone Transfer (IXFR) queries.
• Drop queries with more than two additional sections.

The following static rules are applied to ingress DNS response packets (non-queries):

• Drop DNS responses with a TTL of zero or greater than 604,800 seconds. RFC 8767 §4 defines a zero TTL as a meaningful value, but requires recursive servers to use values greater than zero. An authoritative server has no valid reason to return a zero TTL, making it anomalous in this context.
• Drop ingress responses for which no corresponding outgoing query was observed.
• Drop responses with a packet size larger than 4,096 bytes (RFC 6891 §6.2.5).
• Drop responses with more than 100 answer records.