Anatomy of a DDoS Attack against the DNS

The Domain Name System (DNS) is part of the functional infrastructure of the Internet and part of the Internet’s “trust” framework. Without nameservers, the huge investments in hardware, software and applications that organizations make cannot be found or reached by customers. Because the DNS is such a key piece of infrastructure, it is often targeted by malicious actors. Distributed Denial of Service (DDoS) attacks that target or abuse the DNS are a specific class of DDoS attack that exploits weaknesses in how the DNS is deployed. This whitepaper explains how this type of attack works and what an organization can do about it.


Anatomy of a DDoS attack


The Domain Name System (DNS) is the core backbone of the Internet: by way of resource records it maps human-readable hostnames to IP addresses. It is essential to the operation of the Internet because it lets people use logical, readable names for locations rather than raw IPv4 or IPv6 addresses. It also provides mappings for mail servers, SIP servers, redirects, digital signatures and more. The DNS is a distributed database organized as a tree of interconnected nodes (servers or server clusters), where each node holds a partition of the database. Each node is delegated to a designated authority, and there can be only one authority for a node or group of nodes. The DNS is a critical part of the Internet’s trust framework and functionality, and as such it is a frequent target for malicious activity.


Before getting into the mechanics of a DNS-based DDoS attack, it is worth noting that these attack scenarios apply generically: the same techniques can be turned against a nameserver, an application server or a web server. A DNS DDoS attack typically combines three elements from the attacker’s toolkit: spoofing, reflection and amplification. Spoofing means forging the source IP address of a query so that it appears to come from the victim. Reflection means sending those spoofed queries to third-party servers, typically many open DNS resolvers, so that their responses are “reflected” toward the victim and the attack traffic appears to come from legitimate nameservers. Amplification comes in when the reflecting server answers a relatively small query with a much larger response, multiplying the attacker’s bandwidth. Whether the goal is to saturate a nameserver or to flood some other target, the attack is distributed across as many open resolvers as the attacker can find.

How a DDoS attack works.  An attacker recruits botnets and open recursive resolvers to launch an attack on the authoritative name server.

In the case of the DNS, the problem is compounded because a very small query (under 100 bytes) can be amplified fifty-fold or more, so that each query generates thousands of bytes in response. Let’s look a little closer. An attacker who wants to flood a target first plants, or finds, an “amplification record” (a name whose answer is very large) on an authoritative server that they control or have compromised. The attacker then has every zombie in the botnet send queries for that record to open recursive resolvers, each query carrying the spoofed source address of the target. The first time a given resolver sees the name it fetches the record from the attacker’s authoritative server and caches it; after that it answers from cache, so the attacker’s own server is contacted only once per resolver. Each open resolver believes it is replying to the host that sent the query, but because the source address was spoofed, the large response goes to the target instead. The target never issued a request, yet it is bombarded with responses from thousands of legitimate resolvers, which makes the traffic hard to filter by source. Making matters worse, because the amplified response is larger than a single network packet, it is broken into IP fragments that have to be buffered and reassembled at the destination, putting further strain on the target.

Anatomy of a DDoS attack where the DNS server is used to reflect an attack against the target.

There is another scenario, which we will call amplifier exhaustion. It occurs when the organization is not the target of the attack but an unwitting accomplice: its nameservers are being used to reflect an attack on someone else’s server, and in the process the bandwidth or resources of those nameservers are consumed. Maintaining a good DNS architecture is important because it helps protect the organization while also ensuring that it is a good Internet citizen.
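To make the mechanics of reflection, amplification and fragmentation concrete, the following Python script (added here as an illustration; it is not code from this whitepaper or from any DNS vendor) builds a DNS query in wire format, parses a response, and computes the amplification factor and the number of IPv4 fragments the victim has to reassemble. It also classifies a resolver as open or closed from the response flags, which is the check an operator can run from outside their own network to confirm their nameservers are not unwitting amplifiers. The use of example.com, the eight 255-byte TXT records in the constructed response, and the REFUSED reply are assumptions; no real server is contacted unless query_server is called.

```python
"""Wire-level view of DNS reflection and amplification, added here as an illustration.
This is not code from the whitepaper or from any DNS vendor: the query builder, the
response parser, the REFUSED check and the sample 'example.com' TXT answer are constructed."""
import math
import socket
import struct

QTYPE_TXT, QTYPE_ANY, RR_OPT = 16, 255, 41
RCODE_REFUSED = 5

def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS label format ('a.b' -> b'\\x01a\\x01b\\x00')."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(qname: str, qtype: int, txid: int = 0x1234, udp_size: int = 4096) -> bytes:
    """One-question query with RD=1 and an EDNS0 OPT record advertising a large UDP buffer,
    which is what lets a reflector return a multi-kilobyte answer over UDP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)      # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", RR_OPT, udp_size, 0, 0)  # root name, type OPT, no rdata
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg: bytes) -> dict:
    """Header flags plus (type, rdlen) for every RR in the message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    rrs = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rrs.append((rtype, rdlen))
    return {"txid": txid, "rcode": flags & 0xF, "ra": bool(flags & 0x0080),
            "tc": bool(flags & 0x0200), "answers": an, "rrs": rrs, "size": len(msg)}

def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the reflector emits toward the victim per spoofed byte the attacker sent."""
    return round(len(response) / len(query), 1)

def ipv4_fragments(response: bytes, mtu: int = 1500) -> int:
    """A UDP datagram larger than MTU minus the 20-byte IPv4 header is fragmented;
    the victim must buffer every fragment until the whole datagram can be reassembled."""
    return math.ceil((8 + len(response)) / (mtu - 20))

def classify_resolver(parsed: dict) -> str:
    """An open recursive resolver answers a recursive query for a zone it does not serve
    with RA=1 and an answer; a resolver closed to outside clients returns REFUSED."""
    if parsed["rcode"] == RCODE_REFUSED:
        return "closed"
    if parsed["ra"] and parsed["answers"] > 0:
        return "open recursive"
    return "unknown"

def _question_section(query: bytes) -> bytes:
    return query[12:_skip_name(query, 12) + 4]

def constructed_txt_response(query: bytes, n_records: int = 8) -> bytes:
    """Assumed reflector answer: n_records TXT RRs of 255 bytes each, the kind of
    'amplification record' an attacker plants in a zone under their control."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, n_records, 0, 1)   # QR AA RD RA
    rdata = b"\xff" + b"A" * 255
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", RR_OPT, 4096, 0, 0)
    return header + _question_section(query) + rr * n_records + opt

def constructed_refused_response(query: bytes) -> bytes:
    """Assumed answer from a resolver that refuses recursion for outside clients."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0) + _question_section(query)

def query_server(server: str, qname: str, qtype: int = QTYPE_ANY, timeout: float = 3.0) -> bytes:
    """Send one UDP query and return the raw answer. Point it only at servers you operate,
    e.g. from outside your network to confirm your own resolver is not open."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qtype), (server, 53))
        return sock.recvfrom(65535)[0]

if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    r = constructed_txt_response(q)
    print(f"{len(q)}-byte query -> {len(r)}-byte response: x{amplification_factor(q, r)}, "
          f"{ipv4_fragments(r)} IPv4 fragments, {classify_resolver(parse_response(r))}")
```

With the constructed answer, a 40-byte query draws a 2184-byte response (roughly 55x), which no longer fits in one 1500-byte Ethernet frame and arrives at the victim as two IPv4 fragments. To test your own resolver, run `classify_resolver(parse_response(query_server("<your resolver>", "example.com")))` from a host outside your network: anything other than "closed" means the server will answer recursive queries for strangers and can be used as a reflector.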


Several players in the industry are trying to get the (tens of millions of) open recursive DNS resolvers cleaned up by identifying the networks that host them and getting the resolvers shut down or closed to outside queries. This is an extremely challenging global problem, caused by the inadvertent behaviour of both individuals and corporations. Rather than waiting for the global issue to be solved, there is a more immediate and active response an IT department can take: add capacity and redundancy to its DNS. One tool for building out the DNS infrastructure is anycast. Anycast DNS lets an organization deploy a set of DNS servers across the globe that all announce the same IP address, so that each query is routed to the topologically closest server (which is usually, but not always, the geographically closest one). Because of this, an attack against one node only impacts customers in that node’s catchment. Maintaining two or more anycast clouds on separate infrastructure and network connectivity provides further in-region redundancy and helps mitigate the impact of an attack or other outage.

In addition to helping with the global risk, if a business has a large domestic component then placing a few high-bandwidth international nodes can help protect its local traffic from an attack that originates offshore. Why? Because attack traffic, like any other traffic, is routed to the node closest to its source, so a global attack is soaked up by the offshore nodes, leaving the domestic ones unaffected. Even if a global node is brought down, by the time the attack moves to a new node the old one can be back online. In effect it becomes a worldwide game of whack-a-mole against the DNS nodes that were not serving your most important market or region anyway. The caveat is that the offshore nodes must be sized to absorb the attack: if a saturated node simply withdraws its route, the attack follows the traffic to the next closest node rather than staying put.
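The following Python simulation (added as an illustration; it is not code from this whitepaper or from any DNS provider) models the unicast-versus-anycast argument of the last two paragraphs: traffic from each region lands on the closest node announcing the address, a node whose attack load exceeds its capacity fails, and a region is served only if its closest node is healthy. The regions, node names, capacities, latencies and attack volumes are constructed assumptions. It distinguishes the two ways a saturated anycast node can behave, staying announced (so the attack stays pinned to it) or withdrawing its route (so the attack moves on and can cascade), and it shows how a second cloud on separate infrastructure keeps service up while the first cloud’s address is under attack.

```python
"""Toy simulation of the unicast-versus-anycast argument in this whitepaper, added as an
illustration; it is not code from the paper or from any DNS provider. Regions, nodes,
capacities, latencies and attack volumes are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    capacity_gbps: float
    latency_ms: dict  # region -> assumed RTT; stands in for the BGP path that selects the node


REGIONS = ["CA", "US", "EU", "ASIA"]
UNICAST = [Node("tor", 10, {"CA": 5, "US": 20, "EU": 90, "ASIA": 200})]
CLOUD_A = UNICAST + [Node("ams", 40, {"CA": 100, "US": 90, "EU": 10, "ASIA": 150}),
                     Node("sgp", 40, {"CA": 200, "US": 180, "EU": 160, "ASIA": 15})]
CLOUD_B = [Node("mtl", 10, {"CA": 8, "US": 25, "EU": 95, "ASIA": 205}),   # separate infrastructure
           Node("fra", 40, {"CA": 105, "US": 95, "EU": 12, "ASIA": 155})]
ATTACK = {"ASIA": 50, "EU": 20}   # Gbps of reflected traffic per source region, aimed at one address


def nearest(announcing, region):
    """The node that traffic from `region` reaches: the closest one still announcing the prefix."""
    return min(announcing, key=lambda n: n.latency_ms[region]) if announcing else None


def simulate(nodes, attack_gbps, regions, withdraw_on_overload):
    """Return (served_regions, failed_nodes).

    With withdraw_on_overload=False a saturated node keeps announcing, so clients in its
    catchment lose service but the attack stays pinned to it (the 'soaked up' case).
    With True the node withdraws its route and the attack follows the traffic to the next
    closest node, which cascades when the remaining nodes lack headroom."""
    announcing = list(nodes)
    healthy = {n.name for n in nodes}
    while True:
        load = {n.name: 0.0 for n in announcing}
        for region, gbps in attack_gbps.items():
            target = nearest(announcing, region)
            if target is not None and target.name in healthy:
                load[target.name] += gbps
        overloaded = [n for n in announcing if n.name in healthy and load[n.name] > n.capacity_gbps]
        if not overloaded:
            break
        for n in overloaded:
            healthy.discard(n.name)
            if withdraw_on_overload:
                announcing.remove(n)
    served = set()
    for region in regions:
        target = nearest(announcing, region)
        if target is not None and target.name in healthy:
            served.add(region)
    return served, sorted({n.name for n in nodes} - healthy)


def served_with_two_clouds(cloud_a, cloud_b, attack_on_a, regions, withdraw_on_overload):
    """Two NS addresses on separate infrastructure: resolvers retry the other address, and an
    attack aimed at cloud A's address never reaches cloud B."""
    served_a, _ = simulate(cloud_a, attack_on_a, regions, withdraw_on_overload)
    served_b, _ = simulate(cloud_b, {}, regions, withdraw_on_overload)
    return served_a | served_b


if __name__ == "__main__":
    for label, nodes in (("unicast", UNICAST), ("anycast", CLOUD_A)):
        for withdraw in (False, True):
            served, failed = simulate(nodes, ATTACK, REGIONS, withdraw)
            print(f"{label:8} withdraw={withdraw!s:5} served={sorted(served)} failed={failed}")
    print("two clouds:", sorted(served_with_two_clouds(CLOUD_A, CLOUD_B, ATTACK, REGIONS, True)))
```

Under these assumptions the single unicast node loses every region; the anycast cloud whose saturated node stays announced loses only the ASIA region while the domestic Canadian and US customers are unaffected; the same cloud with route withdrawal loses everything, because the 50 Gbps attack rolls from sgp to ams to tor; and adding the second cloud restores service everywhere. The practical lesson is that offshore nodes must be sized for the attack they are meant to absorb, not just for their normal query load.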


Anycast versus unicast, showing how with unicast a single attacker can bring down the website.

A global company may elect to run one or more anycast clouds of its own to serve its markets. This involves placing infrastructure and redundancy in corporate datacenters or branch offices. For very large companies this approach may be preferred because it gives a high degree of control over the deployment. However, it is costly, and when enterprise-class equipment is dedicated to the DNS the service is often over-provisioned, which is a non-optimal use of resources.

Alternatively, organizations can outsource their DNS to a DNS service provider. In that case the DNS runs on equipment shared with other companies, but it can be protected by enterprise-class SLAs and service. And finally, because of the way anycast is architected, there is the option to combine in-house infrastructure with one or more best-of-breed secondary providers, so that the zone is served both by the in-house nameservers and by the provider’s anycast cloud. This provides redundancy and capacity for organizations where access to the website is critical.

Learn how you can put the D-Zone Anycast DNS service to work for your organization.