Dissecting DNS Defences during DDoS

Recommendations for both operators and developers

The Internet Domain Name System (DNS) has been a frequent victim of DDoS attacks. Dyn, a large DNS provider, has been the target of a 1.6Tb/s DDoS fueled by the large IoT Mirai botnet. The Root DNS servers, too, have been victims of DDoS attacks several times -- the November 2015 attack was estimated at 35Gb/s.

Dissecting DNS Defences

The DNS has been designed with several defences strategies to improve availability and resilience, both on the authoritative servers side and on the recursive resolvers side.

Authoritative DNS servers (the ones that host entire zones, like the Root servers) rely heavily on replication by having name server replication and/or IP anycast. Name server replication is when multiple servers are used for the same zone, as with the root zone, which has 13 name servers. Each of them, in turn, can be further replicated using IP anycast, which allows the same IP address to be announced from multiple physical locations and enables BGP to map a client to each location.

On the recursive resolver side, caching (sometimes using multiple levels) of DNS answers and retrying queries are the two main tactics used to provide resilience.

Given that various strategies are in use, we have conducted a study to establish how the strategies affect DNS resilience and latency in the wild, exploring both the client-side DNS user experience and server-side traffic. To do that, we carried out controlled experiments using Ripe Atlas and analysed traffic from two production zones (.nl and the Roots).

Our study reached four main conclusions, which serve as recommendations for both operators and developers:

  • We found that, in the wild, caching behavior is often as expected, but about 30% of the time clients do not benefit from caching (Section 3). That observation was confirmed in both the .nl zone and the Root zones (Section 4).

  • On the recursive resolver side, caching and retries provide a significantly resilient client user experience during DDoS attacks (Section 5). Even with very heavy query loss (90%) on all authoritatives, full caches protect half of the clients, and retries protect 30%.

  • On the authoritative side, we showed that there is a large increase in legitimate traffic during a DDoS attack (up to eight times in our experiments), mainly due to retries. While DNS servers are typically heavily overprovisioned, this result suggests the need to review the level of overprovisioning (Section 6).

  • Finally, our results enable us to suggest why users have experienced relatively little impact from DDoS attacks on Root servers while the customers of some DNS providers felt the impact of attacks straight away (Section 8).

The full report (PDF) can be downloaded from both the SIDN and USC/ISI websites.

A previous version of this blog has appeared at the Ripe Atlas blog.


  • Tuesday 16 July 2019


    Travel organisations are the summer's preferred phishing target

    Phishing 520x520

    The holiday season has started

    Read more
  • Monday 27 May 2019


    Bits of Freedom makes privacy law work in practice


    My Data Done Right: a new tool for generating personal data requests

    Read more
  • Tuesday 25 September 2018


    Cybercrooks use fake websites to harvest health insurance data


    SIDN identifies more than 450 phishing sites exploiting health insurers' brand familiarity

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.