Dissecting DNS Defences during DDoS

Recommendations for both operators and developers

The Internet Domain Name System (DNS) has been a frequent victim of DDoS attacks. Dyn, a large DNS provider, has been the target of a 1.6Tb/s DDoS fueled by the large IoT Mirai botnet. The Root DNS servers, too, have been victims of DDoS attacks several times -- the November 2015 attack was estimated at 35Gb/s.

Dissecting DNS Defences

The DNS has been designed with several defences strategies to improve availability and resilience, both on the authoritative servers side and on the recursive resolvers side.

Authoritative DNS servers (the ones that host entire zones, like the Root servers) rely heavily on replication by having name server replication and/or IP anycast. Name server replication is when multiple servers are used for the same zone, as with the root zone, which has 13 name servers. Each of them, in turn, can be further replicated using IP anycast, which allows the same IP address to be announced from multiple physical locations and enables BGP to map a client to each location.

On the recursive resolver side, caching (sometimes using multiple levels) of DNS answers and retrying queries are the two main tactics used to provide resilience.

Given that various strategies are in use, we have conducted a study to establish how the strategies affect DNS resilience and latency in the wild, exploring both the client-side DNS user experience and server-side traffic. To do that, we carried out controlled experiments using Ripe Atlas and analysed traffic from two production zones (.nl and the Roots).

Our study reached four main conclusions, which serve as recommendations for both operators and developers:

  • We found that, in the wild, caching behavior is often as expected, but about 30% of the time clients do not benefit from caching (Section 3). That observation was confirmed in both the .nl zone and the Root zones (Section 4).

  • On the recursive resolver side, caching and retries provide a significantly resilient client user experience during DDoS attacks (Section 5). Even with very heavy query loss (90%) on all authoritatives, full caches protect half of the clients, and retries protect 30%.

  • On the authoritative side, we showed that there is a large increase in legitimate traffic during a DDoS attack (up to eight times in our experiments), mainly due to retries. While DNS servers are typically heavily overprovisioned, this result suggests the need to review the level of overprovisioning (Section 6).

  • Finally, our results enable us to suggest why users have experienced relatively little impact from DDoS attacks on Root servers while the customers of some DNS providers felt the impact of attacks straight away (Section 8).

The full report (PDF) can be downloaded from both the SIDN and USC/ISI websites.

A previous version of this blog has appeared at the Ripe Atlas blog.


  • Thursday 29 March 2018


    News media have work to do


    When it comes to domain name security, the news media are not doing well.

    Read more
  • Thursday 17 May 2018


    Hackman campaign launched to raise awareness of on-line security


    Ethical hacker Rickey Gevers takes on the challenge of hacking Lieke van Lexmond

    Read more
  • Tuesday 20 November 2018


    Plenty of scope for improving the government's on-line activities


    Government services less popular with smartphone users

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.