On DNS and DDoS

The global DNS infrastructure provides the critical function of mapping seeming random sets of numbers in IP addresses (like to a name that an Internet consumer may recognize (like www.myfavoritestore.com).   To scale to a global level, the DNS system was designed as a multi-level reference network that would allow any user on the Internet to query a set of servers that will iteratively find where a specific domain is owned and get the name to IP address mapping from that location.  To accomplish this, it is made up of root servers controlling top level domains such as .com, .gov, and .org, Global Top Level Domains (TLDs) controlling regional domains such as .br, .fr and .uk, authoritative servers controlling specific domains such as myfavoritestore.com and a very large group of recursive resolvers that end user systems connect to.  A query from a user for a domain name would be sent to a recursive resolver and that resolver would work with the root, GTLD and varying levels of authoritative servers to track down the DNS authoritative server responsible for the domain from which it would receive a DNS reply.  This is a very high level and simplified representation of the most common way that DNS is used.

There are a number of security considerations that need to be taken into account relative to DNS.   DDoS attacks are a major threat to the availability of the DNS network.  DDoS attacks against recursive DNS servers may shut down DNS resolution regionally for a network (such as an ISP or cable modem provider) where none of their users would be able to resolve domain names at all.

DDoS attacks against authoritative domains may shut down DNS resolution for a specific domain name (like www.myfavoritestore.com) or a group of domains. The recent attack on Dyn is an example of this type of threat.

DDoS attacks against a root or GTLD system could impact all domains for a country or even an entire class of domains (like .com).  In December 2015, there was a large DDoS attack against the DNS servers responsible for the Turkish domain “.tr”.  The attack was a flooding attack which resulted in the DNS servers becoming unresponsive and therefore unable to respond to DNS queries for websites within the .tr domain.   This was in many ways more effective than attacking the websites directly because by taking down the DNS servers, most users were unable to resolve the name of the website to the actual IP address, leaving them unable to access the websites”. (http://www.dailydot.com/layer8/turkey-ddos-attack-tk-universities/)

It is highly recommended that operators of DNS put measures in place to protect against DDoS attacks. The following chart illustrates the number of misuse events targeting either TCP port 53 or UDP port 53 since the beginning of the year (DNS Servers may listen on TCP Port 53 as well as UDP Port 53). The data comes from Arbor SP systems deployed around the globe and is provided in two-week increments.  For example, there were 6,490 events targeting either TCP/53 or UDP/53 January 4th-17th. 9,300 events January 18th-31st and so on:


In total, over 337,000 such events since the beginning of the year with over 8,000 per week on average.

The original implementation of DNS was built around implicit trust across most of the components.  Recursive resolvers would trust users connecting to it.  Root, GTLD and authoritative servers would trust queries sent to them and the content of the queries would be trusted for the most part.  This trust leads to a number of Integrity and availability issues.  DNS resolvers are often used as reflection/amplification points for DDoS attacks because of this trust nature.  Attackers spoof victim IP addresses in sending DNS queries to open resolvers so that the response, which may be 25-50x the size of the original query, is sent to the victim server.  Statistics from https://dnsscan.shadowserver.org/ since July 4th show that there were about 9.7M (million) open recursive servers on the Internet. The trust around content of DNS queries allows both for amplification as explained previously and for the ability for attackers to send DDoS attacks made up of a large flood of garbage queries, such as www.123456789myfavoritestore.com, towards authoritative servers.

This post was authored by Carlos Morales and Steinthor Bjarnason.

Comments are closed.