[dns-operations] solutions for DDoS mitigation of DNS

Klaus Darilion klaus.mailinglists at pernau.at
Thu Apr 2 10:43:16 UTC 2020

Am 02.04.2020 um 05:51 schrieb Tessa Plum:
> Hello Paul
> We were under some attack like UDP flood to the authority servers, there 
> were a lot of UDP requests flooding to the servers. The traffic size was 
> about 20Gbps last time as I have said in last message. The clients seem 
> using spoofed IP addresses.

Was it a) just some DNS traffic filling the upstream bandwidth, or was 
it b) legitim DNS requests to existing domains (or ie random subdomains)?

For a) you can use any DDoS Mitigation used for any service.

For b) you need some advanced techniques, ie. filtering with dnsdist, or 
if you can detect some pattern to identify the DDoS packets, you can use 
BPF filter to filter out such traffic bevor hitting your name server.

So what was the bottleneck? I.e. if you use PowerDNS with DB backend you 
quite early hit the limit with random subdomains, which are not a 
problem if you use NSD for example. To mitigation such traffic patterns 
for example we use dnsdist with 2 backends, PowerDNS for nomarl zones 
and NSD for zones which are quite often under attack.


More information about the dns-operations mailing list