
The Power of Names

The Criticality of DNS DDoS Defense in an Interconnected World

by Roland Dobbins, Richard Hummel

Introduction

We've always pondered the origins of the universe and the underpinnings of our cosmos. In his book Our Mathematical Universe, Max Tegmark postulates that the mere existence of our universe, its laws of nature and physical constants, and the interconnectivity of everything within it constitute the fabric of our reality. In other words, the inherent properties of our universe and their relationship to one another themselves constitute its definition. In his book, Tegmark uses the analogy of a postal code—a seemingly mundane, yet apt metaphor for this most profound of concepts.

This metaphor applies to the "inter-"net as well: inherent in its very name, interconnectedness is its raison d'être. In particular, it is the control plane of the internet, consisting of the Border Gateway Protocol (BGP) and the Domain Name System (DNS), which makes the "inter-" part of the internet possible. BGP ensures that packets can get from clients to servers and vice-versa, while DNS ensures that applications, services, and the people who utilize them know where they're destined, providing a mapping between esoteric-seeming IP addresses such as 172.19.254.21 or 2001:DB8:1234:0:A1EA:A004:4001:53C8 and human-friendly names like www[.]example[.]com.

This process is accomplished by the interaction of the two broad categories of DNS servers: authoritative DNS servers and recursive DNS servers.

Authoritative DNS servers maintain the actual mapping between IP addresses and human-friendly names for internet servers, applications, services, and other online resources which are associated with organizational DNS domains such as example.com, example.net, etc. Without them, locating and accessing the online presence and resources of a given organization is well-nigh impossible for ordinary users. They are either owned and operated directly by organizations in order to enable access to their online properties, or are operated on their behalf by authoritative DNS hosters.

Recursive DNS servers issue queries to authoritative DNS servers on behalf of user workstations, mobile phones, gaming consoles, and other types of devices in order to discover the IP addresses of the internet servers, applications and services they wish to access. These recursive DNS servers are typically maintained and operated by broadband access ISPs and enterprises in order to provide DNS name resolution services for their end-customers, although some well-known public recursive DNS services such as Google DNS, Quad9, OpenDNS, etc. are provided to the entire internet user base free of charge.

As DNS name resolution services are required both to maintain an internet presence as well as to access online resources, both authoritative and recursive DNS servers are frequently the target of disruptive DDoS attacks; and as is the case with so many types of online services, undefended DNS servers can also be abused to launch DDoS attacks against any organization on the internet, including that of their owners and operators.

Attacks Against Authoritative DNS Servers

Adversaries wishing to disrupt access to internet-facing applications, services, or content frequently launch DDoS attacks against the platforms and infrastructure directly involved in making them available on the internet. Likewise, organizations defending against DDoS attacks usually focus on protecting those obvious elements of the service delivery chain. However, skilled attackers understand that preventing legitimate users from resolving the DNS names of the properties they wish to access can be just as effective at rendering them inaccessible, especially given that defenders often neglect to include the authoritative DNS servers for their domains in their DDoS defense plans.

If there is no functional authoritative DNS service, there will be no internet presence for the targeted organization. Sales, support, supply chains, email, VPN access, extranet connectivity, and brand reputation are all impacted by these attacks. The entire organization is essentially knocked off the internet, and will remain that way until the attack is mitigated, or the attacker eventually pauses after achieving the intended effect.

And if the authoritative DNS service of the targeted organization is provided by a DNS registrar or other authoritative DNS hoster, a successful attack can affect not only the intended target of that attack, but tens or even hundreds of thousands of unrelated organizations relying on the same authoritative DNS provider.

Recursive DNS Servers Can Be Targets, Too

All users of broadband internet providers, as well as personnel of enterprise organizations, rely on recursive DNS servers to perform name resolution services on their behalf—it's difficult to log into the office VPN server if the name cannot be resolved, or to access a search engine by IP address alone. Once again, if there is no recursive DNS service, there is no internet access, and thus no way to use the internet to perform one's job functions, much less engage in everyday activities such as calling friends and family, watching movies, paying bills, ordering groceries, arranging transportation, or playing games.  

This means that attackers wishing to disrupt the internet access of targeted organizations (or even individual users!) don't necessarily have to make use of pipe-filling volumetric DDoS attacks. Instead, by successfully attacking the target's recursive DNS infrastructure, they can use far fewer resources to effectively shut down the internet (and intranet, in many cases) access of the targeted user base. When the recursive DNS infrastructure of broadband Internet Service Providers (ISPs) is attacked in this manner, the collateral damage footprint can be enormous, scaling into the hundreds of thousands or even millions of affected users.

These attacks often cause considerable negative impact to both the authoritative DNS servers, whose records are being repeatedly queried, as well as legitimate users of open DNS recursive servers employed as reflectors/amplifiers.

Weaponizing the DNS

Authoritative DNS servers aren't just the targets of attacks; they themselves can be leveraged to attack the DNS servers of their intended targets, or even to completely saturate the peering and transit links of large ISPs and enterprises alike, completely disrupting all forms of internet traffic. Attackers identify large DNS records and repeatedly issue queries for those records while spoofing the IP addresses of their targets, commonly abusing misconfigured, open recursive DNS servers to drastically increase the impact of these DNS reflection/amplification attacks (Figure 1).

Figure 1: DNS Reflection/Amplification Attacks Since 2019

Abusable recursive DNS servers are also constantly employed in DNS query-flood attacks (Figure 2) against those authoritative DNS servers, with DNS Water Torture attacks (Figure 3) being the most popular DDoS vector in this context. These attacks consist of sending high rates of pseudorandomly-generated or dictionary-driven queries for nonexistent records to the authoritative DNS servers of the targeted organization. This form of attack is particularly effective because it both defeats DNS caching mechanisms incorporated into the authoritative DNS infrastructure and forces the authoritative DNS servers under attack to generate huge amounts of negative DNS answers, known as NXDOMAIN responses.

Figure 2: DNS Query Flood Attacks Since 2019

Figure 3: DNS Water Torture Attacks Since 2019
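
The water torture pattern described above leaves a recognizable trace in an authoritative server's query log: within a short window, almost every query for a zone is for a name never seen before, and almost every answer is NXDOMAIN. The following detection sketch is an added example, not code from the authors or their products; the record layout, function names, and thresholds are assumptions, and the sample log is constructed.

```python
import hashlib
from collections import defaultdict

def zone_of(qname, zones):
    """Longest configured zone that qname falls under, or None."""
    name = qname.rstrip(".").lower()
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

def detect_water_torture(records, zones, window=60, min_queries=20,
                         nx_ratio=0.8, unique_ratio=0.9):
    """Flag (zone, window) buckets dominated by unique NXDOMAIN names.
    records: (epoch_seconds, qname, rcode) from an authoritative query log.
    Uniqueness, not label entropy, so dictionary-driven floods also match.
    Thresholds are assumptions to tune per zone."""
    buckets = defaultdict(list)
    for ts, qname, rcode in records:
        zone = zone_of(qname, zones)
        if zone is not None:  # ignore names outside the zones we serve
            buckets[(zone, ts - ts % window)].append((qname.lower(), rcode))
    alerts = []
    for (zone, start), rows in sorted(buckets.items()):
        total = len(rows)
        if total < min_queries:  # too little traffic to judge
            continue
        nx = sum(1 for _, rc in rows if rc == "NXDOMAIN") / total
        uniq = len({q for q, _ in rows}) / total
        if nx >= nx_ratio and uniq >= unique_ratio:
            alerts.append({"zone": zone, "window_start": start,
                           "queries": total, "nxdomain_ratio": nx,
                           "unique_ratio": uniq})
    return alerts

def constructed_sample():
    """Constructed log: one ordinary minute, then one flood minute."""
    rows = []
    for i in range(40):  # ordinary: repeated real names, occasional typo
        if i % 10 == 9:
            rows.append((1200 + i, "wwww.example.com", "NXDOMAIN"))
        else:
            rows.append((1200 + i, ["www", "mail", "api"][i % 3] + ".example.com", "NOERROR"))
    for i in range(40):  # flood: a new nonexistent label on every query
        label = hashlib.sha256(str(i).encode()).hexdigest()[:12]
        rows.append((1260 + i, label + ".example.com", "NXDOMAIN"))
    return rows

if __name__ == "__main__":
    for alert in detect_water_torture(constructed_sample(), ["example.com"]):
        print(alert)
```

The ordinary minute contains a few NXDOMAIN typos but is not flagged, because its names repeat; only the window where both ratios are high raises an alert.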

Similarly to authoritative DNS servers abused in reflection/amplification attacks, recursive servers leveraged in those attacks or in DNS water torture attacks are themselves negatively impacted by the attack traffic, often leading to widespread collateral internet outages for ISPs, enterprises, and individual users that are not the intended targets of the attack, but are nevertheless caught up within its collateral damage footprint.

To illustrate the impact of just one of the previously mentioned attack methods, the data in Figure 4 shows the maximum queries-per-second (QPS) we observed for just DNS query floods, and how devastating some of these attacks can become. And while there are always absolute peaks, the overall trend is that these types of attacks are increasing in impact as time progresses.

Figure 4: DNS Query Flood Maximum Queries-Per-Second (QPS)

It should also be noted that DDoS attacks against DNS servers aren’t limited to only DNS-specific attacks. Any type of packet can be used to launch DDoS attacks, and DNS servers are routinely attacked with SYN-floods, ACK-floods, NTP reflection/amplification attacks, and even DNS reflection/amplification attacks (which can be challenging for operators of recursive DNS servers who do not have adequate capabilities to distinguish amplified attack traffic sourced from abusable DNS reflectors/amplifiers from legitimate, solicited DNS responses). This means that all Best Current Practices (BCPs) such as recommended DNS architectural practices, enforcement of appropriate network access control policies, ensuring recursive DNS servers can’t be abused as reflectors/amplifiers, et al. must be implemented by operators of DNS services.

Mission-Critical DDoS Defense for DNS Servers 

Along with adherence to sound architectural, scaling, and operational best current practices (BCPs), both authoritative and recursive servers must be defended against DDoS attacks. Enterprises, ISPs, cloud and VPS providers, authoritative DNS hosters, VoIP providers, online gaming operators, and every other type of internet-connected organization are all dependent on functional and resilient DNS services for their ability to exist on the internet.  

In particular, the duality of DNS services as both a target and an enabler of DNS DDoS attacks requires that organizations partner with DDoS solution providers that have not only a thorough understanding of their own offerings, but also proven expertise and experience in successfully defending DNS infrastructure from attack at internet scale, as well as an understanding of all the nuances and implications of DNS architecture and operations as the cornerstone of a resilient internet presence and global service delivery chain.
