DNS name resolution services are required both to maintain an internet presence as well as to access online resources. The Domain Name System, or DNS, which serves as the Internet’s address book, maps human-friendly names into IP addresses so that devices, applications, and services know how to find one-another. It is one of the core Internet services enabling the communications we take for granted countless times each day.

However, both authoritative and recursive DNS servers are frequently the target of disruptive DDoS attacks, and undefended DNS servers can also be abused for reflection-amplification DDoS attacks against any organization on the Internet, including that of their owners and operators.

Protecting the availability of DNS is key for any organization providing services or content across the Internet. If the DNS infrastructure is unavailable or slow, services depending on it will be impacted. This is why DNS infrastructure DDoS protection and mitigation are imperative to keeping these services available.

Detect, Alert, Update Blocking, and Analyze
Click to enlarge image

Defending DNS with Adaptive DDoS Protection

NETSCOUT has visibility into 50+ percent of all Internet traffic, seeing tens of millions of attacks per year. This threat data is collected in our ATLAS Threat Intelligence system which currently tracks over 1.3 million bots and 500,000 known abusable reflection and amplification systems actively participating in DDoS attacks around the globe.

Knowing the active DDoS participants provides faster detection of attacks, including those that may be below detectable thresholds. This allows for more specific mitigation capabilities instead of the broad, uninformed mitigation used once an attack is detected.  

As DDoS attacks transform either through alternating attacking infrastructure, or a shift in the vectors of an attack, this transformation is tracked and mitigation follows it, learning as it progresses.

The intelligence of knowing the threat landscape, informing detection and mitigation, and learning as attacks transform is Adaptive DDoS Protection, which is paramount in providing precise and effective DNS DDoS mitigation.

DNS-Specific DDoS Mitigations

DNS zone validation

Only allow requests for valid DNS records to pass while other requests are caught by mitigation.

DNS authentication

Attempt to upgrade DNS to use TCP connections. Valid requesting clients will respond, while spoofed attackers and reflectors will not.

DNS malformed traffic detection

Blocks any DNS traffic that does not conform to RFCs.

DNS regex matching

Identify common patterns in DNS payloads to block or pass requests.

DNS and NXDOMAIN rate limiting

Limit individual client request rates when under a Water Torture or other DNS attack.

Protecting the Service that Enables the Internet

NETSCOUT Arbor DDoS Solutions provide detection and mitigation capabilities for any organization at any scale. Protect your DNS services from all types of attacks before user experience can be impacted.

Adaptive DDoS Protection

Adaptive DDoS Protection uses machine learning combined with known DDoS attack participants, and pre-configured objects and mitigation templates to enable precise, effective isolation and mitigation of attacks. 

Service Providers

Data center operators and network providers need a defense that is effective, cost-efficient and easily managed. Arbor Threat Mitigation System (TMS) is the acknowledged leader in DDoS protection. More Service Providers, Cloud Providers and large Enterprises use Arbor TMS as a DDoS mitigator than any other solution to protect DNS services.


NETSCOUT Arbor Edge Defense (AED) is uniquely positioned on the network edge to provide an inline, always-on, first and last line of defense. Using stateless packet processing, continuous global threat intelligence, decades of DDoS protection and mitigation expertise, and patented adaptive DDoS defense technology, AED can protect your organization’s DNS infrastructure and services.