Protecting DNS Servers from DDoS Attacks

The availability of websites, APIs, email services, CDNs, and many other online services depends on DNS servers. When a DNS server is targeted by a DDoS attack, the translation of human-readable domain names into IP addresses is disrupted. As a result, users cannot access these resources.

DNS protection against DDoS attacks ensures your services stay online. Learn the main DNS threats and how to protect your infrastructure.

In this article, we explain how to protect DNS servers from DDoS attacks, respond to modern threats, and leverage the right technologies to secure your infrastructure. 

What Is DNS?

DNS (Domain Name System) is a distributed, hierarchical system for resolving domain names, operating on a client-server model. It maps domain names to resource records (such as A/AAAA, CNAME, MX, and others) through a sequence of queries to root, TLD, and authoritative DNS servers.

In most cases, this process uses the UDP protocol (port 53). For larger responses and zone transfers, TCP may be used instead.

Each device on a network has a unique address:

| Protocol | IP address length   | Example                                 |
|----------|---------------------|-----------------------------------------|
| IPv4     | 4 bytes (32 bits)   | 192.124.0.8                             |
| IPv6     | 16 bytes (128 bits) | 2001:0fb6:89ac:0000:0000:8a4b:0330:8634 |

To make things easier for users, domain names are used instead of IP addresses. These names consist of levels separated by dots. For example, .network is a top-level domain, while stormwall.network is a second-level domain.

DNS servers are critical to the internet’s operation. They store and serve DNS records, map domain names to IP addresses and other data, and ensure that services remain accessible.

When a client (for example, a browser using a system resolver) requests the IP address of a domain, a recursive DNS resolver either returns a cached response or queries other DNS servers — starting from root servers and moving down to TLD and authoritative servers — to retrieve up-to-date information. Once the response is received, it is returned to the client, allowing a connection to the target server to be established. 
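To make the query/response exchange described above concrete, here is an added example (not code from the original article) that builds a DNS query in wire format and parses a response, including the TC flag that tells a client to retry over TCP when a UDP answer was truncated. The response bytes are constructed locally for offline use; the name and address come from the table above.

```python
"""Build and parse DNS messages in RFC 1035 wire format.

Added example, not part of the original article. The response below is
constructed in code, not captured from a real resolver.
"""
import struct

QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1


def encode_name(name: str) -> bytes:
    """Encode 'stormwall.network' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txn_id: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Standard query: 12-byte header (RD=1) plus one question section entry."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset; follows compression pointers (0xC0xx)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return header flags and the A/AAAA answers of a response message."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {
        "id": txn_id,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),  # TC bit: client should retry over TCP
        "rcode": flags & 0x000F,            # 3 means NXDOMAIN
        "answers": [],
    }
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4  # skip qtype and qclass
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE_AAAA and rdlen == 16:
            value = ":".join(rdata[i:i + 2].hex() for i in range(0, 16, 2))
        else:
            value = rdata.hex()
        info["answers"].append((name, rtype, ttl, value))
    return info


def build_sample_response(query: bytes, ip: str, ttl: int = 300,
                          truncated: bool = False) -> bytes:
    """Constructed answer to `query` for offline testing (not real resolver output)."""
    txn_id = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR=1, RD=1, RA=1 (+TC)
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 1, 0, 0)
    question = query[12:]
    rdata = bytes(int(octet) for octet in ip.split("."))
    # Answer name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answer


if __name__ == "__main__":
    q = build_query(0x1234, "stormwall.network")
    print(parse_response(build_sample_response(q, "192.124.0.8")))
    print(parse_response(build_sample_response(q, "192.124.0.8", truncated=True)))
```

A resolver that sees `truncated` set on a UDP answer re-sends the same question over TCP; the same parser handles both transports, since only the framing differs.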

Types of DDoS Attacks on DNS Servers

DNS servers are frequent targets of DDoS attacks, which generally fall into three main categories: 

  • Volumetric attacks — overwhelming network bandwidth with massive volumes of traffic. This includes DNS reflection and amplification attacks, where responses are significantly larger than the original requests.
  • Protocol or application-layer attacks — generating a large number of DNS queries that overload resolvers and authoritative servers, exhausting CPU, memory, and state tables.
  • Resource exhaustion attacks — techniques such as NXDOMAIN floods and DNS Water Torture (queries to random or non-existent subdomains), which reduce caching efficiency and force resolvers to repeatedly query upstream servers.

If DNS infrastructure in a specific data center — especially authoritative servers or resolvers — is under attack, access to services via domain names may be partially or completely disrupted, even if the underlying services remain operational. 

The following types of DDoS attacks are the most common:

  • DNS flood — generating a large volume of valid or random DNS requests aimed at resolvers or authoritative servers to overload CPU, memory, and network resources. Botnets are often used for this.
  • Reflection attacks — sending DNS queries to open third-party servers with a spoofed victim IP address. The responses are then sent to the victim, creating unwanted inbound traffic.
  • DNS Amplification — a subtype of reflection attacks. Attackers craft queries (for example, targeting large records or DNSSEC) that produce responses much larger than the original request, significantly increasing traffic volume.
  • NXDOMAIN / DNS Water Torture — sending queries for non-existent or randomly generated subdomains. This reduces caching efficiency and forces resolvers to continuously query authoritative servers, increasing their load.
[Figure: DNS flood]

[Figure: DNS amplification attack]

In addition to causing service disruption, DNS-based DDoS attacks can also act as a cover for other threats. If vulnerabilities exist in the infrastructure, attackers can use the attack to hide malicious activity, bypass security controls, and launch additional attacks — including traffic interception, botnet control, and unauthorized data exfiltration.

The following types of threats are distinguished:

  • DNS tunneling — creating covert communication channels by embedding data within DNS queries and responses, allowing attackers to bypass filtering mechanisms.
  • DNS spoofing (cache poisoning) — injecting fake DNS responses into resolver caches, redirecting users to malicious resources such as phishing sites.
  • DGA (Domain Generation Algorithm) — generating large numbers of domain names used by malware to communicate with command-and-control (C2) servers, making blocking more difficult.
  • Fast Flux — frequently changing IP addresses associated with a domain using short TTL values and a distributed network of nodes.

Who Gets Targeted

In 2025, DNS-based attacks ranked among the top five DDoS vectors globally. DNS remains one of the most targeted protocols after HTTPS.

DNS protection is particularly critical for:

  • Telecom and hosting providers, media platforms — DNS acts as the entry point to all digital services, so attacks can disrupt large segments of the network.
  • Financial services — if banking or payment systems become unavailable, users cannot complete transactions.
  • Retail and e-commerce — even a few minutes of downtime can result in lost revenue.

Read more: The DDoS Landscape in 2025

Here’s an example from our practice

Inoxweb, a hosting provider based in Turkey, faced relentless DDoS attacks starting in March 2025. Attackers used a mix of advanced techniques — including DNS amplification, TCP SYN ACK floods, and targeted traffic on ports 80 and 443 — to disrupt customer websites.

The company tried several approaches: hardware firewalls, costly expert tuning, increased bandwidth, and mass-market cloud protection services. None of them worked. Hardware quickly became a bottleneck, bandwidth upgrades only attracted larger attacks, and off-the-shelf solutions ended up blocking legitimate users, causing outages instead of preventing them.

When Inoxweb finally tested StormWall for Networks, the impact was immediate. With 24/7 support and rapid response, every attack — including large-scale DNS amplification — was detected and mitigated at the perimeter, before it could reach the infrastructure. At peak, attacks reached 305 Gbps and 100 million packets per second. After deploying StormWall, the provider experienced zero critical downtime, and its customers were finally able to use services without disruption.


Why DNS Protection Matters

Successful DNS attacks can cause unstable performance or complete service inaccessibility. 

The consequences are similar to those of other DDoS attacks:

  • Disruption of business processes.
  • Financial losses (penalties, claims, customer churn).
  • Reputational damage.
  • Data security risks — DNS attacks may be accompanied by attempts to breach systems and steal sensitive information.

The situation can be even more challenging because affected clients often cannot deploy protection quickly. While under attack, the server struggles to process legitimate requests, and the same overload makes it harder to configure defensive measures. 

How to Protect DNS from DDoS and Other Threats

Today, effective protection usually involves combining multiple approaches. Key recommendations include:

  1. Maintain basic security hygiene. Regularly update software, conduct vulnerability assessments, review and clean outdated or unnecessary DNS records, disable unused protocols and services, and limit administrative access.
  2. Separate server roles. Authoritative and recursive DNS servers should be separated by role and network zone. Combining these functions increases exposure to attacks. For authoritative servers specifically: disable recursion, restrict zone transfers to trusted IP addresses, and disable dynamic updates to prevent unauthorized record changes.
  3. Ensure sufficient capacity. Infrastructure — including servers, load balancers, and network links — should have excess capacity. For resilience, deploy servers across multiple data centers and network segments with redundant routing paths.
  4. Use a DDoS protection service. Specialized and professional anti-DDoS solutions provide more effective protection. When choosing a provider, consider how it handles different attack types, distributes traffic, and detects anomalies.
  5. Configure firewalls to filter incoming and outgoing traffic. Firewalls can restrict access to DNS servers, monitor activity, and block suspicious traffic.
  6. Use additional security protocols. DNSSEC ensures data integrity using cryptographic signatures, while TSIG verifies the authenticity of DNS transactions.
  7. Limit request rates. Restrict the number of requests from a single source, the total number of requests per second, and repeated queries to non-existent domains.
  8. Enable DNS caching. Frequently requested records are stored and reused, reducing load. This should be combined with rate limiting to prevent abuse.
  9. Monitor and analyze traffic continuously. Advanced attacks can mimic legitimate traffic, so detecting anomalies is critical.
  10. Develop a recovery plan. Prepare response scenarios for different attack types, from bandwidth saturation to data integrity issues.
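The rate-limiting and monitoring steps above (limits per source, limits on total queries per second, and limits on repeated queries for non-existent names) and the NXDOMAIN / DNS Water Torture pattern described earlier can be checked with a small detector over query logs. The following is an added example, not code from the original article or from any vendor product: the log format, thresholds and sample lines are all constructed for illustration.

```python
"""Per-source rate limiting and NXDOMAIN-flood detection over DNS query logs.

Added example, not part of the original article. Assumed (constructed) log
format: "<epoch> <client_ip> <qname> <qtype> <rcode>". Thresholds are
illustrative, not recommended production values.
"""
from collections import defaultdict, deque

PER_SOURCE_QPS = 5     # max queries per second from one client
GLOBAL_QPS = 20        # max queries per second across all clients
NXDOMAIN_RATIO = 0.8   # NXDOMAIN share per client that raises an alert
MIN_SAMPLE = 5         # queries seen before the ratio is judged


def parse_line(line: str):
    ts, client, qname, qtype, rcode = line.split()
    return float(ts), client, qname.lower().rstrip("."), qtype, rcode


def registered_zone(qname: str) -> str:
    """Crude zone extraction: the last two labels (enough for example.test)."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


class DnsFloodDetector:
    def __init__(self, window: float = 1.0):
        self.window = window
        self.per_source = defaultdict(deque)             # client -> timestamps
        self.all_queries = deque()                        # all timestamps
        self.nx_counts = defaultdict(lambda: [0, 0])      # client -> [nx, total]
        self.nx_labels = defaultdict(set)                 # (client, zone) -> qnames

    def _trim(self, dq: deque, now: float) -> None:
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, line: str):
        """Feed one log line; return the alerts it triggers (may be empty)."""
        ts, client, qname, _qtype, rcode = parse_line(line)
        alerts = []
        dq = self.per_source[client]
        dq.append(ts)
        self._trim(dq, ts)
        if len(dq) > PER_SOURCE_QPS:
            alerts.append(("per_source_rate", client))
        self.all_queries.append(ts)
        self._trim(self.all_queries, ts)
        if len(self.all_queries) > GLOBAL_QPS:
            alerts.append(("global_rate", "*"))
        counts = self.nx_counts[client]
        counts[1] += 1
        if rcode == "NXDOMAIN":
            counts[0] += 1
            self.nx_labels[(client, registered_zone(qname))].add(qname)
        if counts[1] >= MIN_SAMPLE and counts[0] / counts[1] >= NXDOMAIN_RATIO:
            alerts.append(("nxdomain_ratio", client))
        return alerts

    def water_torture_zones(self, min_distinct: int = 5) -> dict:
        """Zones hit with many distinct non-existent subdomains from one client."""
        return {k: len(v) for k, v in self.nx_labels.items() if len(v) >= min_distinct}


# Constructed sample: one ordinary client, one client sending random subdomains.
SAMPLE_LOG = [
    "1700000000.0 198.51.100.10 www.example.test A NOERROR",
    "1700000000.5 198.51.100.10 mail.example.test MX NOERROR",
    "1700000001.0 198.51.100.10 www.example.test AAAA NOERROR",
    "1700000001.1 203.0.113.7 q7f3k.example.test A NXDOMAIN",
    "1700000001.2 203.0.113.7 a91xm.example.test A NXDOMAIN",
    "1700000001.3 203.0.113.7 zz0p2.example.test A NXDOMAIN",
    "1700000001.4 203.0.113.7 m4k9d.example.test A NXDOMAIN",
    "1700000001.5 203.0.113.7 p0o1w.example.test A NXDOMAIN",
    "1700000001.6 203.0.113.7 r8t2y.example.test A NXDOMAIN",
    "1700000001.7 203.0.113.7 b5n6v.example.test A NXDOMAIN",
]


def analyze(lines):
    """Run the detector over log lines; return (distinct alerts, suspicious zones)."""
    det = DnsFloodDetector()
    fired = set()
    for line in lines:
        fired.update(det.observe(line))
    return fired, det.water_torture_zones()


if __name__ == "__main__":
    alerts, zones = analyze(SAMPLE_LOG)
    print(sorted(alerts))
    print(zones)
```

The per-source counter corresponds to the "requests from a single source" limit, the global counter to "total requests per second", and the NXDOMAIN ratio plus distinct-label count to "repeated queries to non-existent domains"; in production the same signals would feed a rate limiter or a response-rate-limiting feature in the DNS server rather than only an alert.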

Expert Insight

“If your DNS servers are located within your own network, they should be protected using BGP routing. Provide your DNS server IP addresses to your anti-DDoS provider so that they can configure protocol-specific traffic filtering. We take a comprehensive approach to protection, securing the entire traffic path — from DNS to application servers.”

Ramil Khantimirov, CEO and co-founder of StormWall

Protection Methods Overview

  • Rate limiting protects against simple floods but may not be effective against distributed botnets.
  • Blacklists and whitelists work well against known sources but are less effective against disguised traffic.
  • Geographic distribution (Anycast) helps absorb attacks by spreading traffic across multiple nodes.
  • DNS caching reduces repeated load but can be targeted by cache-based attacks.
  • DNSSEC protects against spoofing but does not mitigate DDoS attacks.
  • Cloud-based anti-DDoS services are the most effective against large-scale and complex attacks.

DNS Protection Checklist

  1. Use dedicated physical or virtual servers with sufficient capacity.
  2. Distribute infrastructure across multiple data centers and network segments.
  3. Regularly update software and audit configurations.
  4. Limit administrative access to trusted personnel.
  5. Disable unnecessary services and recursion on authoritative servers.
  6. Configure firewalls and rate limiting.
  7. Enable DNSSEC to protect data integrity.
  8. Deploy a comprehensive anti-DDoS solution covering all OSI layers, including L7.

Frequently Asked Questions

What is DNS protection?
It is a set of measures designed to mitigate threats, including DDoS attacks, ensuring service availability and secure communication between clients and servers.

Why are DNS servers targeted?
Due to their critical role in internet access, protocol limitations, infrastructure configurations, and the growing use of botnets.

How can I detect a DNS attack?
Indicators include slow or failed responses, increased resource usage, spikes in traffic, unusual log patterns, and packet loss.

What is DNS filtering?
A method of analyzing DNS traffic to detect anomalies and block malicious requests before they cause service disruption.

What is the difference between DNS protection and a firewall?
DNS protection operates at the domain level, blocking threats before connections are established, while firewalls operate at network and application layers, controlling traffic based on IPs, ports, and protocols.

What are DNSSEC, DoT, and DoH?

  • DNSSEC adds cryptographic signatures to DNS records to ensure authenticity and prevent tampering.
  • DNS-over-TLS (DoT) encrypts DNS traffic over TLS (port 853), protecting it from interception.
  • DNS-over-HTTPS (DoH) sends DNS queries over HTTPS (port 443), making them harder to intercept or block.

These technologies can be used together: DNSSEC ensures data integrity, while DoT and DoH protect data in transit.
