The 2016 Dyn DDoS attack didn't take down Twitter and Netflix by overloading their servers — it took down their DNS provider. Without DNS resolution, even a fully operational server is completely unreachable. DNS is the foundation on which everything else depends, and it's often the least protected layer.
Types of DNS DDoS Attacks
- Query floods: millions of DNS queries per second targeting your authoritative nameservers.
- NXDOMAIN floods: queries for random, non-existent names that can never be answered from cache, forcing your resolver to do a full negative lookup against the authoritative servers for each one.
- DNS amplification: spoofed queries that use your (openly reachable) resolver as a reflector, so its much larger responses are delivered to someone else's address.
- Phantom domain attacks: flooding the resolver with queries to slow or non-responding domains.
Why DNS Is Particularly Vulnerable
DNS runs primarily over UDP, which is stateless, so the source address of a query can be spoofed. Most authoritative DNS servers are not designed to absorb attack-scale query volumes. And because DNS is critical infrastructure, even partial degradation (increased latency) translates immediately into user-visible failures.
Hardening Your DNS
- Use a DDoS-resistant DNS provider with distributed, high-capacity nameservers.
- Implement Response Rate Limiting (RRL) on authoritative nameservers.
- Run at least four geographically distributed authoritative nameservers.
- When using Akarguard, your traffic resolves to our proxy — we can absorb DNS query floods before they affect your origin.
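To make the Response Rate Limiting item concrete, here is an added example that is not part of this page or of any nameserver's code: a simplified Python model of how RRL budgets responses per client prefix and uses the "slip" mechanism, run over constructed NXDOMAIN-flood traffic. The knob names (responses-per-second, nxdomains-per-second, window, slip) mirror those of BIND's rate-limit block, but the token-bucket logic here is an assumption-laden simplification rather than BIND's algorithm.

```python
from ipaddress import ip_network

# Simplified model of Response Rate Limiting (RRL) on an authoritative nameserver
# (a constructed illustration, not BIND's or any vendor's code). Responses are
# budgeted per client /24; once the budget is spent the server drops responses,
# but every `slip`-th excess response is instead sent with the TC bit, so a real
# client retries over TCP while a spoofed victim gets only a tiny packet.
class ResponseRateLimiter:
    ANSWER, TRUNCATE, DROP = "answer", "truncate", "drop"
    def __init__(self, responses_per_second=10, nxdomains_per_second=5,
                 window=5, slip=2, ipv4_prefix_length=24):
        self.limits = {"NOERROR": responses_per_second,
                       "NXDOMAIN": nxdomains_per_second}
        self.window = window        # seconds of credit a bucket may bank
        self.slip = slip            # 0 = never truncate, n = every nth excess
        self.prefix_len = ipv4_prefix_length
        self.buckets = {}           # key -> (credits, last_seen, excess_count)

    def _key(self, client_ip, rcode, qname):
        # Identical answers share a bucket; NXDOMAINs are pooled per prefix
        # because random-subdomain floods never repeat a qname.
        prefix = ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(prefix), rcode, qname.lower() if rcode == "NOERROR" else "*")

    def decide(self, now, client_ip, rcode, qname):
        limit = self.limits.get(rcode, self.limits["NOERROR"])
        key = self._key(client_ip, rcode, qname)
        credits, last, excess = self.buckets.get(key, (limit, now, 0))
        # Refill `limit` credits per second, capped at `window` seconds' worth.
        credits = min(limit * self.window, credits + (now - last) * limit)
        if credits >= 1:
            self.buckets[key] = (credits - 1, now, excess)
            return self.ANSWER
        excess += 1
        self.buckets[key] = (credits, now, excess)
        return self.TRUNCATE if self.slip and excess % self.slip == 0 else self.DROP

def simulate(events, rrl=None):
    """events: (time_s, client_ip, rcode, qname). Returns verdict counts."""
    rrl = rrl or ResponseRateLimiter()
    counts = {"answer": 0, "truncate": 0, "drop": 0}
    for t, ip, rcode, qname in events:
        counts[rrl.decide(t, ip, rcode, qname)] += 1
    return counts

# Constructed traffic: a random-subdomain flood from one /24, then two later queries.
FLOOD = [(0.0, f"203.0.113.{i}", "NXDOMAIN", f"x{i}.example.com") for i in range(12)]
LATER = [(1.5, "203.0.113.99", "NXDOMAIN", "missing.example.com"),
         (1.5, "198.51.100.4", "NOERROR", "www.example.com")]
```

On a real deployment, start in BIND's `log-only yes` mode and size the limits from observed legitimate peaks before enforcing, since limits set too low turn a query flood into self-inflicted SERVFAILs for your own users.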