AW: DNS DDoS protection

Klaus Darilion klaus.darilion at nic.at
Mon Feb 27 08:29:39 UTC 2023


> -----Original Message-----
> From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Bob
> Harold
> Sent: Friday, 24 February 2023 19:26
> To: bind-users <bind-users at lists.isc.org>
> Subject: DNS DDoS protection
> 
> Before answering this question, can you tell me the proper place where I
> should be asking this question?
> 
> "We are researching DDoS protection, including DNS.  What companies or
> products or methods should I be looking at?"

When talking about DDoS on DNS you have to distinguish between:
a) Volumetric attacks: the attacker fills up your Internet connections with junk traffic
b) Application layer attacks: the attacker sends plenty of valid DNS queries which overload your name servers

For a) you have to look out for the typical DDoS Mitigation providers (Cloudflare, Voxility, ..... just Google, there are plenty of them). They can filter junk traffic, but not DNS queries which look like valid DNS requests.

For b) you need a DNS provider which either detects such queries and drops them or who has enough name servers to just answer them. I guess most of the DNS providers also have contracts with a) to handle also volumetric attacks.

To not promote our service, as a starting point take a look at dnsperf.com where plenty of DNS providers are compared regarding their RTT from all around the world.

Of course you can also build your own infrastructure that can handle DDoS loads. But that may only be reasonable if you are hosting millions of zones. For just a few or hundreds of domains it would be cheaper to outsource the DNS hosting, instead of building it yourself.

regards
Klaus

