DNS Protection

DNS (Domain Name System) is a distributed system of name servers (NS) that clients query to obtain information about domain names, most importantly the IP addresses behind them.

Attacks on DNS

Instead of targeting the website itself, an attacker may choose as the victim the DNS server that holds the records for the website's domain name. If that server cannot answer, visitors' browsers cannot resolve the site's name to an IP address, so the site becomes unavailable even though the web server itself is untouched.

The attacker can send a continuous stream of DNS queries to the name server. Answering a query costs the server many times more CPU time than generating it costs the sender, so the server's resources are soon exhausted. DNS queries travel over UDP, which has no handshake and no way to verify that a packet really came from the source address it carries, so the source address of DNS queries is easy to spoof. Because the packets look entirely legitimate to the name server, it has to answer all of them, which puts it under extreme load. Without specialized protection, the only way to absorb such an attack is to increase the name server's capacity, which is not always practical or even possible.

Beyond the cost of continually adding name server capacity, the server itself can be abused by attackers as a reflector and amplifier: queries spoofed with a victim's source address make the server send its larger replies to that victim, turning the customer's name server into a weapon against third parties.
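The two mechanisms above, the cost asymmetry of a spoofed UDP query and the amplification it yields, can be measured on the wire. The following is an added example, not Qrator's code: it builds a DNS query the way a flood tool would, builds a constructed (not captured) oversized answer for a hypothetical example.com zone, and reports how many bytes the server sends per byte the attacker sends. The query type, record sizes and zone contents are assumptions chosen for illustration; the DNS wire format itself is RFC 1035.

```python
import struct

# Added example, not Qrator's code. Shows the byte asymmetry that turns an
# authoritative server into an amplifier when a query's source IP is spoofed.

QTYPE_TXT = 16
QTYPE_ANY = 255


def encode_name(qname: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, terminated by 0."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: 12-byte header (RD=1, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def txt_rr(text: str, ttl: int = 300) -> bytes:
    """TXT record whose owner is a compression pointer (0xC00C) to the question
    name at offset 12. One character-string, so text must be <= 255 bytes."""
    if len(text) > 255:
        raise ValueError("TXT character-string is limited to 255 bytes")
    rdata = bytes([len(text)]) + text.encode("ascii")
    return b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, ttl, len(rdata)) + rdata


def build_response(query: bytes, answers: list) -> bytes:
    """Constructed authoritative answer: same TXID, question echoed, ANCOUNT RRs.
    Flags 0x8580 = QR, AA, RD, RA."""
    txid = query[:2]
    header = struct.pack("!2sHHHHH", txid, 0x8580, 1, len(answers), 0, 0)
    return header + query[12:] + b"".join(answers)


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte header. Nothing in it authenticates the sender: the
    server answers whatever IP address the UDP packet claims to come from."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the server sends per byte the attacker sends (UDP payload only)."""
    return len(response) / len(query)


def demo() -> float:
    # Constructed sample: an ANY query for example.com answered by a zone that
    # holds four 200-byte TXT records (SPF/DKIM-heavy zones look like this).
    query = build_query("example.com", QTYPE_ANY)
    records = [txt_rr("v=spf1 " + "a" * 193) for _ in range(4)]
    response = build_response(query, records)
    assert parse_header(response)["txid"] == parse_header(query)["txid"]
    return amplification_factor(query, response)


if __name__ == "__main__":
    print(f"amplification factor: {demo():.1f}x")
```

A 29-byte query draws an 881-byte reply here, roughly 30x. The real ratio on the wire is a little lower because IP and UDP headers are the same size in both directions, but the point stands: the server cannot distinguish this query from a legitimate one, so it pays the full cost of answering and delivers the reply to whoever the spoofed source address names.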

Service description

Protection against this type of attack is provided by an additional DNS server operated by Qrator. It applies advanced mitigation methods for DNS-specific attacks and implements logic that distinguishes bogus requests generated by bots from legitimate ones and processes them differently. To use Qrator DNS protection, choose one of the following configuration options:

1. Qrator Secondary DNS (protection with disclosure of the zone contents). The customer allows zone transfers from their current primary NS to an address assigned by Qrator and lists that address as an authoritative DNS server for the zone, either replacing or complementing the existing servers. Qrator configures transfer of the zone file from the customer's primary NS. That primary is no longer listed in the zone's NS records, so its IP address stays unknown to potential attackers (this setup is called Hidden Primary).

2. Qrator DNS Reverse Proxy (protection without disclosure of the zone contents). In some cases (for example, because of security policy) the customer cannot delegate the zone to our name server. In that case the customer only needs to tell us the IP addresses of their authoritative DNS servers and, preferably, of a Hidden Primary NS whose data is not exposed to the public network. Qrator NS, deployed on an address in the Qrator network, is then listed as an authoritative server for the customer's zone, either replacing or complementing the existing servers. In this configuration Qrator NS acts as a caching proxy for the customer's zone (a recursive server restricted to that zone): if it lacks a record, it queries the customer's upstream server and caches the reply. The design also takes into account the ways an attack can grow or change its vector.
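The reverse-proxy option above rests on one behaviour: answer from cache when a record is known and fresh, otherwise ask the customer's server and remember the reply. The following is an added example, not Qrator's code, that models that behaviour in a few dozen lines so the hit, miss and expiry paths can be traced. The zone data, the fake upstream and the fake clock are constructed fixtures; the serve-stale fallback (keep answering from expired records while the upstream is unreachable, up to a bounded age) is an assumption added here to show what the proxy can do when the customer's server is itself under attack, not a feature the page describes.

```python
import time
from dataclasses import dataclass

# Added example, not Qrator's code: a toy caching DNS proxy in front of a
# customer's authoritative server. Zone data and serve-stale are assumptions.


class UpstreamUnavailable(Exception):
    """Raised by the upstream callable when the customer's server does not answer."""


@dataclass
class CacheEntry:
    rdata: tuple      # answer data, e.g. ("203.0.113.10",)
    ttl: int          # seconds, taken from the upstream answer
    stored_at: float  # clock reading when the answer was cached


class CachingProxy:
    def __init__(self, upstream, clock=time.monotonic, serve_stale=True, max_stale=3600):
        # upstream: callable(name, qtype) -> (ttl, rdata); raises UpstreamUnavailable
        self.upstream = upstream
        self.clock = clock
        self.serve_stale = serve_stale  # assumption: answer from expired data if needed
        self.max_stale = max_stale      # ... but only for a bounded time past the TTL
        self.cache = {}
        self.upstream_queries = 0

    def resolve(self, name: str, qtype: str = "A"):
        """Return (rdata, source) where source is 'hit', 'miss' or 'stale'."""
        key = (name.lower().rstrip("."), qtype.upper())  # DNS names are case-insensitive
        now = self.clock()
        entry = self.cache.get(key)
        if entry is not None and now - entry.stored_at < entry.ttl:
            return entry.rdata, "hit"  # served without touching the upstream
        try:
            self.upstream_queries += 1
            ttl, rdata = self.upstream(key[0], key[1])
        except UpstreamUnavailable:
            if (self.serve_stale and entry is not None
                    and now - entry.stored_at < entry.ttl + self.max_stale):
                return entry.rdata, "stale"  # upstream down: answer from expired data
            raise
        self.cache[key] = CacheEntry(tuple(rdata), ttl, now)
        return self.cache[key].rdata, "miss"


# Constructed fixtures (not real infrastructure).
class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeUpstream:
    """Stands in for the customer's hidden primary; can be switched off."""

    def __init__(self, zone):
        self.zone, self.available, self.calls = zone, True, 0

    def __call__(self, name, qtype):
        self.calls += 1
        if not self.available:
            raise UpstreamUnavailable(f"{name}/{qtype}: no answer from upstream")
        return self.zone[(name, qtype)]


ZONE = {  # constructed sample zone: (name, type) -> (ttl, rdata)
    ("example.com", "A"): (300, ("203.0.113.10",)),
    ("www.example.com", "A"): (60, ("203.0.113.10", "203.0.113.11")),
    ("example.com", "MX"): (3600, ("10 mail.example.com.",)),
}


def scenario():
    """Walk through miss, hit, expiry and serve-stale; returns sources and upstream calls."""
    clock, upstream = FakeClock(), FakeUpstream(ZONE)
    proxy = CachingProxy(upstream, clock=clock)
    sources = []
    sources.append(proxy.resolve("www.example.com")[1])   # miss: fetched from upstream
    sources.append(proxy.resolve("WWW.example.com.")[1])  # hit: same key despite case/dot
    clock.advance(61)                                     # TTL 60 has expired
    upstream.available = False                            # primary unreachable
    sources.append(proxy.resolve("www.example.com")[1])   # stale: still answered
    upstream.available = True
    sources.append(proxy.resolve("www.example.com")[1])   # miss: refreshed from upstream
    sources.append(proxy.resolve("www.example.com")[1])   # hit
    return sources, upstream.calls


if __name__ == "__main__":
    print(scenario())
```

Two things to notice. A burst of repeated queries for the same name costs the customer's server exactly one query per TTL, which is the whole point of putting the proxy in front of it. And a record that is not in the cache at all cannot be served while the upstream is down, so the proxy's protection is strongest for the names that are actually queried; a practitioner should check that the important names are warm in cache before relying on it.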

Advantages of Robust Qrator DNS:

  • Cloud solution on the Qrator network – the customer doesn't need to install any additional software or buy any hardware devices
  • If the DNS is attacked, at least one server always stays operational
  • Easy to enable and configure
  • Improved stability of the protected resource even when no attack is in progress