DNS Protection

DNS (Domain Name System) is a distributed system of servers that holds information about domains. The protection of this system is often overlooked.

Instead of attacking a site directly, which requires far more resources, attackers can attack the DNS server that stores the information about the site's domains. In that case users' browsers cannot determine the site's IP address, and the site becomes inaccessible.

An attacker can continuously generate DNS queries to a DNS server in order to exhaust its resources. This is not difficult: for each request the server spends a thousand times more CPU resources than the client spends to create that one request. UDP does not verify the legitimacy of the connection, which makes it easy to forge the source address of the requests. Since the packets look perfectly legitimate, the NS server must respond to all of them. Without special protection, the only way to neutralize such an attack is to increase the capacity of the NS servers.

Besides the fact that constantly increasing DNS server capacity becomes problematic, such a server can itself be used by attackers to organize further DDoS attacks on other victims.

Qrator DNS 

Qrator DNS is a distributed DNS server system built on the Qrator Labs cloud. Like all services running in the Qrator Labs cloud, Qrator DNS uses BGP Anycast, so all Qrator DNS NS servers have the same IP address regardless of their actual geographic location. This gives the network two key benefits.

  1. Distributed attack surface: during a DDoS attack on an NS server, the attack surface is naturally distributed. Fault tolerance is increased, other geographic regions are not affected, and the attack is localized in the region of its origin.
  2. Significantly reduced response time from the query point to a regional NS server. Loading of the requested resources is noticeably faster.

 

How Qrator DNS works

Qrator DNS supports two connection options:

  1. Classic Qrator Secondary DNS. The client allows a full transfer of its domain zone from the current Primary NS server to the Qrator Labs cloud. The client then specifies the IP address allocated by Qrator Labs as the authoritative server address for its zone (replacing or supplementing the existing ones). As a result, each Qrator Labs regional scrubbing center holds a complete copy of the domain zone.

     Qrator Labs can also configure the zone file transfer from the client's main NS server so that its address is no longer known to attackers (this configuration is called Hidden Primary).

  2. Qrator DNS Reverse Proxy (protection without full disclosure of the domain zone). In some cases the client cannot transfer a copy of its domain zone to the Qrator Labs cloud (for example, for compliance reasons or because of security policy restrictions adopted in the client company). In this case it is enough to configure the IP address(es) of the authoritative servers in the Qrator Labs cloud and specify the IP address allocated by Qrator Labs as the authoritative server address for the zone. The Hidden Primary scheme also works here, since the primary's data is not available on the public network. With this connection scenario, the Qrator Labs cloud acts as a recursive server with a cache of data about the client's connected zone.
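A Hidden Primary only stays hidden if the zone data published through the public NS servers never names it. The following check, an added example that is not Qrator Labs code, scans a zone in presentation format for the three usual leaks: the SOA MNAME, the NS set, and an address record pointing at the hidden primary. All names and addresses (`ns-hidden.example.com`, `203.0.113.5`, the shared anycast address `192.0.2.10`) are constructed for the example.

```python
# Constructed zone text (one RR per line, fully-qualified names, no $ORIGIN).
# The SOA MNAME and an A record both reveal the hidden primary.
LEAKY_ZONE = """\
example.com. 3600 IN SOA ns-hidden.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
ns1.example.com. 3600 IN A 192.0.2.10
ns2.example.com. 3600 IN A 192.0.2.10
ns-hidden.example.com. 3600 IN A 203.0.113.5
www.example.com. 300 IN A 192.0.2.80
"""

# Same zone with MNAME pointed at a public anycast NS and the leaking A record removed.
CLEAN_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010102 7200 900 1209600 300
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
ns1.example.com. 3600 IN A 192.0.2.10
ns2.example.com. 3600 IN A 192.0.2.10
www.example.com. 300 IN A 192.0.2.80
"""


def parse_zone(text):
    """Return a list of (owner, rtype, rdata-fields) from simplified zone text."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        owner, _ttl, _cls, rtype = parts[:4]
        records.append((owner.lower(), rtype.upper(), tuple(parts[4:])))
    return records


def hidden_primary_leaks(zone_text, hidden_name, hidden_ip):
    """Return a list of leak descriptions; an empty list means the primary is hidden."""
    hidden_name = hidden_name.lower().rstrip(".") + "."
    leaks = []
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype == "SOA" and rdata[0].lower() == hidden_name:
            leaks.append(f"SOA MNAME names the hidden primary {hidden_name}")
        elif rtype == "NS" and rdata[0].lower() == hidden_name:
            leaks.append(f"NS record for {owner} delegates to the hidden primary")
        elif rtype in ("A", "AAAA") and rdata[0] == hidden_ip:
            leaks.append(f"{rtype} record {owner} publishes the hidden primary address {hidden_ip}")
    return leaks
```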

 

Benefits of Resilient DNS from Qrator Labs

  • High fault tolerance
  • Highly distributed system
  • Easy to connect
  • Stable operation of resources
  • Advanced DNS attack mitigation techniques and special bot request processing logic that works differently from the logic used for legitimate user requests