Improving DNS cache to alleviate the impact of DNS DDoS attack

Wei-min LI, Xiao-guang CAO, Fang LIU, Zhen-ming LEI
2011 Journal of Networks  
In recent years, adversaries have been launching distributed denial of service (DDoS) attacks aimed at DNS (Domain Name System) servers in various levels, and since the DNS is a most critical fundamental service of the Internet that provides mapping between domain names and IP addresses and a prerequisite for many other services, DDoS attacks successfully causing the unavailability of DNS could bring huge losses. In this paper, we present an easily implemented and practical scheme that can
more » ... cheme that can significantly alleviate the impact of the DNS DDoS attacks. Firstly, we propose interactive communications among DNS servers to obtain status information of others and with the premise we support that nameservers should not clean-up TTL-expired domain-name records in the cache when they detected that relevant nameservers are unavailable. Secondly, an evaluation based on the data of 511,781,146 DNS queries collected from four different DNS servers on the Internet shows that the DNS could still works well in the duration of a DDoS attack by applying our approach. And further, a long term DNS analysis of about 173 days proves the prerequisite for the validity of our project on the Internet today.
doi:10.4304/jnw.6.2.279-286 fatcat:luat2ijctfg5xkwnez3qju6xou