DNS Query Floods are a type of application layer Distributed Denial of Service (DDoS) attack that targets the Domain Name System (DNS). Attackers flood DNS servers with a high volume of requests, overwhelming the server’s resources and preventing legitimate users from accessing the intended domain. These attacks can disrupt critical services and cause widespread outages.
How DNS Query Floods Work
In a DNS Query Flood attack, the attacker sends a massive number of DNS requests to a target server. Each request is well-formed and often appears legitimate, which makes normal and malicious traffic hard to tell apart. Attackers may use botnets to scale the attack, sending requests from many compromised devices at once. The server becomes overloaded as it attempts to process the large volume of queries, leading to performance degradation or complete unavailability.
What DNS Query Floods Look Like in Logs
1. High Volume of Requests
The server logs show a sudden spike in DNS requests, often from multiple IPs.
Log Example (DNS Server Logs):
[Nov 21 17:10:01] QUERY: client 192.168.1.101#12345: query: example.com A IN
[Nov 21 17:10:01] QUERY: client 192.168.1.102#12346: query: example.com A IN
[Nov 21 17:10:01] QUERY: client 192.168.1.103#12347: query: example.com A IN
[Nov 21 17:10:01] QUERY: client 192.168.1.104#12348: query: example.com A IN
Signs:
- A sudden increase in the number of requests to the same domain.
- Requests originating from multiple IP addresses.
2. Targeting Specific Record Types
Attackers may focus on specific DNS record types, such as A, MX, or ANY, to increase server workload.
Log Example (DNS Server Logs):
[Nov 21 17:11:00] QUERY: client 192.168.1.110#12350: query: example.com ANY IN
[Nov 21 17:11:01] QUERY: client 192.168.1.111#12351: query: example.com ANY IN
[Nov 21 17:11:02] QUERY: client 192.168.1.112#12352: query: example.com ANY IN
Signs:
- Repeated queries for resource-intensive record types like ANY.
- Uniform query patterns across multiple IPs.
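The two signs above (a per-second spike for one name, and repeated expensive record types from many clients) can be checked mechanically. The following is an added example written for this page, not code from the original; it parses constructed lines in the DNS server log format shown above and raises an alert for each pattern. The thresholds are assumptions set low enough to fire on the small sample and would be tuned from a real baseline:

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown above; not taken from a real server.
SAMPLE_DNS_LOG = """\
[Nov 21 17:10:01] QUERY: client 192.168.1.101#12345: query: example.com A IN
[Nov 21 17:10:01] QUERY: client 192.168.1.102#12346: query: example.com A IN
[Nov 21 17:10:01] QUERY: client 192.168.1.103#12347: query: example.com A IN
[Nov 21 17:10:01] QUERY: client 192.168.1.104#12348: query: example.com A IN
[Nov 21 17:10:02] QUERY: client 192.168.1.50#40000: query: intranet.example.net A IN
[Nov 21 17:11:00] QUERY: client 192.168.1.110#12350: query: example.com ANY IN
[Nov 21 17:11:01] QUERY: client 192.168.1.111#12351: query: example.com ANY IN
[Nov 21 17:11:02] QUERY: client 192.168.1.112#12352: query: example.com ANY IN
"""

# One query line: "[timestamp] QUERY: client IP#port: query: NAME TYPE CLASS"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] QUERY: client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query: (?P<name>\S+) (?P<qtype>[A-Z0-9]+) (?P<qclass>[A-Z]+)$"
)

# Record types the text singles out as costly to answer.
EXPENSIVE_QTYPES = {"ANY", "MX"}


def parse_line(line):
    """Return the fields of one query line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze_dns_log(log_text, per_second_threshold=3, expensive_threshold=3):
    """Flag (a) many queries for one name within a single logged second and
    (b) repeated expensive-type queries for one name. The thresholds are
    assumed values chosen to fire on the sample; real ones come from a baseline."""
    per_second = defaultdict(list)   # (timestamp, name) -> client IPs
    expensive = defaultdict(list)    # name -> (client IP, qtype)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_second[(rec["ts"], rec["name"])].append(rec["ip"])
        if rec["qtype"] in EXPENSIVE_QTYPES:
            expensive[rec["name"]].append((rec["ip"], rec["qtype"]))

    alerts = []
    for (ts, name), ips in sorted(per_second.items()):
        if len(ips) >= per_second_threshold:
            alerts.append({"type": "volume_spike", "time": ts, "name": name,
                           "queries": len(ips), "distinct_clients": len(set(ips))})
    for name, hits in sorted(expensive.items()):
        if len(hits) >= expensive_threshold:
            alerts.append({"type": "expensive_qtype", "name": name,
                           "queries": len(hits),
                           "distinct_clients": len({ip for ip, _ in hits}),
                           "qtypes": sorted({qt for _, qt in hits})})
    return alerts


if __name__ == "__main__":
    for alert in analyze_dns_log(SAMPLE_DNS_LOG):
        print(alert)
```

Run against the sample, the volume check fires once (four queries for example.com in the same second from four clients) and the record-type check fires once (three ANY queries for example.com from three clients); the single intranet.example.net query stays below both thresholds. Counting distinct clients alongside raw volume is what separates a distributed flood from one misconfigured resolver retrying in a loop.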
3. Spoofed Source IPs
Attackers may forge the source IP addresses of their queries to hide where the traffic really comes from and to defeat filtering based on source address.
Log Example (Firewall Logs):
[Nov 21 17:12:00] SRC=10.0.0.1 DST=192.168.1.100 PROTO=UDP SPT=12345 DPT=53 QUERY=example.com
[Nov 21 17:12:01] SRC=172.16.0.1 DST=192.168.1.100 PROTO=UDP SPT=12346 DPT=53 QUERY=example.com
[Nov 21 17:12:02] SRC=192.0.2.1 DST=192.168.1.100 PROTO=UDP SPT=12347 DPT=53 QUERY=example.com
Signs:
- High variability in the source addresses.
- Source IPs are random or unreachable.
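Both signs can be measured from firewall logs in the format above. The following is an added example for this page, not code from the original; it parses constructed key=value lines, keeps only UDP traffic to port 53, and reports how many distinct sources appear per query (a ratio near 1.0 means almost every packet came from a new address) plus which sources sit in address space that cannot belong to a real Internet client. The diversity threshold is an assumption, and the routability check only makes sense for an Internet-facing server, since on an internal network private sources are normal:

```python
import ipaddress
import re

# Constructed sample in the firewall log format shown above (not real traffic).
# The last line is non-DNS traffic and should be ignored by the analysis.
SAMPLE_FW_LOG = """\
[Nov 21 17:12:00] SRC=10.0.0.1 DST=192.168.1.100 PROTO=UDP SPT=12345 DPT=53 QUERY=example.com
[Nov 21 17:12:01] SRC=172.16.0.1 DST=192.168.1.100 PROTO=UDP SPT=12346 DPT=53 QUERY=example.com
[Nov 21 17:12:02] SRC=192.0.2.1 DST=192.168.1.100 PROTO=UDP SPT=12347 DPT=53 QUERY=example.com
[Nov 21 17:12:03] SRC=198.51.100.7 DST=192.168.1.100 PROTO=UDP SPT=12348 DPT=53 QUERY=example.com
[Nov 21 17:12:03] SRC=192.168.1.100 DST=192.168.1.1 PROTO=TCP SPT=44321 DPT=443
"""

TS_RE = re.compile(r"^\[([^\]]+)\]")   # leading "[timestamp]"
KV_RE = re.compile(r"(\w+)=(\S+)")     # KEY=value pairs after it


def parse_fw_line(line):
    """Return a dict of KEY=value fields plus 'ts', or None without a timestamp."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["ts"] = m.group(1)
    return fields


def is_unroutable(ip_text):
    """True if the address cannot be a real client on the public Internet
    (private, loopback, documentation, reserved, or not an address at all).
    Such sources on an Internet-facing resolver point to spoofing."""
    try:
        return not ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return True


def analyze_fw_log(log_text, dns_port="53", diversity_threshold=0.9):
    """Summarize UDP traffic to the DNS port: query count, distinct sources,
    the distinct/total ratio, and sources that should never appear as clients.
    diversity_threshold is an assumed cut-off, not a published constant."""
    total = 0
    sources = []
    unroutable = set()
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec is None or rec.get("DPT") != dns_port or rec.get("PROTO") != "UDP":
            continue
        total += 1
        src = rec.get("SRC", "")
        sources.append(src)
        if is_unroutable(src):
            unroutable.add(src)
    distinct = len(set(sources))
    diversity = distinct / total if total else 0.0
    return {
        "queries": total,
        "distinct_sources": distinct,
        "source_diversity": round(diversity, 2),
        "unroutable_sources": sorted(unroutable),
        "suspicious": total > 0 and (diversity >= diversity_threshold or bool(unroutable)),
    }


if __name__ == "__main__":
    print(analyze_fw_log(SAMPLE_FW_LOG))
```

On the sample, four DNS queries arrive from four different sources (diversity 1.0) and all four sources fall in private or documentation ranges, so the window is marked suspicious; the TCP line to port 443 is ignored. Note that a firewall log alone cannot prove the addresses were forged; the check produces a lead for the analyst, and the strongest confirmation is that the apparent sources never complete any exchange with the server.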