Best Current Practices for DNS Resolver Resilience Against Coordinated Amplification Attacks

Introduction The Domain Name System (DNS) has long been used as a vector for reflection and amplification attacks . A sophisticated variant, the Pulsing Denial-of-Service (PDoS) attack , uses intermittent, high-volume traffic bursts. This pattern makes PDoS attacks challenging to detect with conventional traffic analysis, yet they remain highly effective. The "DNSBomb" attack demonstrates a practical method for generating such bursts by exploiting the combined, emergent behavior of standard resolver features. The attack model does not rely on a single protocol vulnerability but on the operational ambiguity in how resolvers should handle a specific sequence of events: a large number of queries from a single source for a domain whose authoritative server is slow to respond. This document specifies best practices for resolver implementations and configurations to mitigate this and similar attack vectors. These practices are designed to limit the ability of an attacker to accumulate and concentrate responses without negatively impacting legitimate use cases. This document acknowledges that the diversity of DNS implementations is a strength and not a weakness. The exact mitigations detailed herein are provided as operational guidance and Best Current Practices, rather than rigid Internet Standards. Implementers are encouraged to adapt these mechanisms to suit their specific architectures.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Terminology

Pulsing DoS (PDoS) Attack:: A Denial-of-Service attack characterized by intermittent, short bursts of high-volume traffic separated by periods of little or no attack traffic.
Query Accumulation:: An attack phase where a resolver receives and holds numerous queries, typically from a spoofed source IP, while awaiting a delayed response from a malicious authoritative nameserver.
Response Concentration:: The near-simultaneous transmission of a large number of DNS responses from a resolver to a single target. This is the culmination of the attack, forming the traffic pulse.
Response Pacing:: A mitigation technique whereby a resolver deliberately de-synchronizes the transmission of a large batch of responses to a single client to prevent a traffic spike.

Attack Model The attack model assumes the adversary can send IP-spoofed DNS queries and controls an authoritative nameserver for a domain. The attack proceeds in three phases:

Accumulation: The attacker sends a low-rate stream of queries for unique subdomains of their controlled domain to one or more recursive resolvers. The source IP address is spoofed to that of the victim. The attacker's authoritative server receives the upstream queries from the resolver but deliberately withholds its response. The resolver's query timeout window (potentially extended by IP defragmentation timeouts ) becomes the accumulation period.
Amplification: The attacker leverages query aggregation within the resolver to minimize the upstream query load on their authoritative server. When the attacker finally responds, it sends a large response, using EDNS(0) to maximize the payload size. This single large response will be used as the basis for responding to all accumulated queries.
Concentration: Upon receiving the single, delayed response, the resolver unblocks all pending client-side queries. Due to optimizations for low latency, many resolvers will transmit all of these responses to the victim's IP address nearly simultaneously, creating a powerful, concentrated traffic pulse.

Problem Statement This attack vector arises from an operational ambiguity in current DNS specifications. While features like query timeouts, aggregation, and fast response are individually beneficial for performance and resilience, their interaction under specific, maliciously crafted conditions is not well-defined. Resolvers lack clear guidance on how to differentiate between a legitimate, large-scale query event (e.g., from a large NAT) and a coordinated attack. This document aims to provide that guidance to reduce the potential for exploitation.

Mitigation Strategies and Operational Guidance To mitigate this attack vector, this document recommends a set of interrelated strategies for resolver software and its operation.

Response Pacing The most direct mitigation for the response concentration phase is Response Pacing. When a resolver is about to send a large number of responses to a single client IP address in a short time window (e.g., as a result of a single upstream answer), it SHOULD introduce a small, randomized delay (jitter) between each response transmission. This technique de-synchronizes the response burst, spreading it out over time and reducing its peak bandwidth. The total delay should be carefully calibrated to avoid a significant performance impact on legitimate clients. Operational Trade-offs: This mechanism may introduce minor latency for legitimate clients behind large-scale NATs. The pacing algorithm should be configurable and potentially adaptive based on the number of responses in the queue.

Guidance on Timeout Values Long upstream query timeouts provide a larger window for query accumulation. It is RECOMMENDED that resolver operators configure shorter timeouts for queries to authoritative servers. A value between 1.5 and 3 seconds is generally sufficient to accommodate most network conditions without providing an excessive window for attackers. Resolver software MAY also implement adaptive timeouts. For example, if an authoritative server is consistently slow, the resolver could dynamically shorten the timeout for subsequent queries to it.

Limiting Query Accumulation Resolvers SHOULD implement a mechanism to limit the number of pending queries that can be accumulated per source IP address (or prefix). A configurable limit on the number of outstanding queries from a single source directly caps the scale of the accumulation phase. Once this limit is reached, the resolver SHOULD either drop new queries from that source or respond immediately with an appropriate error code (e.g., REFUSED) until some of the pending queries are resolved. This is preferable to holding an unbounded number of queries. Operational Trade-offs: A limit that is too low could affect service for users behind large-scale NATs. This limit should be configurable by the operator.

EDNS(0) Buffer Size To limit the amplification factor, it is a standing best practice for resolver operators to configure a conservative EDNS(0) UDP buffer size. A value of 1232 bytes is RECOMMENDED, as this avoids IP fragmentation on most network paths. Operators SHOULD NOT configure larger values without a specific and compelling operational requirement.

Security Considerations The practices described in this document are designed to mitigate a specific attack vector and are not a complete solution for all DNS- based DoS attacks. The effectiveness of these mitigations relies on their combined deployment. Source address validation remains the most fundamental defense against attacks requiring IP spoofing. Network operators are strongly urged to implement ingress filtering as described in BCP 38 and BCP 84 . The mitigations proposed herein involve operational trade-offs between security and performance. For example, Response Pacing adds latency, and strict query accumulation limits may impact legitimate users. Operators must be able to configure these parameters to suit their specific environment. The default settings in resolver software should prioritize resilience. While these measures make individual resolvers more resilient, a sufficiently motivated attacker could still achieve a significant impact by coordinating a very large number of unpatched or misconfigured resolvers. Therefore, broad adoption of these best practices across the community is essential for improving the overall security posture of the DNS.

IANA Considerations This document has no IANA actions.

Contributors The authors of the "DNSBomb" paper, Dashuai Wu, Haixin Duan, and Qi Li, provided the foundational research for the attack vector described in this document.