What is a DNS flood attack?

  • By Gcore
  • October 29, 2025
  • 9 min read
Picture your website going dark in seconds. No server failure, no coding error, just an attacker flooding your DNS infrastructure with millions of fake queries until it can't respond anymore. That's exactly what happened during the 2013 Spamhaus attack, where DNS requests overwhelmed servers and knocked them completely offline. And with high-bandwidth IoT botnets like Mirai now in the picture, these attacks have only grown more powerful and accessible to bad actors.

The stakes are real for any internet-dependent business. Botnets can conscript thousands, sometimes millions, of compromised devices to sustain an attack. Because DNS is the backbone of how users reach your website, APIs, and web applications, a successful hit doesn't just slow things down. It creates cascading disruption across every service that depends on name resolution.

Here's what you'll find in this guide: exactly how DNS flood attacks work, the variants you need to know about, the warning signs to watch for, and the prevention and mitigation strategies, from rate limiting to anycast DNS distribution, that can protect your core infrastructure before attackers find their opening.

What is a DNS flood attack?

A DNS flood attack is a distributed denial-of-service (DDoS) attack that overwhelms DNS servers with massive volumes of queries, making it impossible to process legitimate traffic. Because DNS translates domain names into IP addresses, taking it down disrupts everything that depends on it: websites, APIs, and web applications all go dark.

Attackers drive these attacks using botnets, sometimes controlling millions of compromised devices, to send relentless UDP-based DNS requests that exhaust server CPU and memory. Spoofed IP addresses hide the true source, making basic filtering ineffective. Attack variants range from query floods and NXDOMAIN attacks to DNS reflection, each targeting a different weak point in the DNS resolution chain.

In simple terms: A DNS flood attack is when attackers flood your DNS server with so many fake requests that it can't respond to real ones, effectively knocking your website and services offline.

How does a DNS flood attack work?

A DNS flood attack works by burying a target server under so many DNS queries that it runs out of CPU and memory, and can't respond to legitimate requests anymore.

Here's the typical sequence. The attacker assembles a botnet, sometimes thousands or millions of compromised devices, including IoT devices from botnets like Mirai. Each device fires a continuous stream of UDP-based DNS queries at the target. Because DNS doesn't require a handshake the way TCP does, requests pile up faster than the server can process them.

Spoofed source IP addresses make the traffic look like it's coming from countless real users. The server can't easily tell fake requests from genuine ones, so it tries to handle everything. Eventually, it buckles.

The damage doesn't stop at the DNS server, either. Any service that depends on DNS resolution (your web app, your APIs, your login systems) stops working too. Secondary services fail even though they were never directly targeted.

In simple terms: Attackers use thousands of hijacked devices to flood your DNS server with fake requests until it's too busy to answer real ones, bringing down everything that relies on it.

What are the main types of DNS flood attacks?

DNS flood attacks aren't one-size-fits-all. There are several distinct variants, each targeting a different weakness in DNS infrastructure. Knowing the difference matters, because what you're defending against shapes how you defend it.

  • DNS query flood: The bluntest approach. A botnet hammers the target server with massive volumes of standard DNS queries until CPU and memory are exhausted and legitimate requests can't get through. No tricks, no amplification, just raw, overwhelming volume.
  • DNS reflection attack: Here, attackers spoof the victim's IP address and send queries to open DNS resolvers. Those resolvers send their responses straight to the victim, flooding it with DNS replies it never actually requested.
  • DNS amplification attack: Think of this as reflection with a multiplier. Attackers use query types like ANY or DNSSEC records that return large responses from small requests, so the traffic hitting the victim is many times the size of what the attacker sent.
  • NXDOMAIN attack: Attackers flood the server with requests for domains that don't exist. The authoritative name server responds with NXDOMAIN errors each time, and the resolver's cache fills up with those error responses until it can't handle requests for real domains anymore.
  • Random subdomain attack: Sometimes called a "water torture" attack. Attackers combine a valid domain name with randomized, nonexistent subdomains (think `abc.example.com`, `def.example.com`), forcing the authoritative name server to process every single one. It's particularly nasty because the queries look almost legitimate, making them harder to filter.
  • TCP SYN-based DNS flood: Less common, but worth knowing. Some attackers target DNS servers over TCP rather than UDP, initiating connections that never complete. Instead of overwhelming processing capacity, this ties up connection resources.

| Attack type | What it does | Best for attackers when |
|---|---|---|
| DNS query flood | Overwhelms server with raw query volume | Large botnets are available |
| DNS reflection attack | Redirects resolver responses to the victim | Spoofing source IPs is easy |
| DNS amplification attack | Multiplies traffic using large DNS responses | Increasing damage with less bandwidth |
| NXDOMAIN attack | Overflows resolver cache with error responses | Targeting authoritative name servers |
| Random subdomain attack | Forces authoritative servers to process junk queries | Bypassing caches and rate limits |
| TCP SYN-based DNS flood | Exhausts TCP connection resources | Targeting connection-limited servers |

What are the warning signs of a DNS flood attack?

DNS flood attacks show up in a few clear ways: server behavior, traffic patterns, and what your users actually experience. Spot them early and you've got a real shot at limiting the damage.

  • Spike in query volume: Your DNS server suddenly gets far more queries than normal, often orders of magnitude above baseline. It's the most direct indicator you'll see. Any monitoring tool tracking queries per second will catch this immediately.
  • High CPU and memory usage: These attacks are designed to exhaust server resources. If your DNS server's CPU or memory climbs sharply without a matching rise in legitimate traffic, that's worth investigating right away.
  • Surge in NXDOMAIN responses: A sudden jump in non-existent domain responses points to an NXDOMAIN or random subdomain attack. Your server is burning resources answering requests for domains that simply don't exist.
  • Slow or failed DNS resolution: Users start reporting that websites won't load or take forever to resolve. Because DNS sits at the foundation of nearly every web request, degraded resolution drags everything downstream with it.
  • Unusual traffic from unfamiliar IP ranges: Botnets spread requests across thousands or millions of compromised devices. High query volumes from geographically scattered or unfamiliar IP addresses? That pattern is worth flagging.
  • Resolver cache overflow: Your resolver's cache fills faster than it should, particularly with error responses. This is a classic sign of an NXDOMAIN attack pushing out legitimate cached records.
  • Increased UDP traffic volume: DNS flood attacks are a variation of UDP flood attacks. A sharp rise in UDP traffic hitting port 53 is one of the clearest network-level signals you'll get.
  • Ripple effects on dependent services: DNS failure rarely stays contained. If APIs, web applications, or other services start failing without an obvious cause, trace it back to DNS resolution first.

| Warning sign | What it indicates | Best detected by |
|---|---|---|
| Spike in query volume | Raw volumetric attack in progress | Queries-per-second monitoring |
| High CPU and memory usage | Server resources being exhausted | Server performance dashboards |
| Surge in NXDOMAIN responses | NXDOMAIN or random subdomain attack | DNS response code analysis |
| Slow or failed DNS resolution | Legitimate traffic being blocked | User reports and uptime monitoring |
| Unusual traffic from unfamiliar IPs | Botnet activity across compromised devices | IP traffic and geo-distribution logs |
| Resolver cache overflow | Cache being flooded with error responses | Cache utilization metrics |
| Increased UDP traffic on port 53 | Classic DNS flood at network level | Network traffic analysis tools |
| Ripple effects on dependent services | DNS failure cascading downstream | Application and API health checks |
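The three log-visible signs above (query-volume spike, NXDOMAIN surge, and never-repeating subdomains) can be checked in code. The following is an added example, not code from the Gcore article; it uses a constructed record format and constructed sample traffic, and the thresholds (`spike_factor`, `nx_ratio`, `min_nx`, `unique_ratio`) are assumed tuning values, not anything the article specifies.

```python
"""Flag DNS flood warning signs in one-second windows of query records.

Constructed record format, one per line (not a real server's log format):
    <epoch_seconds> <client_ip> <qname> <qtype> <rcode>
"""
from collections import defaultdict

# Constructed sample: three seconds of normal traffic, then one second with a
# burst of randomized, non-existent subdomains answered NXDOMAIN.
SAMPLE_LOG = """\
100 198.51.100.10 www.example.com A NOERROR
100 198.51.100.11 api.example.com A NOERROR
101 198.51.100.10 mail.example.com MX NOERROR
101 198.51.100.12 www.example.com AAAA NOERROR
102 198.51.100.11 www.example.com A NOERROR
103 203.0.113.7 x7q2kf9a.example.com A NXDOMAIN
103 203.0.113.8 p0mzt4vb.example.com A NXDOMAIN
103 203.0.113.9 q9w8e7r6.example.com A NXDOMAIN
103 203.0.113.10 zz18dk2l.example.com A NXDOMAIN
103 203.0.113.11 m3n4b5v6.example.com A NXDOMAIN
103 203.0.113.7 k2j3h4g5.example.com A NXDOMAIN
103 203.0.113.8 a1s2d3f4.example.com A NXDOMAIN
103 203.0.113.12 www.example.com A NOERROR
"""


def parse(lines):
    """Turn log lines into (ts, ip, qname, qtype, rcode) tuples; skip malformed lines."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, qname, qtype, rcode = parts
        records.append((int(ts), ip, qname.lower().rstrip("."), qtype, rcode.upper()))
    return records


def analyze(records, baseline_qps, zone="example.com",
            spike_factor=3.0, nx_ratio=0.5, min_nx=5, unique_ratio=0.8):
    """Return {second: [warning signs]} for every window showing at least one sign."""
    windows = defaultdict(list)
    for ts, ip, qname, _qtype, rcode in records:
        windows[ts].append((ip, qname, rcode))
    alerts = {}
    suffix = "." + zone
    for ts in sorted(windows):
        rows = windows[ts]
        qps = len(rows)
        nx = sum(1 for _, _, rcode in rows if rcode == "NXDOMAIN")
        zone_names = [q for _, q, _ in rows if q.endswith(suffix)]
        signs = []
        if qps >= spike_factor * baseline_qps:          # volume far above baseline
            signs.append("qps_spike")
        if qps and nx / qps >= nx_ratio:                # most answers are NXDOMAIN
            signs.append("nxdomain_surge")
        # Names under the zone almost never repeat: the cache cannot help and the
        # authoritative server does all the work (random subdomain / water torture).
        if zone_names and nx >= min_nx and len(set(zone_names)) / len(zone_names) >= unique_ratio:
            signs.append("random_subdomain")
        if signs:
            alerts[ts] = signs
    return alerts


if __name__ == "__main__":
    for ts, signs in analyze(parse(SAMPLE_LOG.splitlines()), baseline_qps=2.0).items():
        print(f"t={ts}: {', '.join(signs)}")
```

In production the baseline would come from a rolling average of prior windows rather than a hard-coded value, and the same logic applies per zone and per source network.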

What are the effects of a DNS flood attack?

DNS flood attacks don't just slow things down. The damage cascades across your entire infrastructure in ways that go well beyond the DNS server itself. Here's what you're actually dealing with when one hits.

  • Service unavailability: Your website, APIs, and web applications stop responding entirely. DNS translates domain names to IP addresses, so if resolution fails, users can't reach your services even if your origin servers are perfectly healthy.
  • Exhausted server resources: These attacks are designed to drain CPU and memory on your DNS servers. Under sustained query load, servers slow to a crawl or crash outright, leaving no capacity to handle legitimate requests.
  • Cache poisoning and overflow: High volumes of NXDOMAIN responses push legitimate cached records out of your resolver's cache. Rebuilding that cache takes time, and during that window, resolution slows for everyone.
  • Degraded application performance: Even partial DNS disruption affects every service that depends on name resolution, including databases, microservices, and third-party integrations. What looks like an application problem often traces back to DNS.
  • Cascading downstream failures: If your DNS infrastructure serves multiple domains or services, a single flood attack can take all of them down at once. The ripple effects spread fast.
  • Increased infrastructure costs: Absorbing a large-scale attack burns bandwidth and compute resources. If you're on consumption-based pricing, that traffic spike translates directly into unexpected costs.
  • Difficult attack attribution: Attackers use spoofed IP addresses and distributed botnets, sometimes millions of compromised devices, to obscure the source. That makes blocking and forensic analysis significantly harder.

| Effect | What it does | Best for |
|---|---|---|
| Service unavailability | Blocks all DNS-dependent user access | Understanding business impact |
| Exhausted server resources | Crashes or stalls DNS servers | Capacity planning |
| Cache overflow | Flushes legitimate records from resolver | Diagnosing resolution slowdowns |
| Degraded application performance | Breaks services that rely on DNS | Root cause analysis |
| Cascading downstream failures | Takes multiple services offline at once | Multi-domain infrastructure owners |
| Increased infrastructure costs | Spikes bandwidth and compute spend | Budget and cost monitoring |
| Difficult attack attribution | Slows response due to spoofed sources | Incident response planning |

How do you prevent and mitigate DNS flood attacks?

Preventing and mitigating DNS flood attacks takes a combination of proactive infrastructure hardening and real-time traffic filtering. No single measure is enough on its own.

  1. Deploy rate limiting on your DNS servers. Configure your DNS infrastructure to cap the number of queries accepted from any single IP address within a defined time window. It won't stop a distributed attack entirely, but it reduces the per-source impact and buys your servers breathing room during the initial surge.
  2. Enable Anycast DNS routing. Anycast spreads incoming query traffic across multiple geographically distributed nodes, routing each request to the nearest available server. Instead of one server absorbing the full attack volume, the load distributes across your entire network, making it much harder for attackers to saturate any single point.
  3. Use behavioral-based DDoS protection. Static filtering rules can't keep up with modern attacks. Behavioral detection analyzes query patterns in real time and flags anomalous traffic, such as sudden spikes in NXDOMAIN responses or randomized subdomain queries, before they exhaust your server resources.
  4. Redirect attack traffic through cloud-based scrubbing. During a large-scale flood, route your DNS traffic through a cloud DDoS mitigation service. Scrubbing centers filter malicious traffic upstream, so only clean queries reach your authoritative servers. The 2013 Spamhaus attack was ultimately contained this way.
  5. Overprovision your DNS capacity. Size your DNS infrastructure (bandwidth, CPU, and memory) well above your expected peak traffic. Attackers must generate and sustain a proportionally larger attack volume to overwhelm overprovisioned servers, which raises the cost and complexity of a successful attack.
  6. Apply geographic blocking where appropriate. If your user base is concentrated in specific regions, block or throttle traffic from countries where you have no legitimate users. It won't stop a globally distributed botnet, but it can meaningfully reduce attack volume in many scenarios.
  7. Monitor for NXDOMAIN spikes. Set up alerting on your DNS resolver for unusual rates of non-existent domain responses. A sudden spike in NXDOMAIN traffic is a reliable early indicator of a water torture or random subdomain attack. Catching it early gives you time to respond before your cache overflows.

The key thing is layering these defenses. Rate limiting and over-provisioning help absorb attacks. Anycast and scrubbing distribute and filter them. Monitoring ensures you're not responding blind. Relying on any one technique leaves gaps that attackers will find.
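Step 1 above (per-source rate limiting) and its stated limit against distributed botnets can be seen in a small simulation. This is an added example, not Gcore's code or any DNS server's implementation: it assumes a fixed-window cap per client IP, that queries over the cap are simply dropped, and constructed traffic with RFC 5737 documentation addresses.

```python
"""Per-source fixed-window query limiter, as in mitigation step 1.

Assumption: each query is a (timestamp_seconds, client_ip) pair and queries
beyond the per-IP cap inside one window are dropped rather than answered.
"""
from collections import defaultdict


class PerSourceLimiter:
    def __init__(self, max_queries, window_seconds):
        self.max_queries = max_queries
        self.window = window_seconds
        self._counts = defaultdict(int)
        self._window_start = {}

    def allow(self, ts, ip):
        """Return True if this query fits under the cap for its source."""
        start = self._window_start.get(ip)
        if start is None or ts - start >= self.window:   # start a fresh window
            self._window_start[ip] = ts
            self._counts[ip] = 0
        self._counts[ip] += 1
        return self._counts[ip] <= self.max_queries


def simulate(queries, limiter):
    """Return (accepted, dropped, dropped_by_ip) for a list of queries."""
    accepted = dropped = 0
    dropped_by_ip = defaultdict(int)
    for ts, ip in queries:
        if limiter.allow(ts, ip):
            accepted += 1
        else:
            dropped += 1
            dropped_by_ip[ip] += 1
    return accepted, dropped, dict(dropped_by_ip)


def build_traffic():
    """Constructed traffic: one legitimate client (2 queries), one noisy single
    source (50 queries in one second), then 40 distinct sources sending 2 each."""
    queries = [(0, "198.51.100.10")] * 2
    queries += [(0, "203.0.113.5")] * 50
    queries += [(1, f"203.0.113.{i}") for i in range(50, 90) for _ in range(2)]
    return queries


if __name__ == "__main__":
    accepted, dropped, per_ip = simulate(build_traffic(), PerSourceLimiter(10, 1))
    print(f"accepted={accepted} dropped={dropped} per_ip={per_ip}")
```

The single noisy source loses 40 of its 50 queries, while the 80 queries spread across 40 sources all pass, which is exactly why the article pairs rate limiting with anycast, scrubbing and behavioral detection.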

How can Gcore help protect against DNS flood attacks?

Gcore protects against DNS flood attacks through its DDoS protection service, which scrubs malicious query traffic before it reaches your authoritative DNS servers. The Gcore network spans 210+ PoPs globally, so attack traffic gets absorbed and filtered at the edge, close to the source, rather than being funneled toward your infrastructure.

When volumetric attack floods hit, behavioral detection identifies anomalous query patterns in real time, including NXDOMAIN spikes and randomized subdomain floods, and blocks them without touching legitimate traffic. You get protection that adapts to the attack as it evolves, not just a static ruleset that attackers can work around.

Frequently asked questions

What is the difference between a DNS flood attack and a DNS amplification attack?

A DNS flood attack is symmetrical: it overwhelms your DNS server with raw query volume to exhaust its CPU and memory. A DNS amplification attack works differently. It's asymmetrical, using spoofed requests to trick misconfigured third-party DNS servers into sending massive responses to a target, turning small queries into large-scale traffic floods.

How long does a DNS flood attack typically last?

DNS flood attacks vary widely in duration, from a few minutes to several days, depending on the attacker's resources and goals. Botnet-driven attacks using large IoT networks tend to last longer, since attackers can sustain high query volumes without significant cost.

Can a DNS flood attack be stopped completely?

No, a DNS flood attack can't be stopped completely. But the right combination of rate limiting, anycast DNS distribution, and cloud-based traffic filtering can reduce the impact enough that your services stay available even under heavy attack.

What is the difference between a DoS and a DDoS DNS flood attack?

A DoS attack comes from a single source. A DDoS DNS flood uses a botnet of thousands (sometimes millions) of compromised devices sending queries all at once, which makes it far harder to block. You can't just filter one IP address and call it done.

How does DNS flood protection work at the network level?

At the network level, DNS flood protection combines rate limiting, Anycast routing, and traffic filtering to absorb and distribute attack traffic before it reaches your authoritative name servers. Anycast spreads incoming queries across multiple nodes globally, so no single server bears the full load. That matters a lot during high-volume UDP floods targeting your DNS infrastructure.

Is DNS flood protection included in standard DDoS mitigation services?

Yes, DNS flood protection is included in most standard DDoS mitigation services. That's because DNS infrastructure is a primary attack target. Most providers cover all the major attack variants (query floods, NXDOMAIN attacks, and amplification attacks) across all three phases of an attack.

What industries are most commonly targeted by DNS flood attacks?

Any internet-dependent industry can be a target, but gaming, financial services, e-commerce, and DNS/hosting providers face the highest attack frequency. Their reliance on continuous uptime means even brief outages have direct revenue impact, making them attractive targets.
