
Alibaba Cloud DNS: DNS protection

Last Updated: Nov 28, 2023

Overview

Domain Name System (DNS) is a core technology on the Internet and is important for accessing many network services, such as websites and emails. You must ensure the security of DNS to safeguard your applications on the Internet.

Alibaba Cloud DNS protects your domain names against DDoS attacks. In a DDoS attack, a botnet sends a massive number of requests to exhaust the system resources of the target network so that it cannot process normal user requests. Flood attacks are a major form of DDoS attack: a massive number of DNS requests are sent to the network to occupy all bandwidth resources. As a result, normal DNS requests cannot be forwarded.

Alibaba Cloud DNS provides the following levels of protection against DDoS attacks:

  • Basic DNS attack defense: available for all domain names bound to a paid instance of Alibaba Cloud DNS. It protects your domain names against up to 10 million DDoS attacks per second. You can select this level of protection to defend against regular DDoS attacks.

  • Advanced DNS attack defense: available for all domain names bound to a paid instance of Alibaba Cloud DNS. It protects your domain names against over 100 million DDoS attacks per second. You can select this level of protection if your services frequently suffer from serious DDoS attacks.

Procedure

After you enable the DNS protection feature, you do not need to manually configure it. Perform the following steps to view the DNS protection details:

  1. Log on to the Alibaba Cloud DNS console.

  2. On the Authoritative Domain Names tab of the Domain Name Resolution page, click the desired domain name. The DNS Settings page appears.

  3. On the DNS Settings page, click the DNS Protection tab.

  4. On the DNS Protection page, you can view the DNS resolution status, DNS protection statistical chart, and DNS protection history. On the DNS protection statistical chart, you can retrieve data within the last seven days.

     • DNS resolution status: If DNS servers are under attack, alerts are displayed in this section, and you are notified by Short Message Service (SMS) messages or emails.

     • DNS protection statistical chart: If DNS servers are under attack, this section displays the trend chart of the abnormal requests per second.

     • DNS protection history: You can view historical logs that contain data such as the protection time, protection result, and abnormal requests per second.

Protection status

When a DDoS attack occurs, Alibaba Cloud DNS starts to protect your domain names against the attack. The protection states include Start scrubbing, Stop scrubbing, Black hole enabled, and Black hole disabled.

  • Start scrubbing: If the DNS protection feature detects that a massive number of abnormal DNS requests for your domain names are sent to DNS servers, it enables the scrubbing policy. This policy stops the DNS servers from responding to abnormal requests.

  • Stop scrubbing: If the DNS protection feature detects that the abnormal requests are decreasing, it disables the scrubbing policy.

  • Black hole enabled: If the DNS protection feature detects that a massive number of abnormal DNS requests for your domain names are continuously sent to DNS servers and that the volume exceeds the defense capability of the feature, the feature enables the blackhole filtering policy. The blackhole filtering policy stops the DNS servers from responding to all requests for the domain names.

  • Black hole disabled: After the blackhole filtering policy is enabled, if the DNS protection feature detects that the number of abnormal requests decreases to a range within its defense capability, it disables the blackhole filtering policy. This allows the DNS servers to respond to DNS requests again. However, the DNS servers start to resolve the domain names only after the time-to-live (TTL) expires.
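The four protection states come in enable/disable pairs, so a protection history can be reduced to scrubbing windows and blackhole windows, the latter being periods with no resolution at all for the domain. The following Python sketch is an added example, not Alibaba Cloud code: the record layout (time, result, abnormal requests per second) and all sample values are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample records: (protection time, protection result, abnormal requests/s).
# The tuple layout is an assumption; the console's export format is not given on this page.
HISTORY = [
    ("2023-11-20 10:00:00", "Start scrubbing", 1200000),
    ("2023-11-20 10:12:00", "Black hole enabled", 150000000),
    ("2023-11-20 10:40:00", "Black hole disabled", 8000000),
    ("2023-11-20 11:05:00", "Stop scrubbing", 20000),
    ("2023-11-21 02:30:00", "Start scrubbing", 900000),
]

OPEN = {"Start scrubbing": "scrubbing", "Black hole enabled": "blackhole"}
CLOSE = {"Stop scrubbing": "scrubbing", "Black hole disabled": "blackhole"}

def protection_windows(history, now):
    """Pair each enabling event with its disabling event, per policy.

    Returns {policy: [(start, end, peak_rps, still_active), ...]}.
    A policy that was never disabled is closed at `now` and flagged as active.
    """
    fmt = "%Y-%m-%d %H:%M:%S"
    windows = {"scrubbing": [], "blackhole": []}
    active = {}  # policy -> [start time, peak abnormal requests/s seen so far]
    for ts, result, rps in sorted(history):
        t = datetime.strptime(ts, fmt)
        for entry in active.values():
            entry[1] = max(entry[1], rps)  # track the peak inside every open window
        if result in OPEN and OPEN[result] not in active:
            active[OPEN[result]] = [t, rps]
        elif result in CLOSE and CLOSE[result] in active:
            start, peak = active.pop(CLOSE[result])
            windows[CLOSE[result]].append((start, t, peak, False))
    for policy, (start, peak) in active.items():
        windows[policy].append((start, now, peak, True))
    return windows

def blackhole_downtime(history, now):
    """Total time during which the DNS servers answered no requests for the domain."""
    spans = protection_windows(history, now)["blackhole"]
    return sum((end - start for start, end, _, _ in spans), timedelta())
```

Because resolution resumes only after the TTL expires, treat the blackhole total as a lower bound on the disruption that clients experienced.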