DNS is a core technology on the Internet and is used in important services, such as web and email. You must ensure the security of DNS to safeguard your applications on the Internet.
Alibaba Cloud DNS protects your domain names against distributed denial of service (DDoS) attacks.
DDoS attacks send a massive number of requests from a botnet to exhaust system resources of a network. As a result, the attacked network cannot process normal business requests. DDoS often takes place in the form of flood attacks. Attackers send a massive number of DNS queries to a network to occupy all bandwidth resources, so the network is not able to transmit normal DNS queries.
Alibaba Cloud DNS provides the following levels of protection against DDoS attacks:
Basic DNS attack defense: available for all domain names bound to a paid edition of Alibaba Cloud DNS. It protects your domain names against up to 10 million DDoS attack requests per second. You can select this level of protection to defend against regular DDoS attacks.
Advanced DNS attack defense: available for all domain names bound to a paid edition of Alibaba Cloud DNS. It protects your domain names against over 100 million DDoS attack requests per second. You can select this level of protection if your business frequently suffers from heavy DDoS attacks.
DNS protection is automatically enabled for your domain names. You do not need to manually configure it. Follow these steps to view the protection details:
1 . Log on to the Alibaba Cloud DNS console.
2 . On the Manage DNS page, click the Domains tab, and click a domain name.
3 . In the left-side navigation page of the DNS Settings page, click DNS Protection.
4 . On the DNS Protection page, view the information shown in the following figure.
When a DDoS attack occurs, Alibaba Cloud DNS starts to protect your domain names against the attack. The protection states include Start scrubbing, Stop scrubbing, Black hole enabled, and Black hole disabled.
Start scrubbing: If the DNS protection system detects that your domain names receive an abnormally large number of requests, it enables the scrubbing policy. This policy stops the DNS servers from responding to abnormal requests.
Stop scrubbing: If the DNS protection system detects that the abnormal requests are decreasing, it disables the scrubbing policy.
Black hole enabled: If the DNS protection system detects that your domain names continue to receive a large number of abnormal requests that exceed its defense capability, it enables the black hole. The black hole stops the DNS servers from responding to all requests that are sent to your domain names.
Black hole disabled: After the black hole is enabled, if the DNS protection system detects that the number of abnormal requests decrease to a range within its defense capability, it disables the black hole. This allows the DNS servers to respond to domain name requests again. However, the DNS servers start to resolve the domain names only after the TTL expires.