The Domain Name System translates domain names into computer-readable IP addresses.


Learning Objectives

After reading this article you will be able to:

  • Define DNS
  • Understand how a DNS request works
  • Understand how DDoS attackers target DNS vulnerabilities

What is DNS?

DNS is often referred to as the phonebook of the internet. When a user types a web address into their browser, DNS is what connects that user with the website they are seeking. DNS stands for Domain Name System, and the DNS maintains a directory of every website on the internet.

A computer can only find a website using its IP address, which is a long, punctuated string of numbers, such as in the older IPv4 format, or 2400:cb00:2048:1::c629:d7a2 in the new IPv6 format. These addresses can be hard for humans to remember, and on top of that, the IP addresses for some websites are dynamic and can change periodically. DNS makes it easier for people to access websites by letting them use human-friendly web addresses, also known as URLs.

For example, a current IPv6 address for Cloudflare.com is 2400:cb00:2048:1::c629:d7a2. Instead of memorizing that address, a user can type ‘www.cloudflare.com’ into their browser. When that happens, the browser sends a request to DNS, and DNS returns a response telling the browser the IP address of that website. The browser then sends a request to that IP address, which responds with the website’s data.

How does a DNS request work?

DNS servers are set up in a distributed hierarchy, meaning the data is spread out over several computers. When a client makes a DNS request, the request is handled by a recursive resolver, which is a DNS server that starts a series of communications with other DNS servers until it finds the requested IP address, returning it to the client. Recursive resolvers can also cache DNS records, making frequently accessed records more readily available.

DNS and DDoS Attacks

There are two popular DDoS attacks that utilize DNS servers: DNS amplification attacks and DNS flood attacks.

  • DNS amplification attacks are reflection-based DDoS attacks where the attacker sends spoofed look-up requests to an open DNS server, and the server then sends the responses back to a targeted victim. The attack is amplified because the request data sent by the attacker is smaller than the response data received by the victim.
  • In a DNS flood attack, the attackers try to overwhelm the DNS servers for a particular zone in order to disrupt legitimate traffic to that zone. This type of attack is generally done by using a botnet to overwhelm a DNS resolver with lookup requests.
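
A defender-side view of both attacks, as an added example that is not part of the original article: it scans DNS server log records for the two patterns described above. The log layout, function names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed resolver log records (not real traffic), one tuple per lookup:
# (apparent source IP, query name, request bytes, response bytes)
SAMPLE_LOG = (
    [("198.51.100.7", "example.org.", 64, 3100)] * 40
    + [("192.0.2.10", "www.example.com.", 60, 76)] * 5
    + [("192.0.2.11", "mail.example.com.", 62, 110)] * 3
    + [("192.0.2.%d" % i, "x%d.shop.example." % i, 66, 120) for i in range(20, 50)]
)

def amplification_suspects(records, min_queries=20, min_ratio=10.0):
    """Apparent sources whose responses are far larger than their requests.

    With spoofed lookups the address the server logs is the victim's, so a
    flagged address is the likely target of the reflection, not the sender.
    Thresholds are illustrative assumptions, not recommended values.
    """
    stats = defaultdict(lambda: [0, 0, 0])  # lookups, request bytes, response bytes
    for src, _qname, req, resp in records:
        entry = stats[src]
        entry[0] += 1
        entry[1] += req
        entry[2] += resp
    return {
        src: round(resp / req, 1)
        for src, (count, req, resp) in stats.items()
        if count >= min_queries and resp / req >= min_ratio
    }

def flood_suspects(records, zone_labels=2, min_queries=25, min_sources=10):
    """Zones receiving many lookups from many distinct sources (botnet-like)."""
    counts, sources = defaultdict(int), defaultdict(set)
    for src, qname, _req, _resp in records:
        # Approximate the zone as the last `zone_labels` labels of the name.
        zone = ".".join(qname.rstrip(".").split(".")[-zone_labels:])
        counts[zone] += 1
        sources[zone].add(src)
    return {
        zone: (counts[zone], len(sources[zone]))
        for zone in counts
        if counts[zone] >= min_queries and len(sources[zone]) >= min_sources
    }

if __name__ == "__main__":
    print("likely reflection targets:", amplification_suspects(SAMPLE_LOG))
    print("zones under lookup flood:", flood_suspects(SAMPLE_LOG))
```

The ratio in the first result is the amplification factor seen from the server: total response bytes divided by total request bytes for one apparent source.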

What else does the Domain Name System do?

The DNS also defines the DNS Protocol, which is a detailed specification of communication exchanges and data structures used in the DNS. This protocol falls under the Internet Protocol Suite (TCP/IP). Additionally, the DNS maintains a master Blackhole List of IP addresses known for sending out spam email. Mail servers can be configured based on this list to flag or reject messages suspected to be spam.