Cloud WAF DNS DDoS Protection Feature
A Distributed Denial of Service (DDoS) attack is an attempt to make a machine or
network resource unavailable to its intended users, carried out from many sources
(people or bots) at once. A common method of carrying out a DDoS attack is to flood the
target site with so many extraneous requests that it cannot handle requests from
legitimate users.
A Domain Name System (DNS) server is an internet server responsible for translating
logical domain names (for example, www.domain.com) into IP addresses (for example,
188.8.131.52), thus allowing internet users to communicate with the domain. DDoS attacks
can target DNS servers as well as HTTP servers. Causing a site's DNS server to be
unresponsive blocks all access to the site, because clients can no longer find its addresses.
The Cloud WAF (formerly Incapsula) DNS DDoS Protection feature protects its customers' DNS
servers from DDoS attacks by limiting the number of DNS resolution requests that can reach
the DNS server, and by filtering requests according to the customer's definition of valid requests.
The following diagram illustrates how the Cloud WAF DNS DDoS Protection feature
When the Cloud WAF DNS DDoS Protection feature is enabled, Cloud WAF becomes the authoritative name server for your domain, instead of the original DNS server. Your zone file continues to reside on the original DNS server, which is now the origin DNS server. DNS resolution requests are directed to Cloud WAF. Cloud WAF maintains a cache of DNS records, so that most replies are served from the cache and never reach the origin DNS server. Requests that cannot be resolved from the cache are forwarded to the origin DNS server after being filtered according to the domain's security settings. DDoS traffic is therefore stopped at the Cloud WAF layer, and the customer's DNS server is protected.
When Cloud WAF is defined as the customer's authoritative name server, the workflow above remains the same regardless of whether the customer's DNS server is internal or belongs to a 3rd-party provider.
Not all 3rd-party DNS services allow you to continue editing your zone file when they are not configured as the authoritative name server. If you wish to keep a 3rd-party authoritative name server, consult the Cloud WAF support team first.
The following sections describe how to enable Cloud WAF DNS DDoS Protection for your domain, and how to configure the related settings.
Adding DNS Zones to Cloud WAF
To enable Cloud WAF DNS DDoS Protection for your DNS:
1. In the Cloud WAF administration console (also known as MY), click DNS Zones.
2. Click the button for adding a zone. The Add DNS Zone dialog is displayed.
3. In the Domain field, type the name of your domain and click the button to continue. The Change your DNS records page is displayed.
4. Copy the unique key displayed on this page into a TXT record in your zone file.
This record allows Cloud WAF to verify that you control the zone, so add it before continuing.
5. Click the button to continue. The Change your DNS Records page is displayed.
6. At your domain registrar, replace the domain's name servers with the list displayed on this page.
7. Click the button to finish.
Configuring DNS Zone Settings
After adding your DNS zone, you can view and configure the DNS DDoS Protection settings by clicking on your zone name in the Name column in the DNS Zones page.
NOTE: After making any change to DNS Zone settings, click the save button to keep your changes.
Origin NS Records
To view the Origin NS Records page, click Origin NS Records in the menu on the left. Initially, this page shows the name server records that were retrieved from your zone file. You can edit this list at any time.
To edit an NS record:
Click the button to the right of the record. The Edit NS Record dialog is displayed.
Type the IP address or NS name for your origin DNS server.
To delete an NS record:
Click to the right of the record.
To add a new NS record:
Click . The Add New NS Record dialog is displayed.
Type the IP address or NS name for your origin DNS server.
To view the General page, click General in the menu on the left. The General page shows both the Original NS Settings, i.e. the original NS records as they appeared in your zone file, and the DNS Settings for Cloud WAF, i.e. the new records that map your domain's names to Cloud WAF servers. This view is informational only and its contents cannot be edited.
To view the Security page, click Security in the menu on the left. The Security page allows you to view and edit the settings that determine how Cloud WAF protects your DNS server.
The Domain Settings section contains parameters related to the rate of processed DNS resolution requests. These are the available settings:
Maximum incoming query rate (on Incoming Traffic) - the number of DNS queries per second arriving at Cloud WAF that is considered a DDoS attack. When this rate is reached or exceeded, a DDoS alert is triggered and Cloud WAF enforces the two outgoing rate limits described below. Below this rate, queries that miss the cache are forwarded normally.
Rate limit on outgoing queries - total - the total number of DNS queries per second that Cloud WAF passes on to the customer's DNS server while a DDoS attack is identified.
Rate limit on outgoing queries - non-safe - the number of non-safe DNS queries per second that Cloud WAF passes on to the customer's DNS server while a DDoS attack is identified. This limit counts against the total limit; it is not additional to it.
Safe queries are queries that the customer has defined as valid (see below). All other queries are non-safe.
The Safe Queries section lists the query names that the customer has defined as valid. During an attack, only these queries are passed on to the customer's DNS server without competing for the non-safe rate limit. This counters the random-subdomain form of DDoS attack, in which the attacker generates many distinct, random names under the target domain that do not exist. Because each queried name has never been seen before, such queries cannot be answered from the DNS cache and would otherwise all reach the origin DNS server. Make sure the list covers every name that legitimate clients actually query; a legitimate name that is missing from the list is treated as non-safe and may be rate-limited during an attack.
To edit a Safe Query:
Click the button to the right of the query. The Edit Query dialog is displayed.
Type the query name. For example: subdomain1.mydomain.com
To delete a Safe Query:
Click to the right of the query.
To add a new Safe Query:
Click . The Add Query dialog is displayed.
Type the query name. For example: subdomain1.mydomain.com
To view the Caching page, click Caching in the menu on the left. Cloud WAF manages a cache of DNS records. Each DNS record has a TTL (Time To Live) value that is retrieved from the origin DNS server. When the TTL period expires, the DNS record is retrieved again from the origin DNS server on the next query, and the TTL timer is reset. Until then, clients keep receiving the cached answer, so after changing your site's servers, addresses or zones you may want to purge the cache immediately rather than wait for the TTL to expire. You can purge all DNS records, or purge specific DNS records. Note that every purged record is fetched again from the origin DNS server on its next query, so purging all records sends a burst of queries to the origin; purge a specific record when only that record has changed.
To purge all DNS records:
1. Click the purge-all button. The purge confirmation dialog is displayed.
2. Click to confirm. A message confirming the purge is displayed.
To purge a specific DNS record:
1. Click the purge-specific-resource button. The Purge Specific Resource dialog is displayed.
2. In the DNS Record Type dropdown, choose the record type you want to purge.
3. In the DNS Record Name field, type the name of the record you want to purge.
4. Click to confirm.
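The following Python model is added here as an illustration of the behavior described in the Security and Caching sections above; it is not Cloud WAF's own code. It ties together the cache with TTL expiry and purge, the Maximum incoming query rate alert, the two outgoing rate limits and the Safe Queries list in one request path. The one-second rate window, the origin callback, the sample zone (203.0.113.x addresses) and the record names are assumptions made for the demo.

```python
"""Toy model of a caching, rate-limiting DNS front end (illustrative example, not Cloud WAF's implementation)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Key = Tuple[str, str]                       # (record type, lower-cased owner name)


def normalize(qtype: str, qname: str) -> Key:
    """DNS names are case-insensitive and may carry a trailing dot; cache on a canonical form."""
    return (qtype.upper(), qname.lower().rstrip("."))


@dataclass
class Settings:
    max_incoming_qps: int = 100             # "Maximum incoming query rate": at or above this, a DDoS alert is on
    out_total_qps: int = 20                 # "Rate limit on outgoing queries - total" (enforced during an alert)
    out_nonsafe_qps: int = 5                # "Rate limit on outgoing queries - non-safe" (enforced during an alert)
    safe_queries: frozenset = frozenset()   # owner names the customer declared valid ("Safe Queries")


@dataclass
class Cached:
    rdata: str
    expires_at: float                       # absolute time, derived from the TTL the origin returned


class DnsFrontEnd:
    def __init__(self, settings: Settings,
                 origin: Callable[[str, str], Optional[Tuple[str, int]]]):
        self.s = settings
        self.origin = origin                # origin(qtype, qname) -> (rdata, ttl) or None for NXDOMAIN
        self.cache: Dict[Key, Cached] = {}
        self.incoming = defaultdict(int)    # queries received per 1-second window (assumed window size)
        self.out_total = defaultdict(int)   # queries forwarded to the origin per window
        self.out_nonsafe = defaultdict(int) # non-safe queries forwarded per window

    def resolve(self, qtype: str, qname: str, now: float) -> Tuple[str, Optional[str]]:
        """Return (outcome, rdata); outcome is one of cache, origin, nxdomain, dropped."""
        win = int(now)
        self.incoming[win] += 1
        key = normalize(qtype, qname)

        # 1. Cached answers are served without touching the origin, even mid-attack.
        hit = self.cache.get(key)
        if hit is not None and hit.expires_at > now:
            return ("cache", hit.rdata)
        if hit is not None:
            del self.cache[key]             # TTL expired: refresh from the origin below

        # 2. While the incoming rate is at or above the alert threshold, enforce both outgoing limits.
        safe = key[1] in self.s.safe_queries
        if self.incoming[win] >= self.s.max_incoming_qps:
            if self.out_total[win] >= self.s.out_total_qps:
                return ("dropped", None)
            if not safe and self.out_nonsafe[win] >= self.s.out_nonsafe_qps:
                return ("dropped", None)

        # 3. Forward to the origin and cache whatever it returns for its TTL.
        self.out_total[win] += 1
        if not safe:
            self.out_nonsafe[win] += 1
        answer = self.origin(*key)
        if answer is None:
            return ("nxdomain", None)       # random-subdomain floods end up here (nothing to cache)
        rdata, ttl = answer
        self.cache[key] = Cached(rdata, now + ttl)
        return ("origin", rdata)

    def purge_all(self) -> None:
        self.cache.clear()

    def purge(self, qtype: str, qname: str) -> bool:
        """Purge one record by type and name; returns False if it was not cached."""
        return self.cache.pop(normalize(qtype, qname), None) is not None


# Constructed sample zone standing in for the customer's origin DNS server (assumed data).
ZONE = {("A", "www.example.com"): ("203.0.113.10", 300),
        ("A", "api.example.com"): ("203.0.113.11", 60)}


def origin_server(qtype: str, qname: str) -> Optional[Tuple[str, int]]:
    return ZONE.get((qtype, qname))


def simulate() -> dict:
    """One second of a random-subdomain flood mixed with legitimate queries."""
    s = Settings(max_incoming_qps=100, out_total_qps=200, out_nonsafe_qps=5,
                 safe_queries=frozenset({"www.example.com", "api.example.com"}))
    fe = DnsFrontEnd(s, origin_server)
    fe.resolve("A", "www.example.com", 0.0)          # earlier, quiet window: warms the cache
    outcomes = defaultdict(int)
    for i in range(500):                              # all 500 queries land in window t=1
        now = 1.0 + i / 1000
        if i % 10 == 0:
            qname = "WWW.example.com."               # legitimate and cached (case/dot normalized away)
        elif i == 255:
            qname = "api.example.com"                # legitimate, on the safe list, not yet cached
        else:
            qname = f"x{i}.example.com"              # attacker's random, never-before-seen name
        outcomes[fe.resolve("A", qname, now)[0]] += 1
    return {"outcomes": dict(outcomes),
            "forwarded_to_origin": fe.out_total[1],
            "alert_triggered": fe.incoming[1] >= s.max_incoming_qps}
```

In the simulated second, the first 99 queries arrive below the alert threshold, so every random name that misses the cache is forwarded and answered NXDOMAIN by the origin. Once the 100th query trips the alert, the non-safe limit (already exhausted) drops the remaining random names, cached answers for www.example.com keep being served, and the one uncached safe query for api.example.com still reaches the origin because safe queries are exempt from the non-safe limit. This is why the safe list must contain every name legitimate clients query, and why the alert threshold determines how much attack traffic reaches the origin before the limits take hold.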