Anti-DDoS Protection

Distributed Denial of Service (DDoS) attacks can slow down or interrupt domain name resolution. The Anti-DDoS Protection feature of Alibaba Cloud DNS safeguards your domain names and ensures your resolution service remains available.

Protection levels

Alibaba Cloud DNS offers two protection levels. You can choose one based on your business needs.

| Protection level | Mitigation capabilities | Scenarios |
| --- | --- | --- |
| DNS Anti-DDoS Basic | Protects all domain names in the instance against DNS attacks, with a mitigation capacity of up to 10 million QPS. | Suitable for services that face moderate-intensity DNS attacks. |
| DNS Anti-DDoS Advanced | Protects all domain names in the instance against DNS attacks, including large-scale attacks that exceed 100 million QPS. | Suitable for core services that require high business continuity, such as finance, gaming, and e-commerce, or services that are frequently targeted by large-scale attacks. |

Usage notes

This feature is available only for paid Alibaba Cloud DNS instances. If your domain name is on the free resolution plan, you must upgrade to a paid edition to enable this feature.

Enable Anti-DDoS Protection

  1. Go to Public Zone DNS Firewall.

  2. The Anti-DDoS Protection tab is selected by default. This tab displays a list of domain names managed by Public Zone.

    The domain name list includes the Domain name, Protection Status, Mitigation capabilities, and Actions columns. If the protection status is "Not enabled, security risk exists", click Enable Protection in the Actions column.

  3. Find the target domain name and click Enable Protection in the Actions column. In the panel that appears, select your specifications, fill out the form, and complete the purchase.

    • Scenario 1: The domain name uses the free edition of Public Zone

      You must upgrade the resolution service to a paid edition and then select a DNS protection level.

      1. In the edition selection panel, select a paid edition of Public Zone.

      2. In the DNS Security section, select DNS Anti-DDoS Basic or DNS Anti-DDoS Advanced.

      3. Confirm the order information and complete the purchase.

        On the purchase page, set Instance type to Authoritative Hosted Zone and Edition to Personal Edition. In the DNS Security section, select DNS Anti-DDoS Basic (mitigates up to 10 million QPS), and set the Number of domain names and the Subscription duration.

    • Scenario 2: The domain name already uses a paid edition of Public Zone

      You can directly purchase and add the DNS protection feature. Note: The subscription duration matches the remaining duration of your Public Zone instance, and the cost is prorated accordingly.

      1. In the DNS Security section of the edition selection panel, select DNS Anti-DDoS Basic or DNS Anti-DDoS Advanced.

      2. Confirm the order information and complete the purchase.

  4. Return to the Anti-DDoS Protection page. The domain name's Protection Status will now be Enabled.

Security dashboard

After enabling protection, you can monitor your domain name's security status and view attack data and history on the Security Dashboard page.

  1. Go to Alibaba Cloud DNS - Security Dashboard.

  2. Click Public Zone DNS Firewall and select the target domain name to view information such as its resolution status, the DNS Protection Statistics graph (supports querying data from the last 7 days), and the DNS Protection History.

    • Domain name resolution status: If your DNS is under attack, an alert is displayed here, and you will receive a notification by text message or email.

    • DNS Protection Statistics: If your DNS is under attack, this section shows a QPS trend graph of abnormal requests.

    • DNS Protection History: This log lists the Time (UTC+8), Protection Result, and Abnormal Query QPS for each attack event.

Billing

  • Anti-DDoS Protection is a value-added service that requires a separate purchase. For pricing details, see Product Billing.

  • If you add the protection feature to a domain name that is already associated with a paid Public Zone instance, the subscription duration of the protection feature matches the remaining duration of the instance. The cost is prorated to ensure that both services expire at the same time.

  • To see the pricing for the paid editions of Public Zone, refer to Product Billing.

Protection statuses

During a DNS query attack, the DNS protection status can be one of the following: Traffic Scrubbing Started, Traffic Scrubbing Ended, Blackhole Filtering Started, or Blackhole Filtering Ended.

  • Traffic Scrubbing Started: If the DNS security system detects that your domain name is under a sustained attack with a high volume of abnormal requests, it enables a traffic scrubbing policy. This policy drops DNS queries from abnormal sources.

  • Traffic Scrubbing Ended: If the DNS security system detects a decrease in abnormal requests for your domain name, it disables the traffic scrubbing policy.

  • Blackhole Filtering Started: If the DNS security system detects a sustained, high-volume attack with abnormal requests that exceeds the mitigation capacity of your current edition, it disables DNS resolution for that domain name.

  • Blackhole Filtering Ended: During blackhole filtering, if the DNS security system detects that the volume of abnormal requests for your domain name has fallen within the mitigation capacity, it automatically resumes resolution. The change takes effect after the TTL expires.
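The following added example (not Alibaba Cloud code) shows how rows copied from the DNS Protection History could be paired into scrubbing and blackhole windows to estimate how long resolution was unavailable. The row layout, the sample values, the 600-second TTL, and the names summarize and parse_time are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC8 = timezone(timedelta(hours=8))  # the history table reports Time in UTC+8
BASIC_CAPACITY_QPS = 10_000_000      # DNS Anti-DDoS Basic ceiling stated on this page

# Constructed sample rows: (Time, Protection Result, Abnormal Query QPS).
SAMPLE_HISTORY = [
    ("2024-05-01 10:00:00", "Traffic Scrubbing Started", 3_200_000),
    ("2024-05-01 10:12:00", "Blackhole Filtering Started", 14_500_000),
    ("2024-05-01 10:40:00", "Blackhole Filtering Ended", 6_100_000),
    ("2024-05-01 11:05:00", "Traffic Scrubbing Ended", 40_000),
    ("2024-05-02 02:30:00", "Traffic Scrubbing Started", 2_000_000),
]

def parse_time(text):
    """Parse a UTC+8 timestamp and return it as an aware UTC datetime."""
    local = datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC8)
    return local.astimezone(timezone.utc)

def summarize(history, ttl_seconds=600, capacity_qps=BASIC_CAPACITY_QPS):
    """Pair Started/Ended events into windows and report resolution outages."""
    open_at, windows, peak = {}, [], 0
    for time_text, result, qps in sorted(history, key=lambda r: parse_time(r[0])):
        when = parse_time(time_text)
        peak = max(peak, qps)
        kind, _, edge = result.rpartition(" ")   # e.g. "Blackhole Filtering", "Started"
        if edge == "Started":
            open_at.setdefault(kind, when)       # keep the first start, ignore repeats
        elif edge == "Ended" and kind in open_at:
            windows.append((kind, open_at.pop(kind), when))
    # Resumption takes effect only after the TTL expires, so count the
    # (assumed) TTL as worst-case extra downtime for each blackhole window.
    outage = sum(
        ((end - start).total_seconds() + ttl_seconds
         for kind, start, end in windows if kind == "Blackhole Filtering"), 0.0)
    return {
        "windows": windows,
        "still_active": sorted(open_at),         # Started with no matching Ended yet
        "peak_abnormal_qps": peak,
        "exceeded_capacity": peak > capacity_qps,
        "blackhole_outage_seconds": outage,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HISTORY).items():
        print(key, value)
```

A blackhole window in the output means the attack exceeded the capacity of the current edition, which is the signal to review whether DNS Anti-DDoS Advanced is needed for that domain name.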

FAQ

DNS Security FAQ