This topic answers frequently asked questions about DNS security.
General questions
Q: What is DNS security in the paid editions of Alibaba Cloud DNS?
A: DNS security provides attack prevention for domain names that are attached to a paid edition of Alibaba Cloud DNS. This feature primarily protects against DNS query flood attacks. In a DNS query flood attack, an attacker sends many domain name resolution requests to the DNS server of the targeted domain name. This attack creates a high query load on the DNS server. If the number of domain name resolution requests per second exceeds a certain threshold, the DNS server may time out or even crash. As a result, clients cannot resolve the IP address of the domain name, which makes the website or service inaccessible.
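The per-second threshold described above can be checked against query logs from a DNS server you operate. The following is an added example, not Alibaba Cloud code: the log format, the function names, the sample records and the toy threshold of 3 are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample log; assumed format: "<epoch_second> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
1700000000 198.51.100.7 www.example.com. A
1700000000 198.51.100.8 WWW.Example.com A
1700000001 203.0.113.5 a1.example.com. A
1700000001 203.0.113.6 a2.example.com. A
1700000001 203.0.113.7 a3.example.com. A
1700000001 203.0.113.8 a4.example.com. AAAA
1700000001 203.0.113.9 notexample.com. A
garbled line
1700000002 198.51.100.7 www.example.com. A
""".splitlines()


def in_zone(qname, zone):
    """True if qname is the zone apex or a name below it (case-insensitive)."""
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    # Require a label boundary so "notexample.com" does not match "example.com".
    return q == z or q.endswith("." + z)


def qps_by_second(lines, zone):
    """Return per-second query counts and per-second client sets for one zone."""
    counts, sources = Counter(), defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed records instead of aborting the run
        second, client, qname, _qtype = parts
        if in_zone(qname, zone):
            counts[int(second)] += 1
            sources[int(second)].add(client)
    return counts, sources


def flood_seconds(lines, zone, threshold_qps):
    """List (second, qps, distinct_sources) for each second above the threshold."""
    counts, sources = qps_by_second(lines, zone)
    return [(s, n, len(sources[s])) for s, n in sorted(counts.items())
            if n > threshold_qps]


if __name__ == "__main__":
    # The threshold of 3 is a toy value sized for the constructed sample above.
    for second, qps, srcs in flood_seconds(SAMPLE_LOG, "example.com", 3):
        print(f"{second}: {qps} qps from {srcs} sources exceeds threshold")
```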
Q: Does the Free Edition of Alibaba Cloud DNS provide attack prevention?
A: No. DNS attack prevention is not available in the Free Edition.
Q: Does Alibaba Cloud DNS support DNSSEC?
A: Yes, it does. Domain Name System Security Extensions (DNSSEC) is a mechanism specified by the Internet Engineering Task Force (IETF) for DNS validation. DNSSEC uses digital signatures based on public-key cryptography to strengthen DNS validation and add a layer of security protection to the DNS infrastructure. This feature helps ensure that visitors are correctly directed to your web server and protects against DNS hijacking and cache poisoning.
Q: Does DNS security protect against DNS flood attacks?
A: Yes, it does. To use the DNS security feature, you must have purchased the DNS Security service for the paid instance to which your domain name is attached. You can add this service when you purchase the instance. During a DNS flood attack, different protection levels offer varying degrees of protection:
Basic DNS Attack Defense: Provides basic DNS attack protection for all domain names attached to a paid instance. The protection threshold is 10 million queries per second (QPS). This level is suitable for general DNS attack prevention.
Full DNS Attack Defense: Provides comprehensive DNS attack protection for all domain names attached to a paid instance. This level can withstand over 100 million DNS QPS and is suitable for scenarios with frequent and critical DNS attacks.
For more information, see the DNS security document.
Q: What are the protection scope and service capabilities of DNS security?
A: DNS security provides two protection levels: Basic DNS Attack Defense and Full DNS Attack Defense. The Basic DNS Attack Defense level has a protection threshold of 10 million QPS. The Full DNS Attack Defense level can withstand over 100 million QPS.
Q: Is the DNS security service billed based on the validity period of the paid edition?
A: Yes. The service covers attacks that occur during the validity period of your paid Alibaba Cloud DNS instance.
Q: If I purchase the DNS security service, where can I view the attack protection data?
A: You can view DNS protection data in the Alibaba Cloud DNS console. For more information, see the DNS security document.
Q: What should I do if a DNS attack exceeds the threshold of the Full DNS Attack Defense level?
A: In this situation, contact us by submitting a ticket.