Name Server Protection – Introduction

Incapsula’s Name Server Protection allows organizations to protect DNS servers from DDoS attacks. With Name Server Protection enabled, all DNS queries are first processed by Incapsula to filter out DDoS attacks before being forwarded to the origin name server.

Name Server Protection also provides DNS acceleration and load reduction benefits by acting as a private network for DNS proxy caching deployed in the Incapsula CDN network.

Benefits

  • Protection from Layer 3 and 4 attacks targeting DNS servers
  • Protection for DNS specific attacks such as NX domain and DNS amplification
  • A global network of DNS caching proxies that accelerates DNS responses

How Does Name Server Protection Work?

Incapsula’s Name Server Protection is based on a network of secure DNS proxies deployed on our globally distributed CDN. Each protected DNS zone receives a unique set of alternative name server hostnames. Once the DNS zone is updated with the Incapsula hostnames, any DNS query related to that zone will be directed to the Incapsula network.

DDoS Mitigation

Name servers using Web Protection are protected from any DDoS attack, both network (Layer 3 and 4) and application (Layer 7) attacks. Incapsula’s secure DNS proxy terminates TCP and UDP connections, acting as a buffer between the Internet and the origin name server and filtering out any kind of DDoS attack, such as SYN floods and UDP floods. Only legitimate DNS queries are forwarded to the origin server. Layer 7 DDoS attacks are mitigated by a dedicated engine that can distinguish between legitimate DNS queries and DDoS attempts. This engine leverages proprietary algorithms that can flag and drop malicious queries.

DNS Caching

Incapsula’s DNS proxies are distributed worldwide in every data center and provide caching, acceleration and load reduction benefits for Name Server Protection customers. Every DNS query that is served by Incapsula is also cached according to the set Time to Live (TTL) . Any subsequent query within the TTL range will be resolved directly by Incapsula without being forwarded to the origin server.

This improved DNS resolution performance reduces the load on the servers and mitigates simple DDoS attacks by taking the load off the origin server.

Read More