DNS Security & Hardening — BIND, DNSdist & Volumetric DDoS Resilience

Protect DNS infrastructure from floods and amplification with WanGuard detection and BGP FlowSpec filtering.

ITORO hardens and defends authoritative and recursive DNS with a layered approach: NIST-hardened BIND resolvers, a DNSdist security front-end, and WanGuard volumetric mitigation. DNS DDoS attacks span two very different layers — volumetric and application — and each needs the right tool. We are explicit about what filters where, instead of promising a single box that stops everything.

Three layers of DNS DDoS resilience

  • Volumetric (L3/L4) — amplification and reflection floods on UDP/53 are dropped by WanGuard with BGP FlowSpec and RTBH, before they saturate your uplinks.
  • Application-layer (L7) — NXDOMAIN, random-subdomain (water-torture) and query floods look like valid DNS, so BGP FlowSpec cannot match them. These are stopped in DNSdist with per-client response rate limiting and dynamic blocking.
  • Resolver hardening — the DNS server itself is locked down to NIST SP 800-81r3 so it stays fast and correct under load.

BIND hardening (NIST SP 800-81r3)

We deploy or review your BIND9 resolvers against current best practice:

  • DNSSEC validation to reject spoofed and tampered answers.
  • Scoped ACLsallow-recursion and trusted-network lists limited to your own prefixes, closing open-resolver abuse.
  • EDNS buffer 1232 (DNS Flag Day 2020) to remove the IP-fragmentation attack surface.
  • QNAME minimisation and DNS cookies against off-path spoofing and privacy leakage.
  • Version hiding and least-privilege service configuration.
  • Structured logging with 90-day to 12-month retention for DFIR and NIS2 evidence.
  • Hidden-primary / upstream-only architecture so the recursion tier is never directly exposed.

DNSdist security front-end

In front of BIND we run DNSdist as the customer-facing policy layer — the tier that actually stops application-layer DNS floods:

  • Per-client and per-network rate limiting to absorb NXDOMAIN and water-torture query floods.
  • Dynamic blocking that reacts to abusive sources in real time.
  • DNS firewall — protective blocking of known-malicious C2 and malware domains from live threat feeds (URLhaus, ThreatFox, CERT.pl and more), hot-reloaded every few minutes.
  • Response caching and backend load-balancing across your BIND resolvers for resilience under attack.
  • Encrypted DNS — DoT (853), DoH (443) and DoQ, terminated on DNSdist with automated Let’s Encrypt certificates.

NIS2 alignment

DNS is named critical infrastructure under NIS2. Our hardening maps to Article 21(2) technical measures: access control, logging and retention, protective DNS, encryption and monitoring. We can supply a country-specific compliance checklist and wire alerting into your incident-reporting flow to the national CSIRT (for example CSIRT NASK in Poland). See our support and NIS2 options.

Honest scope — what each layer can and cannot do

  • BGP FlowSpec only expresses L3/L4 match criteria — it cannot inspect DNS query names, so it does not stop L7 DNS floods. That is DNSdist’s job.
  • Response rate limiting protects your resolver, but the flood still arrives on the wire — terabit-scale volumetric events are escalated upstream to a scrubbing center.
  • We deploy the layer that fits your traffic and budget; we do not sell a single appliance as a cure-all.

Frequently asked questions

Can WanGuard alone protect DNS from DDoS?

No. WanGuard and BGP FlowSpec handle the volumetric part — amplification and reflection floods on UDP/53. Application-layer DNS floods (NXDOMAIN, water-torture) need DNSdist response rate limiting at Layer 7. We deploy both so the layers cover each other.

What is a DNS water-torture (random-subdomain) attack?

A flood of queries for random, non-existent sub-domains of a real zone. Each looks like a valid request, so packet-level filters pass them; together they exhaust the resolver’s cache and CPU. DNSdist rate limiting and dynamic blocking mitigate them.

Do you support DNSSEC and encrypted DNS?

Yes — DNSSEC validation on BIND, and DoT, DoH and DoQ on DNSdist with automated certificate renewal.

Is this NIS2-compliant?

It aligns with NIS2 Article 21(2): access control, logging and retention, protective DNS, encryption and monitoring, plus incident reporting to your national CSIRT. We provide the checklist and the evidence trail.

Do you replace our DNS or harden what we run?

Either. We harden your existing BIND and DNSdist, or deploy a fresh hardened stack sized to your subscriber base — as a one-off project or with ongoing managed support.

Is Your Business Safe from DDoS?

DDoS attacks can strike at any time. Don't wait—be proactive in your defense.

See Plans & Pricing