Cloudflare Advanced DNS Protection
Cloudflare Advanced DNS Protection (beta), powered by flowtrackd, provides stateful protection against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as random prefix attacks.
How it works
Cloudflare’s Advanced DNS Protection works by first learning your traffic patterns and forming a baseline of the type of DNS queries you normally receive. Once that baseline exists, the system distinguishes between legitimate and malicious queries, protecting your DNS infrastructure without impacting legitimate traffic.
The Network Analytics dashboard will display high-level data about Advanced DNS Protection in the All Traffic tab.
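The learn-then-classify behaviour described above, as an added illustrative sketch rather than flowtrackd's implementation or any Cloudflare code: it builds a per-zone baseline of how many never-seen query names appear per time window, then, in a window where a zone is far above that baseline, drops only the never-seen names, so the stable names that legitimate clients keep asking for still resolve during a random prefix attack. The log format, the window size, the thresholds and the sample traffic are all constructed assumptions for this example.

```python
"""Added example (not Cloudflare/flowtrackd code): baseline-then-detect sketch
for random prefix DNS attacks. Everything below is an assumption for illustration."""
import hashlib
import statistics
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_S = 10      # aggregation window in seconds (assumed)
MIN_NOVEL = 20     # floor: fewer never-seen names than this per window is never an attack (assumed)
K_SIGMA = 3.0      # alert when never-seen names exceed learned mean + K_SIGMA * stdev (assumed)


def zone_of(qname):
    """Zone key: the last two labels (sufficient for the constructed sample)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def parse_line(line):
    """Constructed log format '<ISO-8601 ts> <client-ip> <qname> <qtype>' ->
    (window, zone, qname, qtype)."""
    ts, _client, qname, qtype = line.split()
    epoch = int(datetime.fromisoformat(ts).timestamp())
    qname = qname.lower().rstrip(".")
    return epoch // WINDOW_S, zone_of(qname), qname, qtype


def learn_baseline(lines):
    """Phase 1: per zone, remember every name seen and how many names were new
    in each window. Returns {zone: (known_names, mean_novel, stdev_novel)}."""
    known = defaultdict(set)
    novel = defaultdict(lambda: defaultdict(int))
    for line in lines:
        window, zone, qname, _ = parse_line(line)
        novel[zone][window] += 0          # quiet windows must count as zero, not be skipped
        if qname not in known[zone]:
            known[zone].add(qname)
            novel[zone][window] += 1
    baseline = {}
    for zone, per_window in novel.items():
        counts = list(per_window.values())
        mean = statistics.fmean(counts)
        stdev = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        baseline[zone] = (known[zone], mean, stdev)
    return baseline


def classify(lines, baseline):
    """Phase 2: a (zone, window) whose number of never-seen names exceeds the
    learned threshold is under attack; inside it only never-seen names are
    dropped, baseline names still resolve. Returns (attack_windows, verdicts)."""
    parsed = [parse_line(line) for line in lines]
    novel = defaultdict(set)
    for window, zone, qname, _ in parsed:
        if zone in baseline and qname not in baseline[zone][0]:
            novel[(zone, window)].add(qname)
    attack = set()
    for (zone, window), names in novel.items():
        _, mean, stdev = baseline[zone]
        if len(names) > max(mean + K_SIGMA * stdev, MIN_NOVEL):
            attack.add((zone, window))
    verdicts = []
    for window, zone, qname, _ in parsed:
        known = zone in baseline and qname in baseline[zone][0]
        verdicts.append((qname, "drop" if (zone, window) in attack and not known else "allow"))
    return attack, verdicts


def _iso(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def sample_traffic():
    """Constructed sample: 60 s of normal queries to four stable names, then a
    10 s random prefix burst (300 unique names) against the same zone while the
    normal names keep being queried. Returns (learning_lines, live_lines)."""
    stable = ["www.example.com", "mail.example.com", "api.example.com", "example.com"]
    t0 = int(datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc).timestamp())
    learning = [f"{_iso(t0 + s)} 198.51.100.{s % 4 + 1} {stable[s % 4]} A" for s in range(60)]
    live = [f"{_iso(t0 + 60 + s)} 198.51.100.9 {stable[s % 4]} A" for s in range(10)]
    for i in range(300):
        label = hashlib.sha256(f"junk{i}".encode()).hexdigest()[:12]   # stands in for attacker randomness
        live.append(f"{_iso(t0 + 60 + i // 30)} 203.0.113.{i % 200 + 1} {label}.example.com A")
    return learning, live


if __name__ == "__main__":
    learning_lines, live_lines = sample_traffic()
    bl = learn_baseline(learning_lines)
    attack_windows, decisions = classify(live_lines, bl)
    dropped = sum(1 for _, v in decisions if v == "drop")
    print(f"attack windows: {sorted(attack_windows)}; dropped {dropped} of {len(decisions)} queries")
```

The point of the per-zone state is that a stateless rate limit cannot tell the two halves of the live traffic apart, since every attack query is a unique, otherwise well-formed name; the baseline is what lets the classifier pass the four stable names untouched while dropping the 300 random prefixes.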
Availability
Advanced DNS Protection is currently available in beta to all Magic Transit customers.
Protection for simpler DNS-based DDoS attacks is also included as part of the Network-layer DDoS Attack Protection managed ruleset.
Initial setup
Ask your account team to enable Advanced DNS Protection and perform the initial configuration. The initial thresholds are based on your network’s individual behavior.
Next, add the prefixes you would like to onboard. Advanced DNS Protection will only be applied to the prefixes you onboard. To add prefixes, do one of the following:
- Go to the Cloudflare dashboard and use the Advanced TCP Protection user interface.
- Use the prefix API operations provided by Advanced TCP Protection.
Configuration
After Advanced DNS Protection is enabled, you can create rules to configure the protection system. By default, Advanced DNS Protection is enabled in monitoring mode.
Currently, you must use the Cloudflare API to create and manage DNS protection rules. For more information, refer to Configure via API.
For more information on the configuration settings, refer to Rule settings.
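The two API calls the setup above relies on, onboarding a prefix through the Advanced TCP Protection prefix operations and creating a DNS protection rule, as an added example that is not Cloudflare's own code or a sample from its documentation. The endpoint paths, JSON field names and allowed values are assumptions based on the Advanced TCP and DNS Protection API reference; confirm them against Configure via API and Rule settings before running this against a real account.

```python
"""Added example (not Cloudflare code): build, validate and send the prefix
onboarding and DNS protection rule requests. Paths and field names are assumed."""
import ipaddress
import json
import os
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"
ALLOWED_MODES = {"monitoring", "enabled", "disabled"}             # assumed enum
ALLOWED_SENSITIVITIES = {"low", "medium", "high", "very_high"}     # assumed enum


def prefix_body(prefix, comment=""):
    """Body for POST .../magic/advanced_tcp_protection/configs/prefixes (assumed path).
    strict=True rejects a host address written as a prefix ('192.0.2.1/24'),
    so a typo cannot onboard a range you did not mean."""
    net = ipaddress.ip_network(prefix, strict=True)
    return {"prefix": str(net), "comment": comment}


def rule_body(mode="monitoring", profile="low", rate="low", burst="low"):
    """Body for POST .../magic/advanced_dns_protection/configs/dns_protection/rules
    (assumed path). Defaults to monitoring so the first rule only observes."""
    if mode not in ALLOWED_MODES:
        raise ValueError(f"mode must be one of {sorted(ALLOWED_MODES)}")
    for name, value in (("profile", profile), ("rate", rate), ("burst", burst)):
        if value not in ALLOWED_SENSITIVITIES:
            raise ValueError(f"{name}_sensitivity must be one of {sorted(ALLOWED_SENSITIVITIES)}")
    return {"scope": "global", "mode": mode, "profile_sensitivity": profile,
            "rate_sensitivity": rate, "burst_sensitivity": burst}


def build_request(account_id, path, body, token):
    """Assemble the authenticated POST without sending it, so it can be inspected."""
    data = json.dumps(body).encode()
    return urllib.request.Request(
        f"{CF_API}/accounts/{account_id}/{path}", data=data, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})


def cf_post(account_id, path, body):
    """Send the request. The token is read from the environment, never from
    argv or the script, and is a scoped API token rather than a Global API Key."""
    token = os.environ["CF_API_TOKEN"]
    with urllib.request.urlopen(build_request(account_id, path, body, token), timeout=30) as resp:
        result = json.load(resp)
    if not result.get("success"):
        raise RuntimeError(result.get("errors"))
    return result["result"]


if __name__ == "__main__":
    acct = os.environ["CF_ACCOUNT_ID"]
    print(cf_post(acct, "magic/advanced_tcp_protection/configs/prefixes",
                  prefix_body("203.0.113.0/24", "authoritative DNS range")))
    print(cf_post(acct, "magic/advanced_dns_protection/configs/dns_protection/rules",
                  rule_body("monitoring")))
```

Run it with CF_ACCOUNT_ID and CF_API_TOKEN exported; the prefix goes in first because the rule only applies to prefixes that have been onboarded, and the rule starts in monitoring mode so you can compare the Network Analytics view against your own expectations before switching the mode.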
Data collection
Cloudflare collects DNS-related data such as query type (for example, A record) and the queried domains. For details, refer to Data collection.
Related products
Advanced DNS Protection can protect you against volumetric DNS DDoS attacks. To perform DNS caching, proxying, and configuration, use the Cloudflare DNS Firewall.