Configure DNS NXDOMAIN DoS vector mitigation responses

Overview

CNFs provide a DNS NXDOMAIN denial-of-service (DoS) attack vector that detects and mitigates floods of queries for domain names that do not exist. By default, once the vector detects an attack it silently drops the queries it identifies as attack traffic. You can instead configure the vector to answer those queries with an NXDOMAIN response.

Sending responses instead of dropping requests is useful when external DNS proxies, such as those used in multi-cloud DNS deployments, interpret silent drops as a sign that the server is unhealthy. By replying with an NXDOMAIN response, you protect the backend server while keeping downstream proxies informed.

Before you begin

  • The NXDOMAIN DoS vector is supported only on the Global DoS context. Per-virtual DoS is not supported for this vector.

  • The NXDOMAIN DoS vector supports UDP traffic only. TCP is not supported.

  • Understand how NXDOMAIN attack detection works (see How it works) before you enable mitigation responses. Responses are generated only while the vector is in the attack detected state, so detection thresholds that are too low or too high directly change what downstream proxies see.

How it works

The NXDOMAIN DoS vector maintains a hash bitmap of domain names for which the server has returned a valid (non-NXDOMAIN) answer. When the rate of NXDOMAIN replies from the server exceeds the configured attack detection thresholds, the vector enters the attack detected state.

During the attack detected state, incoming queries that do not match the valid domains bitmap are treated as potential attack traffic. Depending on your configuration, the system either drops these requests or replies with an NXDOMAIN response directly from the traffic management microkernel (TMM), without forwarding the request to the origin server.

Configuration options

You can control the reply behavior using two settings under the wellKnownProxies section of the F5BigDdosGlobal vector configuration:

  • responseRateLimit: The maximum rate, in responses per second, of NXDOMAIN replies. Set to 0 to send no replies and keep the default drop behavior. Set to a nonzero value to send replies up to the configured limit; queries beyond the limit are dropped. Default: 0 (no replies sent).

  • srcAddressList: The name of an F5BigCneAddressList custom resource (CR) that defines known downstream proxy source addresses. When you configure this setting, the system replies only to sources that match an address in the list and drops queries from every other source. If you do not configure an address list, the system replies to all sources. Default: none.

Address list considerations

  • The address list supports IPv4 and IPv6 addresses.

  • The address list supports only fully qualified host addresses (/32 for IPv4 and /128 for IPv6). It does not support subnet matching.

  • Changes to addresses in the address list custom resource (CR) take effect at runtime through a soft reference. You do not need to restart or redeploy the system.
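The decision path described under How it works, Configuration options and Address list considerations, modelled in a small Python simulation. This is an added example, not CNF code, and it makes a few assumptions that the page does not state: the two detection thresholds are combined with AND, the valid-domains bitmap is matched on the exact query name, and responseRateLimit is enforced per one-second window across all sources. The traffic, addresses and names in demo() are constructed.

```python
"""Model of the NXDOMAIN DoS vector decision path (added example, not CNF code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

FORWARD, DROP, REPLY = "forward", "drop", "reply-nxdomain"


def load_address_list(entries):
    """Parse srcAddressList-style entries. Only /32 and /128 host entries are
    accepted, mirroring the page's rule that subnet matching is not supported."""
    hosts = set()
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=True)
        if net.prefixlen != net.max_prefixlen:
            raise ValueError(f"{entry}: subnet entries are not supported, use /32 or /128")
        hosts.add(net.network_address)
    return hosts


@dataclass
class VectorConfig:
    detection_threshold_eps: int = 1000
    detection_threshold_percentage: int = 50
    response_rate_limit: int = 0                 # 0 => default silent drop
    src_address_list: Optional[set] = None       # None => reply to every source
    valid_domains: list = field(default_factory=list)


class NxdomainVector:
    def __init__(self, cfg):
        self.cfg = cfg
        # Stand-in for the hash bitmap: names the origin server has answered.
        self.valid = {self._key(d) for d in cfg.valid_domains}
        self.attack_detected = False
        self._window = None               # current one-second window
        self._replies_in_window = 0
        self.counters = {FORWARD: 0, DROP: 0, REPLY: 0}

    @staticmethod
    def _key(name):
        return name.lower().rstrip(".")

    def observe_server_reply(self, qname, rcode):
        """Learn valid names from answers the origin server actually returned."""
        if rcode != "NXDOMAIN":
            self.valid.add(self._key(qname))

    def evaluate_detection(self, total_queries, nxdomain_replies, seconds=1.0):
        """Assumed: both thresholds must be exceeded to enter attack detected."""
        eps = nxdomain_replies / seconds
        pct = 100.0 * nxdomain_replies / total_queries if total_queries else 0.0
        self.attack_detected = (eps > self.cfg.detection_threshold_eps
                                and pct > self.cfg.detection_threshold_percentage)
        return self.attack_detected

    def handle_query(self, src_ip, qname, now):
        action = self._decide(src_ip, qname, now)
        self.counters[action] += 1
        return action

    def _decide(self, src_ip, qname, now):
        if not self.attack_detected or self._key(qname) in self.valid:
            return FORWARD                        # normal path to the origin
        if self.cfg.response_rate_limit == 0:
            return DROP                           # default behaviour
        if (self.cfg.src_address_list is not None
                and ipaddress.ip_address(src_ip) not in self.cfg.src_address_list):
            return DROP                           # unknown source during attack
        window = int(now)
        if window != self._window:
            self._window, self._replies_in_window = window, 0
        if self._replies_in_window >= self.cfg.response_rate_limit:
            return DROP                           # responseRateLimit exhausted
        self._replies_in_window += 1
        return REPLY                              # NXDOMAIN answered by TMM


def demo():
    """Constructed traffic: one known proxy and one unknown client during an attack."""
    cfg = VectorConfig(response_rate_limit=2,
                       src_address_list=load_address_list(["192.0.2.10/32", "2001:db8::1"]),
                       valid_domains=["abc.com", "xyz.com"])
    v = NxdomainVector(cfg)
    v.evaluate_detection(total_queries=3000, nxdomain_replies=2000)  # 2000 eps, 66 % -> attack
    proxy, stranger = "192.0.2.10", "198.51.100.7"
    return [
        v.handle_query(proxy, "abc.com", 10.0),        # in the bitmap -> forward
        v.handle_query(proxy, "attack1.example", 10.1),  # reply 1 of 2 this second
        v.handle_query(proxy, "attack2.example", 10.2),  # reply 2 of 2
        v.handle_query(proxy, "attack3.example", 10.3),  # limit reached -> drop
        v.handle_query(stranger, "attack4.example", 10.4),  # not in list -> drop
        v.handle_query(proxy, "attack3.example", 11.0),  # new second -> reply
    ]


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two ways a query is dropped even with replies enabled: the per-second budget is spent, or the source is not in the address list. With response_rate_limit left at 0 every non-matching query is dropped, which is the page's default.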

Configure NXDOMAIN mitigation responses

To enable NXDOMAIN mitigation responses, update the F5BigDdosGlobal custom resource (CR) so that the dnsNxdomainQuery vector includes a wellKnownProxies section.

Example: Reply to all sources with a rate limit

This configuration sends NXDOMAIN responses to all sources at a maximum rate of 1,000 responses per second.

Create a file with a name of your choosing (for example, ddos-nxdomain-reply-all.yaml) and paste the content below:

apiVersion: "k8s.f5net.com/v1"
kind: "F5BigDdosGlobal"
metadata:
  name: "cnf-dns-ddos"
  namespace: "cnf-gateway"
spec:
  vectors:
    dnsNxdomainQuery:
      state: "mitigation"
      rateLimit: 1000
      detectionThresholdEps: 1000
      detectionThresholdPercentage: 50
      wellKnownProxies:
        responseRateLimit: 1000

Where the settings in this example are:

  • Rate limit: The rate, in events per second, to which traffic is limited when the system detects an attack for the vector.

  • Detection threshold (EPS): The events-per-second (EPS) threshold at which the system registers an attack for the NXDOMAIN vector. Adjust this value based on your expected traffic baseline.

  • Detection threshold (percentage): The percentage of NXDOMAIN responses relative to total DNS queries at which the system registers an attack. This setting works together with the EPS threshold.

  • Response rate limit: The maximum rate, in responses per second, of NXDOMAIN replies during attack mitigation. Set this value to 0 to stop sending replies and use the default drop behavior. Set it to a nonzero value to send NXDOMAIN replies, up to the configured limit, instead of silently dropping requests.

Example: Reply only to known proxy addresses

This configuration sends NXDOMAIN responses only to sources that match the addresses defined in address-list1, at a maximum rate of 1,000 responses per second.

Create a file with a name of your choosing (for example, ddos-nxdomain-reply-proxies.yaml) and paste the content below:

apiVersion: "k8s.f5net.com/v1"
kind: "F5BigDdosGlobal"
metadata:
  name: "cnf-dns-ddos"
  namespace: "cnf-gateway"
spec:
  vectors:
    dnsNxdomainQuery:
      state: "mitigation"
      rateLimit: 1000
      detectionThresholdEps: 1000
      detectionThresholdPercentage: 50
      validDomains:
        - abc.com
        - xyz.com
      wellKnownProxies:
        responseRateLimit: 1000
        srcAddressList: "address-list1"

Where the settings in this example are:

  • Rate limit: The rate, in events per second, to which traffic is limited when the system detects an attack for the vector.

  • Detection threshold (EPS): The events-per-second (EPS) threshold at which the system registers an attack for the NXDOMAIN vector. Adjust this value based on your expected traffic baseline.

  • Detection threshold (percentage): The percentage of NXDOMAIN responses relative to total DNS queries at which the system registers an attack. This setting works together with the EPS threshold.

  • Valid domains: A list of known-good domain names to prepopulate in the valid domains bitmap. This prevents the system from treating these domains as attack traffic before it receives real queries for them.

  • Response rate limit: The maximum rate, in responses per second, of NXDOMAIN replies during attack mitigation. Set this value to 0 to stop sending replies and use the default drop behavior. Set it to a nonzero value to send NXDOMAIN replies, up to the configured limit, instead of silently dropping requests.

  • Source address list: The name of the F5BigCneAddressList custom resource (CR) that defines known downstream proxy source addresses. When you configure this setting, the system replies only to sources that match an address in the list and drops requests from every other source. The address list supports IPv4 and IPv6 fully qualified host addresses (/32 and /128 only); subnet matching is not supported. Changes to the address list take effect at runtime without a restart or redeploy.

Use cases

Multi-cloud DNS deployment with external proxies

If your deployment routes DNS traffic through external intermediate DNS proxies, silent drops during attack mitigation can cause those proxies to mark the server as unhealthy. Configure responseRateLimit to a non-zero value so the system sends NXDOMAIN responses instead of silently dropping traffic. This keeps downstream proxies informed while still protecting the backend server.

Limit replies to known proxy sources

If you know the source addresses of your downstream DNS proxies, create an address list CR and reference it in srcAddressList. The system replies only to those known sources and drops requests from all other sources during attack mitigation. This approach limits the volume of responses and reduces TMM CPU usage.

Monitoring

You can monitor NXDOMAIN reply activity using the dos_dnsnxdomain_stat statistics table. The nxdomain_replies counter tracks the number of NXDOMAIN responses sent by TMM.

To view the statistics, run:

tmctl -dblade dos_dnsnxdomain_stat -w150
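A counter is only meaningful as a rate, so a practitioner usually samples the table twice and divides by the interval. The following added example (not a CNF tool) does that on two constructed samples in the whitespace-aligned shape tmctl prints. Only the nxdomain_replies column name comes from this page; the tmid column, the per-TMM row layout, the values, and the assumption that responseRateLimit applies to the aggregate reply rate are all made up for the example.

```python
"""Turn two samples of dos_dnsnxdomain_stat into a reply rate (added example)."""

# Constructed samples. Only the nxdomain_replies column name is from the page;
# the tmid column, the row layout and every value are assumptions.
SAMPLE_T0 = """\
tmid  nxdomain_replies
----  ----------------
0     120
1     95
"""
SAMPLE_T1 = """\
tmid  nxdomain_replies
----  ----------------
0     1120
1     1095
"""


def parse_counter(table, column):
    """Sum one counter column across every data row of a tmctl-style table."""
    lines = [ln for ln in table.splitlines() if ln.strip()]
    header = lines[0].split()
    try:
        idx = header.index(column)
    except ValueError:
        raise KeyError(f"column {column!r} not in table header {header}") from None
    total = 0
    for ln in lines[1:]:
        if set(ln.strip()) <= {"-", " "}:   # skip the dashed separator row
            continue
        total += int(ln.split()[idx])
    return total


def reply_rate(before, after, interval_s, response_rate_limit,
               column="nxdomain_replies"):
    """Replies per second between two samples, and whether the configured
    responseRateLimit (assumed to apply to the aggregate) is close to saturated."""
    delta = parse_counter(after, column) - parse_counter(before, column)
    if delta < 0:
        raise ValueError("counter went backwards; the statistics were reset between samples")
    rate = delta / interval_s
    return {
        "replies": delta,
        "rate_per_s": rate,
        "limit": response_rate_limit,
        "saturated": response_rate_limit > 0 and rate >= 0.95 * response_rate_limit,
    }


if __name__ == "__main__":
    print(reply_rate(SAMPLE_T0, SAMPLE_T1, interval_s=10, response_rate_limit=1000))
```

A sustained rate that sits at the configured limit during an attack means queries beyond the budget are being dropped; a rate of zero while the vector reports an attack usually means responseRateLimit is still 0 or the sources are not in the address list.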