
DNS Water Torture

A DDoS technique (also called pseudo-random subdomain attack) that floods authoritative nameservers with queries for random non-existent subdomains, bypassing resolver caches.

DNS water torture, also known as a Pseudo-Random Subdomain (PRSD) attack, exhausts an authoritative nameserver by flooding it with queries for random labels under the target zone (`a8f3.example.com`, `kk21.example.com`, ...). Because every label is unique, caches never help; every query reaches the authoritative server, which must compute NXDOMAIN responses for all of them. Recursive resolvers in front of the victim also get hammered with thousands of pending queries. Mitigations include Response Rate Limiting, NXDOMAIN response caching, dropping queries with high-entropy random labels, and putting authoritatives behind anycast with enough capacity to soak the load.
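A detection sketch for the pattern described above, added here as an illustration and not taken from the original page: over one window of authoritative query logs it scores each protected zone on NXDOMAIN ratio, share of unique leftmost labels, and mean label entropy. The function names, thresholds and sample log are assumptions constructed for the example; character entropy is capped by label length (a 4-character label tops out at 2 bits), so it is only used together with the other two signals.

```python
import math
from collections import Counter, defaultdict

def label_entropy(label):
    """Shannon entropy of the label's characters, in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def zone_stats(window, zones):
    """Summarise one time window of (qname, rcode) pairs for each protected zone."""
    seen = defaultdict(list)
    for qname, rcode in window:
        name = qname.lower().rstrip(".")
        for zone in zones:
            if name.endswith("." + zone):
                # The leftmost label is the part a PRSD flood randomises.
                seen[zone].append((name.split(".")[0], rcode))
                break
    stats = {}
    for zone, rows in seen.items():
        labels = [label for label, _ in rows]
        stats[zone] = {
            "queries": len(rows),
            "nxdomain_ratio": sum(r == "NXDOMAIN" for _, r in rows) / len(rows),
            "unique_ratio": len(set(labels)) / len(labels),
            "mean_entropy": sum(map(label_entropy, labels)) / len(labels),
        }
    return stats

# Thresholds are illustrative assumptions; tune them against a zone's own baseline.
def prsd_suspects(window, zones, min_queries=8, nx=0.9, uniq=0.9, entropy=2.5):
    """Zones whose window looks like a flood of unique, random, non-existent names."""
    return sorted(z for z, s in zone_stats(window, zones).items()
                  if s["queries"] >= min_queries and s["nxdomain_ratio"] >= nx
                  and s["unique_ratio"] >= uniq and s["mean_entropy"] >= entropy)

# Constructed sample window: random labels under example.com, normal traffic for example.org.
RANDOM_LABELS = ["a8f3q1zx", "kk21m9wp", "x7c2v0bn", "q9d4h6jt",
                 "m3z8r5ly", "t6b1n4ke", "w2g7s0ud", "p5j9c3xa"]
SAMPLE = [(f"{lab}.example.com.", "NXDOMAIN") for lab in RANDOM_LABELS] + [
    ("www.example.org.", "NOERROR"), ("www.example.org.", "NOERROR"),
    ("mail.example.org.", "NOERROR"), ("api.example.org.", "NOERROR"),
    ("www.example.org.", "NOERROR"), ("typo.example.org.", "NXDOMAIN"),
    ("mail.example.org.", "NOERROR"), ("www.example.org.", "NOERROR"),
]

if __name__ == "__main__":
    print(prsd_suspects(SAMPLE, ["example.com", "example.org"]))
```
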
