We have been noticing an increasing number of DDoS attacks against our DNS Server 2008 R2. Recursion is disabled, so we only give valid responses for zones that we are authoritative for.

My problem is that we are receiving traffic floods on the order of 100 requests per second simultaneously from multiple sources. Since DNS responds with a non-authoritative response effectively saying "that zone isn't here, go somewhere else", it still consumes resources. To combat this, I implemented a QoS policy for outbound traffic to limit the bandwidth, so other services on our network are not affected. The QoS policy works well, but I fear that some legitimate DNS requests may get lost as a result.

These malicious floods are querying for the same zone (isc.org), for which we are not authoritative.

Do you have any solution for this big problem? How can I stop this attack without a hardware firewall?
I think we do not have many options to prevent the DDoS attack by using the Windows built-in features; however, we can use hardware or software based router or firewall devices (for example, TMG/ISA) and set them in front of the server in order to protect it against the attacks from the internet.
Planning to protect against denial of service flood attacks
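To build the block list that such a firewall would enforce, the flooding sources first have to be separated from legitimate clients. The script below is an added example, not code from the thread or from the Windows DNS server: it takes already-parsed query records (timestamp in milliseconds, source IP, query name; constructed sample data, with isc.org as the flooded zone and example.com/example.net assumed as the hosted zones) and reports sources whose rate of queries for non-authoritative zones exceeds a threshold in any one-second window, so that a QoS limit can be replaced by per-source blocking.

```python
"""Detect per-source floods of queries for zones this server does not host.
Added example; the record format and the zone list are assumptions."""
from collections import defaultdict, deque

AUTHORITATIVE = {"example.com.", "example.net."}   # assumed hosted zones


def parent_zones(qname):
    """All zones a name could fall under: www.example.com. -> {www.example.com., example.com., com.}"""
    labels = qname.rstrip(".").split(".")
    return {".".join(labels[i:]) + "." for i in range(len(labels))}


def is_authoritative(qname, zones=AUTHORITATIVE):
    return bool(parent_zones(qname) & zones)


def find_flooders(records, window_ms=1000, threshold=50):
    """records: iterable of (t_ms, src_ip, qname).
    Returns {src_ip: peak_count} for sources that sent more than `threshold`
    queries for non-authoritative zones inside any `window_ms` window."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peaks = {}
    for t, src, qname in sorted(records):
        if is_authoritative(qname):
            continue              # answering our own zones is expected load
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window_ms:
            q.popleft()           # slide the window forward
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def sample_records():
    """Constructed traffic: two sources at 100 qps for isc.org, one normal client."""
    recs = []
    for i in range(120):                      # 1.2 s of flood per source
        recs.append((i * 10, "198.51.100.7", "isc.org."))
        recs.append((i * 10, "203.0.113.9", "isc.org."))
    recs.append((200, "192.0.2.5", "www.example.com."))
    recs.append((500, "192.0.2.5", "isc.org."))   # one stray query is not a flood
    return recs


if __name__ == "__main__":
    for src, peak in sorted(find_flooders(sample_records()).items()):
        print(f"block candidate {src}: peak {peak} non-authoritative queries/s")
```

The threshold should sit well above what a real resolver retrying a misdirected query would produce, so the legitimate client in the sample is never listed.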