DNS AAAA (IPv6) query flood
High QPS of AAAA lookups stresses dual-stack resolvers, larger responses, and IPv6-ready authoritative paths.
How it works
- Engarde DNS flood targets configured names; include IPv6-only or dual-stack names in target list.
- AAAA answers are typically larger than A; bandwidth per query increases.
- Resolver may walk additional authoritative chains for IPv6 glue records.
Packet flow (illustrative)
Engarde node Target
βQuery: api.example.com A
βAnswer: 203.0.113.10
βQuery: randomNN.example.com
βNXDOMAIN
Illustrative flow β not a live capture.
QTYPE AAAA (28)
Engarde DNS Query Flood
Impact Resolver + bandwidth
What to watch in Engarde
- Response size growth vs. A-only baseline.
- Timeout on resolvers without IPv6 upstream.
- CDN dual-stack cache miss behavior.
Running this simulation
Configure DNS attack with names that resolve AAAA; compare QPS limits with A-record-only list.
Mitigation perspective
QPS caps per QTYPE; ensure IPv6 path capacity matches AAAA demand from simulation.