DNS NXDOMAIN-heavy query flood
Queries for non-existent names bypass the resolver cache and force full lookup work, which makes this pattern distinct from floods of cached A-record queries.
How it works
- Each random subdomain query misses cache.
- The recursive resolver walks the upstream or authoritative chain.
- CPU rises even when response bytes stay small.
Packet flow (illustrative)
Engarde node Target
→ Query: api.example.com A
← Answer: 203.0.113.10
→ Query: randomNN.example.com
← NXDOMAIN
Illustrative flow — not a live capture.
Pattern: Cache miss QPS
Engarde: DNS query mode
Impact: Resolver CPU
What to watch in Engarde
- Resolver CPU vs. authoritative load.
- QPS limits triggering on the upstream provider.
Running this simulation
Configure a DNS attack against an authorized resolver, then compare the results with a cached-name query baseline.
Mitigation perspective
Per-client QPS limits, NXDOMAIN rate limits (RRL), and negative-caching TTL tuning.
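Detection sketch for the pattern above, as an added example that is not Engarde code or output: it buckets resolver query-log lines per client, parent zone and time window, then flags windows dominated by NXDOMAIN answers to many distinct names. The log format, the thresholds, the function names and the two-label parent-zone rule are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client> <qname> <qtype> <rcode>".
SAMPLE_LOG = "\n".join(
    ["1700000000 192.0.2.10 api.example.com A NOERROR"] * 6        # cached-name baseline
    + ["1700000001 192.0.2.20 typo.example.com A NXDOMAIN"] * 6    # one name, repeated
    + [f"1700000002 192.0.2.30 random{n:02d}.example.com A NXDOMAIN" for n in range(6)]
)

def parent_zone(qname, labels=2):
    """Last `labels` labels of the name (assumption: no public-suffix lookup)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def flag_nxdomain_heavy(log_text, window=10, min_queries=5, min_nx_ratio=0.8, min_unique=5):
    """Return {(client, zone, window_start): stats} for windows that are mostly
    NXDOMAIN answers to many distinct names under one zone."""
    buckets = defaultdict(lambda: {"total": 0, "nx": 0, "names": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        ts, client, qname, _qtype, rcode = fields
        bucket = buckets[(client, parent_zone(qname), int(ts) // window * window)]
        bucket["total"] += 1
        if rcode == "NXDOMAIN":
            bucket["nx"] += 1
            bucket["names"].add(qname.rstrip(".").lower())
    flagged = {}
    for key, b in buckets.items():
        ratio = b["nx"] / b["total"]
        # Distinct names matter: a repeated NXDOMAIN name can be answered from the
        # negative cache, while every new random label forces a full lookup.
        if b["total"] >= min_queries and ratio >= min_nx_ratio and len(b["names"]) >= min_unique:
            flagged[key] = {"qps": b["total"] / window, "nx_ratio": round(ratio, 2),
                            "unique_nx_names": len(b["names"])}
    return flagged

if __name__ == "__main__":
    for key, stats in flag_nxdomain_heavy(SAMPLE_LOG).items():
        print(key, stats)
```

On the sample, only the client sending distinct random labels is flagged; the client repeating a single non-existent name stays below the distinct-name threshold.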