DNS random subdomain (A) flood
Random labels under a fixed zone force cache misses while still receiving valid A answers, which makes this distinct from the NXDOMAIN pattern.
How it works
- Pattern: randomNN.example.com A queries where the name exists or a wildcard resolves.
- Every query misses the resolver cache even when answers succeed.
- The authoritative server still does lookup work for each unique label.
- Compare with the NXDOMAIN pattern to test negative vs. positive cache paths.
Packet flow (illustrative)
Engarde node → Target: query api.example.com A
Engarde node ← Target: answer 203.0.113.10
Engarde node → Target: query randomNN.example.com
Engarde node ← Target: NXDOMAIN
Illustrative flow — not a live capture.
Pattern: Random label A
vs NXDOMAIN: Valid answers
What to watch in Engarde
- Authoritative QPS vs. resolver CPU.
- Wildcard zone behavior under label explosion.
- RRL triggering on authoritative side.
Running this simulation
Run the DNS flood against a zone you control that has a wildcard or pre-provisioned random labels; compare the results with cached fixed-name queries.
Mitigation perspective
Apply wildcard rate limits and per-client QPS limits on the authoritative server; monitor glue NS load.
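One way to tell this pattern apart from the NXDOMAIN variant in query logs, as an added example that is not Engarde's own code: it measures the share of distinct names per zone and the dominant response code, and reports the busiest client for per-client limits. The log format, thresholds, verdict names and sample lines are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "<client> <qname> <qtype> <rcode>".
# The format is hypothetical; adapt the parsing to your server's query log.
SAMPLE_LOG = "\n".join(
    [f"198.51.100.7 random{i:02d}.example.com A NOERROR" for i in range(20)]
    + [f"198.51.100.9 random{i:02d}.example.net A NXDOMAIN" for i in range(20)]
    + ["192.0.2.15 api.example.org A NOERROR"] * 20
)
VERDICTS = {"NOERROR": "random-label-positive", "NXDOMAIN": "random-label-nxdomain"}

def zone_of(qname, zones):
    """Return the longest configured zone that qname falls under, or None."""
    name = qname.rstrip(".").lower()
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

def classify(log_text, zones, min_queries=10, unique_ratio=0.8):
    """Per zone: query count, share of distinct names, busiest client, verdict."""
    names, rcodes, clients = defaultdict(set), defaultdict(Counter), defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        client, qname, _qtype, rcode = parts
        zone = zone_of(qname, zones)
        if zone is None:
            continue  # not one of the zones we serve
        names[zone].add(qname.rstrip(".").lower())
        rcodes[zone][rcode] += 1
        clients[zone][client] += 1
    report = {}
    for zone in names:
        total = sum(rcodes[zone].values())
        ratio = len(names[zone]) / total
        top_rcode = rcodes[zone].most_common(1)[0][0]
        if total >= min_queries and ratio >= unique_ratio:
            # Nearly every query is a new name, so caching cannot absorb the load.
            verdict = VERDICTS.get(top_rcode, "random-label-other")
        else:
            verdict = "cacheable"
        report[zone] = {"queries": total, "unique_ratio": round(ratio, 2),
                        "top_client": clients[zone].most_common(1)[0][0],
                        "verdict": verdict}
    return report

if __name__ == "__main__":
    for zone, row in classify(SAMPLE_LOG, ["example.com", "example.net", "example.org"]).items():
        print(zone, row)
```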