Cloudflare Docs
DDoS Protection
Edit this page on GitHub
Set theme to dark (⇧+D)

Cloudflare Advanced DNS Protection


Cloudflare Advanced DNS Protection Beta, powered by flowtrackd, provides stateful protection against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as random prefix attacks.

​​ How it works

Cloudflare’s Advanced DNS Protection works by first learning your traffic patterns and forming a baseline of the type of DNS queries you normally receive. Later, the system will be able to distinguish between legitimate and malicious queries, protecting your DNS infrastructure without impacting legitimate traffic.

Currently, the protection system only analyzes DNS over UDP (it does not include DNS over TCP).

The Network Analytics dashboard will display system-specific analytics for Advanced DNS Protection in the DNS protection tab, including the queried domains and record types.

​​ Availability

Advanced DNS Protection is currently available in beta to Magic Transit customers.

Protection for simpler DNS-based DDoS attacks is also included as part of the Network-layer DDoS Attack Protection managed ruleset.

​​ Initial setup

  1. Contact your account team to enable Advanced DNS Protection and make the initial configuration. The initial thresholds are based on your network’s individual behavior.

  2. Add the prefixes you wish to onboard using the Advanced TCP Protection user interface. Advanced DNS Protection will only be applied to the prefixes you onboard.

    If you already onboarded the desired prefixes when you configured Advanced TCP Protection, you do not need to take any other action.

​​ Troubleshooting

​​ No data about Advanced DNS Protection in Network Analytics

If you cannot find any data related to Advanced DNS Protection in the DNS Protection tab of Network Analytics, it could be because one of these reasons:

  • You did not add your prefixes to Advanced TCP Protection.
  • Cloudflare did not enable the Advanced DNS Protection system yet.
  • You do not have any DNS over UDP traffic.

​​ Data collection

Cloudflare collects DNS-related data such as query type (for example, A record) and the queried domains. For details, refer to Data collection.

Advanced DNS Protection can protect you against volumetric DNS DDoS attacks. To perform DNS caching, proxying, and configuration, use the Cloudflare DNS Firewall.

Currently, Advanced DNS Protection is not available for DNS Firewall.