Advanced DNS Protection
Cloudflare’s Advanced DNS Protection, powered by flowtrackd, provides stateful protection against DNS-based DDoS attacks, specifically sophisticated and fully randomized DNS attacks such as random prefix attacks.
Cloudflare’s Advanced DNS Protection works by first learning your traffic patterns and forming a baseline of the type of DNS queries you normally receive. Once that baseline exists, the system can distinguish between legitimate and malicious queries, protecting your DNS infrastructure without impacting legitimate traffic.
Currently, the protection system only analyzes DNS over UDP (it does not include DNS over TCP).
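As an added illustration of the "learn a baseline, then flag deviations" idea described above (this is constructed example code, not Cloudflare's flowtrackd implementation; the page does not describe flowtrackd's actual features or thresholds), the Python below profiles a constructed sample of DNS-over-UDP query records per zone, learns a baseline from legitimate traffic, and flags a window in which every query carries a fresh random leftmost label, the signature of a random prefix attack. The zone names, client addresses, feature choices and thresholds are all assumptions made for the example.

```python
# Added illustration, not Cloudflare's flowtrackd code: a minimal
# "learn a baseline, then flag deviations" detector for random prefix floods.
import math
import random
from collections import Counter, defaultdict

# --- constructed sample data (assumed names and addresses) -----------------
# Legitimate traffic: a few well-known names queried over and over.
LEGIT_NAMES = ["www.example.com", "mail.example.com",
               "api.example.com", "cdn.example.com"]
LEGIT_TYPES = ["A", "AAAA", "A", "MX"]
BASELINE_QUERIES = [(f"198.51.100.{i % 20}", LEGIT_NAMES[i % 4], LEGIT_TYPES[i % 4])
                    for i in range(40)]

# Attack window: every query carries a fresh pseudo-random leftmost label,
# so resolver caches never hit and each query reaches the authoritative server.
_rng = random.Random(1234)          # fixed seed keeps the example reproducible
_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
ATTACK_QUERIES = [(f"203.0.113.{i}",
                   "".join(_rng.choice(_ALPHABET) for _ in range(12)) + ".example.com",
                   "A")
                  for i in range(40)]


def zone_of(qname, labels=2):
    """Approximate the protected zone as the last `labels` labels of the name."""
    return ".".join(qname.lower().rstrip(".").split(".")[-labels:])


def prefix_entropy(qname):
    """Shannon entropy in bits per character of the leftmost label."""
    label = qname.split(".")[0]
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def profile(queries):
    """Per-zone features: query count, unique-name ratio, mean prefix entropy."""
    names_by_zone = defaultdict(list)
    for _src, qname, _qtype in queries:
        names_by_zone[zone_of(qname)].append(qname.lower())
    return {
        zone: {
            "count": len(names),
            "unique_ratio": len(set(names)) / len(names),
            "mean_entropy": sum(prefix_entropy(q) for q in names) / len(names),
        }
        for zone, names in names_by_zone.items()
    }


def learn_baseline(queries):
    """The learning phase: the baseline is simply the profile of normal traffic."""
    return profile(queries)


def score_window(window, baseline, ratio_factor=3.0, entropy_delta=1.5):
    """Flag a zone only when BOTH features move well beyond its baseline.

    Requiring both keeps a single busy-but-legitimate client, or a zone that
    has many distinct hostnames by design (unique_ratio already near 1.0),
    from tripping the detector on its own. Zones with no baseline are
    reported but not flagged, since there is nothing to compare against yet.
    """
    verdicts = {}
    for zone, feat in profile(window).items():
        base = baseline.get(zone)
        if base is None:
            verdicts[zone] = {"flagged": False, "reasons": ["no baseline for zone"]}
            continue
        reasons = []
        if feat["unique_ratio"] > base["unique_ratio"] * ratio_factor:
            reasons.append(f"unique-name ratio {feat['unique_ratio']:.2f} "
                           f"vs baseline {base['unique_ratio']:.2f}")
        if feat["mean_entropy"] > base["mean_entropy"] + entropy_delta:
            reasons.append(f"prefix entropy {feat['mean_entropy']:.2f} "
                           f"vs baseline {base['mean_entropy']:.2f}")
        verdicts[zone] = {"flagged": len(reasons) == 2, "reasons": reasons}
    return verdicts


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_QUERIES)
    print("normal window:", score_window(BASELINE_QUERIES, baseline))
    print("attack window:", score_window(ATTACK_QUERIES, baseline))
```

The two features chosen here, the share of never-before-seen query names and the character entropy of the leftmost label, are the same kind of signal a defender would look for in the queried domains and record types shown in the Network Analytics DNS protection tab. A flagged verdict in a real system would drive a targeted mitigation for that zone rather than dropping all of its traffic, which is what the page means by protecting the infrastructure without impacting legitimate queries.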
The Network Analytics dashboard will display system-specific analytics for Advanced DNS Protection in the DNS protection tab, including the queried domains and record types.
Create a rule to enable Advanced DNS Protection.
If you cannot find any data related to Advanced DNS Protection in the DNS Protection tab of Network Analytics, one of the following reasons may apply:
- You did not add your prefixes to Advanced L3/4 DDoS Protection.
- Cloudflare did not enable the Advanced DNS Protection system yet.
- You do not have any DNS over UDP traffic.
Cloudflare collects DNS-related data such as query type (for example, A record) and the queried domains. For details, refer to Data collection.
Advanced DNS Protection is currently available to Magic Transit customers.
Protection for simpler DNS-based DDoS attacks is also included as part of the Network-layer DDoS Attack Protection managed ruleset.
Advanced DNS Protection can protect you against volumetric DNS DDoS attacks. To perform DNS caching, proxying, and configuration, use the Cloudflare DNS Firewall.
Currently, Advanced DNS Protection is not available for DNS Firewall.