Mitigating DNS DoS Attacks
This paper considers DoS attacks on DNS in which attackers flood the name-servers of a zone to disrupt resolution of the resource records belonging to that zone and, consequently, to any of its sub-zones. The authors propose a minor change to the caching behavior of DNS resolvers that can significantly alleviate the impact of such attacks. In their proposal, DNS resolvers do not evict cached records whose TTL has expired; instead, such records are moved to a separate "stale cache". If, during the resolution of a query, a resolver receives no response from the name-servers responsible for authoritatively answering that query, it can use the records stored in the stale cache to answer it.
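The caching change described above, as an added example that is not code from the paper: a toy resolver cache that demotes expired records to a stale cache and serves them only when the authoritative servers do not answer. The `upstream` callback, the names and the addresses are constructed for the example, and the stale cache here is unbounded (a real deployment would cap its size and age).

```python
# Added example: resolver cache with a stale-cache fallback (not the paper's code).
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Entry:
    rdata: list          # resource records, e.g. IPv4 address strings
    expires_at: float    # absolute time at which the record's TTL runs out


class StaleCacheResolver:
    def __init__(self, upstream: Callable[[str], Optional[tuple]]):
        # upstream(name) returns (rdata, ttl) from the authoritative servers,
        # or None when no response arrives (e.g. the servers are being flooded).
        self.upstream = upstream
        self.fresh = {}   # name -> Entry whose TTL is still valid
        self.stale = {}   # name -> Entry whose TTL expired, kept for fallback

    def resolve(self, name: str, now: float):
        """Return (rdata, source); source is "cache", "authoritative",
        "stale" or "servfail" (rdata is None in the last case)."""
        entry = self.fresh.get(name)
        if entry is not None:
            if now < entry.expires_at:
                return entry.rdata, "cache"
            # TTL expired: demote to the stale cache instead of evicting.
            del self.fresh[name]
            self.stale[name] = entry
        answer = self.upstream(name)
        if answer is not None:
            rdata, ttl = answer
            self.fresh[name] = Entry(rdata, now + ttl)
            self.stale.pop(name, None)   # refreshed; fallback copy not needed
            return rdata, "authoritative"
        # No authoritative response: answer from the stale cache if we can.
        stale = self.stale.get(name)
        if stale is not None:
            return stale.rdata, "stale"
        return None, "servfail"


def demo():
    state = {"up": True}   # constructed upstream that can be "taken down"

    def upstream(name):
        return (["192.0.2.10"], 60) if state["up"] else None

    r = StaleCacheResolver(upstream)
    a = r.resolve("www.example.com", now=0)       # authoritative
    b = r.resolve("www.example.com", now=30)      # cache (TTL still valid)
    state["up"] = False                           # name-servers stop answering
    c = r.resolve("www.example.com", now=120)     # stale fallback
    d = r.resolve("mail.example.com", now=120)    # never cached -> servfail
    return a[1], b[1], c[1], d[1], c[0]
```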