Domain name system (DNS) works like a phone book in the Internet address resolution process. It translates user-provided domain names into corresponding IP addresses and thus helps to connect to those domains. For its important role in Internet connectivity and the emerging growth of the Internet of Things (IoT) devices, recent massive distributed denial of service (DDoS) flooding attacks target this important infrastructure. The significance behind this kind of attack is huge. A successful DDoS flooding attack in DNS makes hundreds of domain names unreachable. This paper proposes a mitigation mechanism for this DNS flooding attack in which stale content updates and a hotlist in DNS local databases are utilized in local/low-tier DNS servers. This hotlist contains domain records from different upper-level DNS servers, and these domain names are the top most queried domain names of those servers so that when the DNS is under attack, those domains in the hotlist still can be accessed. This hotlist is implemented using piggyback response messages not to cost much overhead. Furthermore, we propose a stale content update method for DNS local database, which periodically updates the stale contents to keep the database fresh. Simulation runs show good results from this hotlist content, and during an extreme outage for the DNS flooding attack, hotlist contents serve over \(80\%\) of the total responses of the database.

域名系统 (DNS) 在 Internet 地址解析过程中就像电话簿一样工作。它将用户提供的域名转换为相应的 IP 地址，从而有助于连接到这些域。由于其在互联网连接中的重要作用和物联网 (IoT) 设备的新兴增长，最近的大规模分布式拒绝服务 (DDoS) 泛洪攻击针对这一重要基础设施。这种攻击背后的意义是巨大的。DNS 中成功的 DDoS 泛洪攻击会使数百个域名无法访问。本文提出了一种针对这种 DNS 泛洪攻击的缓解机制，其中在本地/低层 DNS 服务器中使用 DNS 本地数据库中的陈旧内容更新和热列表。此热列表包含来自不同上层 DNS 服务器的域记录，并且这些域名是这些服务器中查询次数最多的域名，这样当DNS受到攻击时，热点列表中的那些域仍然可以被访问。此热列表是使用搭载响应消息实现的，不会花费太多开销。此外，我们提出了一种用于 DNS 本地数据库的陈旧内容更新方法，该方法会定期更新陈旧内容以保持数据库的最新状态。模拟运行显示此热列表内容的良好结果，并且在 DNS 泛洪攻击的极端中断期间，热列表内容服务于 它会定期更新陈旧的内容以保持数据库新鲜。模拟运行显示此热列表内容的良好结果，并且在 DNS 泛洪攻击的极端中断期间，热列表内容服务于 它会定期更新陈旧的内容以保持数据库新鲜。模拟运行显示此热列表内容的良好结果，并且在 DNS 泛洪攻击的极端中断期间，热列表内容服务于\(80\%\)数据库的总响应。