How do I fix DNS flood queries overload problem in Cloudflare?

Dear All Experts, I'm facing a big problem with DNS queries recently. It happens two times daily, I guess, with over 700 DNS queries, and it used to be even more, like 1300 in just a single second. It seems like some sort of sophisticated DNS DDoS attack or something. Any tips or ways to help avoid such ones? The problem is shown in the photo below.
Chaika, 14mo ago
It could be certs being renewed, they show up in Public CT logs (Certificate Transparency), and a bunch of bots rush to scan and such. Regardless, you don't pay for DNS Queries, you have Unlimited, and Cloudflare should have no issues absorbing that traffic. I would just ignore it. A bunch of traffic in a single second isn't really "sophisticated"
don_ammar (OP), 14mo ago
Hi, thanks for your reply. How can I avoid it? Because sometimes it crashes my website for 3 - 5 minutes and slows down its performance. I know this because we have over 1400 rival companies and over 3100 blacklisted whiners in our DB. So you only recommend cert renewals to fix it?
Hello, I’m Allie!
Do you see a corresponding uptick in HTTP(S) traffic? The systems serving DNS aren’t the same as the systems proxying your website, so this high level of traffic shouldn’t have any effect on your website itself
don_ammar (OP), 14mo ago
Well then, how do you explain that my domains and my website go down sometimes on these peaks especially? I'm still searching for a real solution for this DNS flood DDoS attack, but nothing useful found on the internet yet.
Hello, I’m Allie!
A lot of requests don't necessarily correlate with downtime of a website, which is why I was wondering whether the dashboard shows any HTTP(S) traffic there too. You can't really stop a DNS flood (at least on Cloudflare), but you can definitely stop an HTTP(S)-based attack.
don_ammar (OP), 14mo ago
Yeah, HTTPS you can, via WAF, and make strong rules. I already made some, but still only minor to no effect on the DNS flood, like they range between 740 for a low attack and 1100 for a high attack. I guess paid premium DNS protection services are my only choice.
Chaika, 14mo ago
The "DNS Flood" is at best a symptom of something else, like an http flood incoming. The actual DNS Traffic does not matter or affect you in the slightest, DNS Queries are cheap anyway, compared to http requests. If you got some special dns protection service it would be pointless, because you wouldn't be solving anything and DNS Traffic is much harder to mitigate/challenge anyway because there is less information you can get (harder to not block innocents).
If you go to your website in Cloudflare, and Analytics & Logs -> Traffic, you don't see any increase in http requests around the same time?
don_ammar (OP), 14mo ago
Here are two photos. Sure, I see both, but not the same volume.
don_ammar (OP), 14mo ago
See, it's not that big a peak compared to DNS, like 500 HTTP requests, but for DNS 800 and something, maybe less HTTP.
Chaika, 14mo ago
DNS Volume isn't going to match up with http generally, there's a lot more records (A/AAAA for IPv4/IPv6, HTTPS for SNI/other http hints, DNSKEY for DNSSEC, etc) that may need to be queried for a single http request, potentially 3-4.
That's also different time periods, right? Looks like dns is 6 hours and traffic there is 24 hours, which I think is all you get on free anyway.
"my website goes down sometime then on these peaks specially ?"
When you say your "website goes down", can you clarify what you mean by this? Which Cloudflare error? If you have any monitoring on your origin web server, do you see an increase in http requests or cpu % there?
don_ammar (OP), 14mo ago
Goes down = it's down, can't access my website nor cPanel nor anything. Yes, also a CPU peak, but not that much.
Chaika, 14mo ago
Any more info than that? Do you get a specific Cloudflare error? Is your cpanel on a separate subdomain proxied by Cloudflare?
don_ammar (OP), 14mo ago
Similar to this error on my cPanel. As for Cloudflare, it shows the normal error when it can't connect to the origin server.
don_ammar (OP), 14mo ago
As for the Cloudflare DNS records, all are proxied. No, my cPanel is on the same domain for sure.
Chaika, 14mo ago
That's interesting. Do you have a monitoring service watching your website, and it only triggers in alignment with dns requests/etc, or is it more like you just happen to check and see it happens at certain times?
don_ammar (OP), 14mo ago
Yes sure, I already run HetrixTools recently for that stuff, but even that didn't help. It only notifies me when it's down.
Chaika, 14mo ago
right and it only notifies you when it's down dns queries also spike? I was thinking it might just be entirely unrelated and you have some other origin web server issue
don_ammar (OP), 14mo ago
Maybe it's unrelated, but recently those peaks strike two times daily, and at these two near timestamps my website is slow like a turtle and sometimes crashes. I wonder if Cloudflare has a copy of those DNS requesters or something; maybe then we blacklist their IPs or run a tracer.
Chaika, 14mo ago
You could only get src IPs of DNS Requests via Enterprise logpush.
I would try to chase down those origin errors more though, like that cpanel one seems a bit odd, some info on debugging it here: https://forums.cpanel.net/threads/internal-server-error-500-security-policy-requires-exec-termination.692201/
"... it shows the normal error when can't connect to origin server."
There's lots of error codes with origin servers, the specific one would be helpful. I would try to see through logs if any requests are making it through, any application errors, and also check out other usage stats around the time of the error (network usage, memory, etc).
It could be some host error, especially if you are on shared hosting.
It could be requests going around Cloudflare. If you haven't properly configured your origin web server to only allow Cloudflare IPs (bare min), they could be requesting your origin directly, or just straight up DDoSing it/saturating your network link.
It could be a small number of requests to expensive endpoints, if you have any. If your web server isn't very powerful, and you get a few hundred requests in a few seconds to something like adding an item to cart, it could cause your website to crawl. The free traffic view only graphs per hour, making spikes hard to see.
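
A way to check two of the possibilities raised in the last reply (requests reaching the origin without passing through Cloudflare, and bursts that an hourly graph hides), as an added example that is not part of the original thread. It assumes a combined-format access log that records the connecting peer address rather than a visitor IP restored from a Cloudflare header; the log lines and the `via_cloudflare` and `analyse` names are constructed for illustration, and the range list is only a subset of what Cloudflare publishes.

```python
import ipaddress
import re
from collections import Counter

# Subset of the ranges Cloudflare publishes at https://www.cloudflare.com/ips/
# (assumption: refresh the full list from there before relying on this).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "172.64.0.0/13", "162.158.0.0/15", "2606:4700::/32")]

# Combined log format: peer IP first, timestamp in [brackets], then the request.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

# Constructed sample lines (documentation-range IPs stand in for direct clients).
SAMPLE_LOG = """\
172.68.10.5 - - [12/Mar/2024:09:15:02 +0000] "GET / HTTP/1.1" 200 5120
162.158.90.12 - - [12/Mar/2024:09:15:02 +0000] "GET /shop HTTP/1.1" 200 8420
203.0.113.7 - - [12/Mar/2024:09:15:03 +0000] "POST /cart/add HTTP/1.1" 200 310
203.0.113.7 - - [12/Mar/2024:09:15:03 +0000] "POST /cart/add HTTP/1.1" 200 310
203.0.113.7 - - [12/Mar/2024:09:15:03 +0000] "POST /cart/add HTTP/1.1" 502 0
198.51.100.23 - - [12/Mar/2024:09:15:04 +0000] "GET /cpanel HTTP/1.1" 500 0
""".splitlines()

def via_cloudflare(ip):
    """True if the connecting peer is inside a listed Cloudflare range."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net
               for net in CLOUDFLARE_NETS)

def analyse(lines, burst=3):
    """Return (direct, bursts): requests that did not come via Cloudflare,
    and the seconds in which at least `burst` requests arrived."""
    direct, per_second = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, ts, method, path = m.groups()
        try:
            proxied = via_cloudflare(ip)
        except ValueError:
            continue  # first field was not an IP address
        per_second[ts] += 1  # log timestamps have one-second resolution
        if not proxied:
            direct.append((ts, ip, method, path))
    return direct, {ts: n for ts, n in per_second.items() if n >= burst}

if __name__ == "__main__":
    direct, bursts = analyse(SAMPLE_LOG)
    for hit in direct:
        print("did not come via Cloudflare:", *hit)
    for ts, n in bursts.items():
        print(f"{n} requests in one second at {ts}")
```

Any line reported as not coming via Cloudflare means the origin is reachable directly, which is what restricting the web server or firewall to Cloudflare's ranges closes off.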