DNS Attack Defense Policy
DNS Request Flood Attack Defense
The defense method depends on the type of DNS server being protected: one method is used for the cache server and another for the authorization server, because the detection packets used by the two methods are different. For the detailed defense mechanisms, see the product manual.
The defense for the cache server and the defense for the authorization server are mutually exclusive; that is, you can select only one of them.
If you are protecting the authorization server, you are advised to enable the CNAME defense mode. If you are protecting the cache server, or are not sure which type of DNS server you are protecting, you are advised to enable the passive defense mode.
Because some clients cannot handle reply packets whose TC flag is set to 1 (they do not retry the query over TCP), and some DNS servers do not support TCP at all, enabling TCP authentication may affect services.
DNS Reply Flood Attack Defense
Source detection-based defense: When the rate of DNS reply packets exceeds the configured threshold, the AntiDDoS scrubbing device, on receiving a DNS reply packet, acts as a proxy for the Zone, constructs a new DNS request packet, and sends it to the source to check whether the source IP address belongs to a real DNS server.
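As an added illustration (not the product's own code or configuration), the following Python simulation shows the source-detection logic described above: replies are counted per source, and once the rate passes the threshold the device builds a DNS query as the Zone and sends it to the source; only a source that answers with a matching transaction ID is treated as a real DNS server. The `send_probe` callback, the threshold, the 1-second counting window, and the sample IP addresses and packets are all assumptions constructed for the simulation.

```python
import secrets
import struct
from collections import defaultdict

def build_query(txid, qname, qtype=1):
    """Encode a standard DNS query (QR=0, RD=1, class IN) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(pkt):
    """Decode ID and flags from the DNS header: QR=1 marks a reply, TC=1 a truncated one."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    return {"id": txid, "qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1}

class ReplyFloodSourceCheck:
    """Count replies per source in 1-second windows; above the threshold, probe the source."""
    def __init__(self, threshold_pps, send_probe):
        self.threshold = threshold_pps
        self.send_probe = send_probe  # hypothetical transport: (src_ip, query) -> reply bytes or None
        self.window = defaultdict(lambda: [0.0, 0])  # src_ip -> [window_start, count]
        self.verdict = {}  # src_ip -> "pass" or "drop", fixed once the source has been probed

    def on_reply(self, src_ip, pkt, now):
        """Return the action for one DNS reply packet from src_ip observed at time now."""
        if len(pkt) < 12 or parse_header(pkt)["qr"] != 1:
            return "not-a-reply"
        if src_ip in self.verdict:
            return self.verdict[src_ip]
        win = self.window[src_ip]
        if now - win[0] >= 1.0:
            win[0], win[1] = now, 0
        win[1] += 1
        if win[1] <= self.threshold:
            return "pass"
        # Threshold exceeded: act as the Zone and ask the source a real question.
        txid = secrets.randbelow(0x10000)
        answer = self.send_probe(src_ip, build_query(txid, "example.com"))
        hdr = parse_header(answer) if answer and len(answer) >= 12 else None
        genuine = hdr is not None and hdr["qr"] == 1 and hdr["id"] == txid
        self.verdict[src_ip] = "pass" if genuine else "drop"
        return self.verdict[src_ip]

# Constructed transports: a real DNS server answers the probe with QR=1 and the same ID;
# a spoofed source (the flood is forged in its name) never answers.
def real_server_transport(src_ip, query):
    return struct.pack("!HH", parse_header(query)["id"], 0x8180) + query[4:]
def spoofed_source_transport(src_ip, query):
    return None
FLOOD_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + build_query(0, "example.com")[12:]  # constructed flood reply (QR=1)
```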