Configuring Route 53 for cost protection from NXDOMAIN attacks - AWS Best Practices for DDoS Resiliency

Configuring Route 53 for cost protection from NXDOMAIN attacks

NXDOMAIN attacks occur when attackers flood a hosted zone with queries for sub-domains that do not exist, often relayed through otherwise legitimate open or ISP recursive resolvers so the traffic cannot simply be dropped by source. The aim may be to exhaust the cache of the recursive resolver, to degrade the availability of the authoritative name servers, or simply reconnaissance: probing for which records do exist in the hosted zone. Using Route 53 as your authoritative DNS service mitigates the availability and performance risk, but every one of those queries is still billed as a standard query, so the result can be a significant increase in your monthly Route 53 bill. To protect against this cost, take advantage of Route 53 pricing, under which DNS queries are free when both of the following are true:

  • The domain or subdomain name (example.com or store.example.com) and the record type (for example, A) in the query match an alias record.

  • The alias target is an AWS resource other than another Route 53 record.

Create a wildcard record, for example *.example.com, of type A with the Alias option, pointing at an AWS resource that Route 53 accepts as an alias target, such as an Elastic Load Balancer or a CloudFront distribution. (An EC2 instance is not a valid alias target; an A record that carries the instance's IP address directly is a standard record and is billed per query.) When a query for qwerty12345.example.com is made, Route 53 answers with the addresses of the target instead of NXDOMAIN, and you are not charged for the query.

Two points to check before relying on this:

  • The query's record type must match the alias record. A wildcard A alias covers A queries only; a flood of AAAA (or any other type) queries for random names still gets an empty NOERROR answer and is still billed. If the target supports IPv6 (a dualstack load balancer, or a CloudFront distribution with IPv6 enabled), create a wildcard AAAA alias as well.

  • The alias target now receives connections for any hostname under your domain, so make sure it handles unknown Host headers safely: on an Application Load Balancer, use host-based listener rules with a fixed-response default rule rather than forwarding everything to a target group; CloudFront only serves hostnames configured as alternate domain names on the distribution and rejects the rest.
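The following script is an added example, not code from the AWS whitepaper. It builds the change batch for the wildcard alias records described above (both A and AAAA, so that AAAA floods are covered too), refuses a target that is just another record in the same hosted zone (which would still be billed), and applies it with the AWS CLI only when asked. The hosted zone ID and the load balancer DNS name are hypothetical placeholders; the load balancer's hosted zone ID is the published value for Application Load Balancers in us-east-1 and should be confirmed against `CanonicalHostedZoneId` from `aws elbv2 describe-load-balancers`.

```sh
#!/bin/sh
# Added example (not part of the AWS whitepaper): create wildcard alias records
# so queries for non-existent subdomains return the alias target instead of
# NXDOMAIN and fall under Route 53's free alias-query pricing.
set -e

# CloudFront distributions always use this fixed, AWS-published hosted zone ID.
CLOUDFRONT_HOSTED_ZONE_ID="Z2FDTNDATAQYW2"

# Print a change batch with one UPSERT per requested record type.
#   $1 = hosted zone ID being edited
#   $2 = record name, e.g. "*.example.com"
#   $3 = alias target DNS name (ELB or CloudFront domain name)
#   $4 = alias target hosted zone ID
#   $5... = record types to create (A, AAAA)
# Fails if the target lives in the zone being edited: an alias to another
# Route 53 record is still billed per query and gives no cost protection.
wildcard_alias_change_batch() {
  zone_id="$1"; name="$2"; target="$3"; target_zone="$4"; shift 4
  if [ "$target_zone" = "$zone_id" ]; then
    echo "alias target is a record in the same hosted zone; queries would be billed" >&2
    return 1
  fi
  if [ $# -eq 0 ]; then
    echo "at least one record type is required" >&2
    return 1
  fi
  changes=""
  for rtype in "$@"; do
    if [ -n "$changes" ]; then changes="$changes,"; fi
    # EvaluateTargetHealth is false: this record exists for cost protection,
    # not failover, so answer even if the target is unhealthy.
    changes="$changes
    {\"Action\": \"UPSERT\",
     \"ResourceRecordSet\": {
       \"Name\": \"$name\",
       \"Type\": \"$rtype\",
       \"AliasTarget\": {
         \"HostedZoneId\": \"$target_zone\",
         \"DNSName\": \"$target\",
         \"EvaluateTargetHealth\": false}}}"
  done
  printf '{"Comment": "wildcard alias records for NXDOMAIN cost protection",\n "Changes": [%s\n ]}\n' "$changes"
}

# Hypothetical values for the worked run below.
HOSTED_ZONE_ID="Z0123456789ABCDEFGHIJ"                          # your zone for example.com
ALB_DNS_NAME="my-alb-123456789.us-east-1.elb.amazonaws.com"     # placeholder ALB
ALB_HOSTED_ZONE_ID="Z35SXDOTRQ7X7K"   # ALB hosted zone ID for us-east-1; confirm via describe-load-balancers

# Build the batch for A and AAAA. The AAAA record only resolves if the load
# balancer is dualstack; Route 53 otherwise returns an empty answer for it.
batch=$(wildcard_alias_change_batch "$HOSTED_ZONE_ID" "*.example.com" \
          "$ALB_DNS_NAME" "$ALB_HOSTED_ZONE_ID" A AAAA)

# Print for review by default; apply only with --apply.
if [ "${1:-}" = "--apply" ]; then
  aws route53 change-resource-record-sets \
    --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$batch"
else
  echo "$batch"
fi
```

Run it without arguments to inspect the JSON, then with `--apply` once the hosted zone ID and target values are real. After the change propagates, `dig qwerty12345.example.com A` and `dig qwerty12345.example.com AAAA` should both return NOERROR with the target's addresses rather than NXDOMAIN.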