NEWS Anycast, TCP, and a Bit of Magic: The Internet's "Armor" Hackers Have Been Trying to Breach for Decades

ExcalibuR

We explain why it's practically impossible to harm the root DNS servers.

The stability and resilience of the internet rely largely on systems hidden from most users. One such foundation is the root DNS server system: the top of the name hierarchy, which tells resolvers where to find the authoritative servers for the top-level domains and so makes the conversion of domain names into IP addresses possible at all. Although the internet's architecture has no central control, the failure of this subsystem could lead to consequences comparable to a global network outage.

Root DNS servers are regularly targeted by attacks, above all distributed denial-of-service (DDoS) floods. Throughout their history, however, they have withstood such loads. The secret lies in replication of the root zone across many instances, infrastructure redundancy, and Anycast: every instance of a given root server letter announces the same IP prefix, and BGP delivers each query to the topologically nearest instance. A flood therefore lands mostly on the instances close to its sources rather than on a single server, and an operator can withdraw a saturated instance's announcement so that its catchment shifts to the next nearest site, which keeps the overall risk of overload low.
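The following toy model, added here as an illustration and not code from the article or from any root-server operator, shows the routing effect described above: several instances announce one address, each client region reaches the instance with the shortest BGP path, and a flood from one region saturates only the instance near it. The region names, path lengths, traffic figures and capacities are all constructed; real BGP selection has more tie-breakers than the path length used here.

```python
"""Toy model of anycast load distribution across root-server instances.

Added example, not code from the article or from any root-server operator.
Topology, region names, traffic figures and capacities are all constructed.
"""
from collections import defaultdict

# Constructed "BGP distance" (think AS-path length) from each client region to
# each instance announcing the same service prefix. Lower is preferred.
DISTANCE = {
    "eu":    {"ams": 1, "fra": 1, "nyc": 4, "sin": 6, "sao": 7},
    "us":    {"ams": 4, "fra": 4, "nyc": 1, "sin": 6, "sao": 4},
    "asia":  {"ams": 6, "fra": 6, "nyc": 6, "sin": 1, "sao": 8},
    "latam": {"ams": 7, "fra": 7, "nyc": 4, "sin": 8, "sao": 1},
}

# Constructed per-instance capacity in queries per second.
CAPACITY = {"ams": 1_000_000, "fra": 1_000_000, "nyc": 1_000_000,
            "sin": 1_000_000, "sao": 1_000_000}


def nearest_instance(region, withdrawn=(), distance=DISTANCE):
    """Pick the instance BGP would select for this region.

    Instances in `withdrawn` have stopped announcing the prefix (an operator
    response to a local flood) and are never chosen. Ties are broken by name
    for determinism; real BGP applies further tie-breakers.
    """
    candidates = {i: d for i, d in distance[region].items() if i not in withdrawn}
    if not candidates:
        raise RuntimeError("no instance reachable from %s" % region)
    return min(sorted(candidates), key=candidates.get)


def distribute(traffic, withdrawn=(), distance=DISTANCE):
    """Map {region: qps} to {instance: qps} using nearest-instance routing."""
    load = defaultdict(int)
    for region, qps in traffic.items():
        load[nearest_instance(region, withdrawn, distance)] += qps
    return dict(load)


def overloaded(load, capacity=CAPACITY):
    """Instances receiving more queries per second than they can answer."""
    return sorted(i for i, q in load.items() if q > capacity[i])


def unicast_load(traffic):
    """The same traffic against a single-instance (unicast) server, for comparison."""
    return {"single": sum(traffic.values())}


# Constructed scenario: normal background load plus a 4 Mqps botnet in Asia.
BASELINE = {"eu": 200_000, "us": 300_000, "asia": 150_000, "latam": 50_000}
FLOOD = dict(BASELINE, asia=BASELINE["asia"] + 4_000_000)

if __name__ == "__main__":
    print("unicast:", overloaded(unicast_load(FLOOD), {"single": 1_000_000}))
    spread = distribute(FLOOD)
    print("anycast:", spread, "overloaded:", overloaded(spread))
    # Withdrawing the saturated instance moves Asia's queries, flood included,
    # to the next nearest site, so withdrawal protects the site, not the service.
    shifted = distribute(FLOOD, withdrawn=("sin",))
    print("after withdrawing sin:", shifted, "overloaded:", overloaded(shifted))
```

With the anycast layout only the Singapore instance is over capacity while Europe, the US and Latin America keep being answered by their own instances; the unicast comparison shows the same flood taking the single server down for everyone.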

According to data from the NETSCOUT ATLAS platform, several dozen DDoS attacks against various root DNS servers were recorded over the past year. The largest, in August 2025, peaked at 21 Gbps. Interestingly, the volume of malicious traffic reaching different server instances varies considerably, which may reflect historical routing, the specifics of network topology, or simply the popularity of a particular address.

Although every root server instance serves the same root zone data, the load is distributed unevenly among them. The majority of DNS queries are short, localized packets that are answered quickly, so even a high level of unwanted traffic leaves the overall load relatively moderate. The gradual increase in DNS-over-TCP usage, which costs a server connection state that UDP does not, has not yet led to a significant rise in attacks in this direction.
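To make the "short packets" point concrete, here is an added example (not code from the article) that builds and parses the root priming query a resolver sends to a root server, frames it as DNS over TCP, and converts the article's 21 Gbps figure into the packet rate it implies for minimum-size queries. Field layouts follow the DNS wire format; the transaction ID, the sample response with the TC bit set, and the header-size arithmetic (IPv4 plus UDP, no link-layer framing) are constructed assumptions.

```python
"""Minimal DNS wire-format helpers: root priming query, TC bit, TCP framing.

Added example, not code from the article. Layouts follow the DNS wire format;
the sample values below are constructed.
"""
import struct

QTYPE_A, QTYPE_NS, QCLASS_IN = 1, 2, 1


def encode_name(name):
    """'.' -> b'\\x00'; 'a.root-servers.net' -> length-prefixed labels + root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname=".", qtype=QTYPE_NS, txid=0x1234, rd=True):
    """12-byte header + question section; '. NS' is the root priming query."""
    flags = 0x0100 if rd else 0x0000            # QR=0, opcode=0, RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the fixed header; TC=1 tells the client to retry over TCP."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def decode_name(msg, offset):
    """Read one uncompressed name, returning (name, next_offset)."""
    labels = []
    while True:
        n = msg[offset]
        if n & 0xC0:                            # compression pointer: not valid in a question
            raise ValueError("compressed label in question")
        offset += 1
        if n == 0:
            break
        labels.append(msg[offset:offset + n].decode("ascii"))
        offset += n
    return (".".join(labels) + ".") if labels else ".", offset


def parse_question(msg):
    """Return (qname, qtype, qclass) of the first question."""
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return name, qtype, qclass


def truncated_response(query):
    """Constructed server reply with QR=1 and TC=1: 'answer too big, use TCP'."""
    txid = parse_header(query)["id"]
    return struct.pack("!HHHHHH", txid, 0x8300, 1, 0, 0, 0) + query[12:]


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a byte stream into complete messages; returns (messages, leftover)."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        n = struct.unpack("!H", stream[pos:pos + 2])[0]
        if pos + 2 + n > len(stream):
            break                               # partial message: wait for more bytes
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs, stream[pos:]


def packets_per_second(bits_per_second, dns_payload_len, ipv4=True):
    """Packet rate a flood of this bit rate implies for queries of this size.

    Assumes IPv4 (20 bytes) or IPv6 (40 bytes) plus UDP (8 bytes) headers and
    ignores link-layer framing, so the result is an upper bound on the rate.
    """
    wire = dns_payload_len + 8 + (20 if ipv4 else 40)
    return bits_per_second // (wire * 8)


if __name__ == "__main__":
    q = build_query()
    print("priming query bytes:", len(q), parse_question(q))
    print("TC set in reply:", parse_header(truncated_response(q))["tc"])
    print("21 Gbps of priming queries ~ %d packets/s" % packets_per_second(21_000_000_000, len(q)))
```

The priming query is 17 bytes of DNS payload, so a 21 Gbps flood of such packets is tens of millions of packets per second; for a DNS server the packet rate, not the bit rate, is the cost, which is why small-query floods are the usual shape of these attacks. The `tcp_unframe` helper shows the extra work a TCP server takes on: it must buffer a stream and reassemble messages per connection, state that UDP service does not need.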

Among the factors behind the resilience of the root DNS infrastructure are architectural simplicity, geographic distribution of instances, diversity of operators and management approaches, and constant monitoring by technically skilled staff. It is difficult to transfer these principles wholesale to other parts of the internet, but they can serve as a guide for building more reliable systems.

Monitoring attacks on root servers not only provides a better understanding of the threat landscape but also helps identify potential attack vectors for other critical network resources in a timely manner. Even if such incidents remain unnoticed by end-users, they serve as indicators of malicious activity and help assess the infrastructure's readiness for large-scale challenges.