This document discusses analyzing DNS data to detect DNS-based distributed denial-of-service (DDoS) attacks. It finds that random subdomain attacks and attacks using open home gateways and bot malware are increasingly common. These attacks strain DNS resolvers and authoritative servers by generating large volumes of recursive queries with randomized subdomains. The document recommends filtering DNS traffic at the ingress of resolvers to minimize workload and stress, while still allowing legitimate queries by using near-real-time blocklists and whitelisting valid subdomains for popular domains.
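The recommended ingress filter can be sketched as follows. This is an added example, not code from the summarized document: it builds a blocklist from a short window of queries and still answers names on a list of valid subdomains. The threshold, the two-label zone guess, the function names and the sample queries are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed tuning value, not taken from the document: distinct unknown
# names per window before a domain is placed on the blocklist.
UNIQUE_NAME_THRESHOLD = 5

def normalize(qname):
    return qname.rstrip(".").lower()

def registered_domain(qname):
    """Naive zone guess (last two labels); production code would use the Public Suffix List."""
    return ".".join(normalize(qname).split(".")[-2:])

def build_blocklist(window, valid_names):
    """Flag domains receiving many distinct names that are not known-valid subdomains."""
    unknown = defaultdict(set)
    for qname in window:
        name = normalize(qname)
        if name not in valid_names:
            unknown[registered_domain(name)].add(name)
    return {dom for dom, names in unknown.items()
            if len(names) >= UNIQUE_NAME_THRESHOLD}

def filter_query(qname, blocklist, valid_names):
    """Ingress decision made before the resolver spends any recursion work."""
    name = normalize(qname)
    if registered_domain(name) not in blocklist:
        return "allow"
    # Domain is under attack: only known-valid subdomains are still resolved.
    return "allow" if name in valid_names else "drop"

# Constructed sample data (not real traffic).
VALID_NAMES = {"example.com", "www.example.com", "mail.example.com"}
WINDOW = [
    "www.example.com.", "qx7f2k.example.com.", "a9zzp1.example.com.",
    "m3n8vd.example.com.", "t0plw4.example.com.", "zr5c6y.example.com.",
    "h2jk9b.example.com.", "qx7f2k.example.com.", "mail.example.com.",
    "www.example.org.", "ftp.example.org.",
]

if __name__ == "__main__":
    blocklist = build_blocklist(WINDOW, VALID_NAMES)
    for q in ["www.example.com.", "zz81kq.example.com.", "ftp.example.org."]:
        print(q, filter_query(q, blocklist, VALID_NAMES))
```

The window would be rebuilt every few seconds so that the blocklist tracks the attack in near real time and domains drop off it once the random-name flood stops.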