
DNS Amplification (DDoS)

A reflection/amplification attack that weaponizes open DNS resolvers — turning small spoofed queries into massive floods of traffic aimed at victims.

The Attack

Reflection + Amplification

DNS amplification is a two-part attack. Reflection means the attacker uses a third party (the resolver) to send traffic to the victim — keeping the attacker's identity hidden and distributing attack load. Amplification means the response is much larger than the query, multiplying the attacker's bandwidth many times over.

The attacker sends a small DNS query (typically 40–60 bytes) with a spoofed source IP (the victim's address) to an open DNS resolver. The resolver sends the full response — which can be 3,000+ bytes for an ANY query — to the victim. With thousands of open resolvers and a botnet of spoofing sources, attackers can generate hundreds of Gbps of traffic.

DNS amplification was the dominant DDoS vector around 2013–2016, producing attacks in the hundreds of Gbps. The March 2013 attack on Spamhaus (roughly 300 Gbps, built from ANY queries bounced off open resolvers) caused congestion at several internet exchanges and made global headlines.

Key figures: up to ~100× amplification for ANY queries against signed zones; 28M+ open resolvers measured at the 2013 peak.
Why UDP Makes This Possible

DNS uses UDP by default: a connectionless transport with no handshake, so a resolver answers whatever source address the packet carries and IP source spoofing is trivial. TCP (which DNS falls back to for responses that do not fit in UDP) requires a three-way handshake; a spoofed SYN draws only a small SYN-ACK, so there is nothing to amplify. DNS over QUIC (DoQ, RFC 9250) inherits QUIC's address validation, under which a server may send at most three times the bytes it has received from an unvalidated address, so a DoQ listener cannot serve as a high-ratio reflector. That only helps once plain UDP/53 resolvers are closed or rate-limited, though: an attacker simply keeps using port 53.
Attack Flow

How a DNS Amplification Attack Unfolds

1. Attacker identifies open resolvers

The attacker scans the internet for DNS resolvers that answer recursive queries from any source IP (open resolvers). Tools like Masscan or Shodan can enumerate millions in hours.

2. Craft a high-amplification query

The attacker picks a query type with a high amplification ratio. ANY queries, or queries against DNSSEC-signed zones (whose answers carry large RRSIG and DNSKEY records), can produce responses 50–100× the query size. The query carries an EDNS0 OPT record advertising a large UDP buffer (typically 4096 bytes); without it the resolver caps the UDP response at 512 bytes and sets the TC bit, and the amplification collapses.

3. Spoof the victim's IP as source

Each query is sent with the victim's IP as the source address. UDP has no connection state, so the resolver accepts the query and addresses its response to whatever source IP the packet claims, without verification.

4. Resolvers flood the victim

Thousands of open resolvers each send their amplified response to the victim. 10,000 resolvers × 3 KB response = 30 MB per query wave; at 1,000 queries per second per resolver that is about 30 GB/s, or roughly 240 Gbps, arriving at the victim, while the attacker's spoofing sources only have to emit a few Gbps of 60-byte queries.

5. Victim's bandwidth and infrastructure overwhelmed

The victim's upstream link saturates and its web servers become unreachable. Even scrubbing services and anycast providers can be overwhelmed at sufficient scale.
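Seen from the abused resolver, the attack in steps 3 and 4 looks like one "client" (the spoofed victim address) sending a burst of high-amplification queries. The detector below is an added example, not code from this page: it parses BIND-style query-log lines (the sample lines are constructed, and the amplification weights are the rough figures used on this page, not measurements), buckets queries per client address and second, and flags addresses whose traffic is dominated by ANY/DNSKEY/TXT queries with EDNS0. Function names, thresholds and the log format details are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Rough response-size multipliers per query type, matching the figures used on
# this page; they only weight the score, they are not measurements.
AMP = {"ANY": 50, "DNSKEY": 34, "TXT": 8, "NS": 8, "A": 1, "AAAA": 1, "MX": 2}

# BIND-style querylog line (assumed format). The "@0x..." client handle and the
# "queries: info:" category prefix are optional because not every version prints them.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(?:queries: info: )?client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse(line):
    """One log line -> dict with ip, port, qname, qtype, edns flag, second bucket."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["second"] = datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S")
    d["port"] = int(d["port"])
    d["edns"] = "E(" in d["flags"]          # BIND prints E(<version>) when an OPT RR is present
    return d

def find_reflection_victims(lines, min_qps=20, min_weighted=500):
    """Return {client_ip: details} for client addresses that look like reflection
    targets: many queries in one second, dominated by high-amplification types.
    The flagged address is the *victim*, not the attacker."""
    buckets = defaultdict(list)              # (ip, second) -> [parsed records]
    for line in lines:
        rec = parse(line)
        if rec:
            buckets[(rec["ip"], rec["second"])].append(rec)
    flagged = {}
    for (ip, second), recs in buckets.items():
        qps = len(recs)
        weighted = sum(AMP.get(r["qtype"], 1) for r in recs)
        high = sum(1 for r in recs if AMP.get(r["qtype"], 1) >= 8)
        if qps >= min_qps and weighted >= min_weighted and high / qps >= 0.8:
            ports = {r["port"] for r in recs}
            flagged[ip] = {
                "qps": qps,
                "weighted": weighted,
                "edns_fraction": sum(r["edns"] for r in recs) / qps,
                "fixed_port": len(ports) == 1,       # spoofing tools often hard-code one port
                "qnames": sorted({r["qname"] for r in recs}),
            }
    return flagged

# Constructed sample: 30 ANY queries in one second claiming to come from
# 203.0.113.7 (the reflection victim), plus ordinary traffic from 192.0.2.10.
SAMPLE = [
    f"01-Mar-2024 12:00:00.{i:03d} client @0x7f1c0 203.0.113.7#53 (example.org): "
    f"query: example.org IN ANY +E(0) (192.0.2.53)"
    for i in range(30)
] + [
    "01-Mar-2024 12:00:00.500 client @0x7f1c1 192.0.2.10#41002 (www.example.com): "
    "query: www.example.com IN A +E(0) (192.0.2.53)",
    "01-Mar-2024 12:00:00.620 client @0x7f1c2 192.0.2.10#41003 (www.example.com): "
    "query: www.example.com IN AAAA +E(0) (192.0.2.53)",
]

if __name__ == "__main__":
    for ip, info in find_reflection_victims(SAMPLE).items():
        print(ip, info)
```

The address this reports is the one being attacked, so blocking it in a firewall punishes the victim; the right responses are an allow-recursion ACL, response rate limiting, and a report to the victim's operator.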

Attack Surface

Amplification Factors by Query Type

Not all queries amplify equally — attackers choose query types that maximize damage

Query Type   Query Size   Response Size   Amplification   Notes
ANY          ~60 B        ~3,000 B        ~50×            Returns all records; RFC 8482 lets servers answer ANY with a minimal response, and many resolvers now do
DNSKEY       ~50 B        ~1,700 B        ~34×            Returns the zone's DNSSEC public keys; large for RSA-signed zones
TXT (SPF)    ~55 B        ~450 B          ~8×             SPF records with many includes produce large responses
A (DNSSEC)   ~55 B        ~600 B          ~11×            A record plus its RRSIG; a signed negative answer adds NSEC/NSEC3 records and their signatures as well
NS           ~45 B        ~350 B          ~8×             Domains with many NS records and glue amplify more
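To see where the sizes in this table come from, and why step 2 of the attack flow needs EDNS0, here is an added example (not code from this page) that builds a DNS query in wire format with and without an OPT record, builds a constructed ANY answer for a signed zone, applies the 512-byte UDP limit a server enforces for clients without EDNS0, and computes the amplification ratio. The zone records are constructed and the DNSKEY/RRSIG bytes are filler of realistic RSA sizes, not real DNSSEC material; names are written uncompressed, so the response is an upper bound on what a real server sends.

```python
import struct

QTYPE = {"A": 1, "NS": 2, "TXT": 16, "AAAA": 28, "RRSIG": 46, "DNSKEY": 48, "ANY": 255}
IP_UDP_OVERHEAD = 28   # IPv4 header (20) + UDP header (8): what the link actually carries

def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(buf, off):
    """Offset just past an uncompressed name starting at `off`."""
    while buf[off]:
        off += buf[off] + 1
    return off + 1

def build_query(name, qtype, edns_bufsize=None, txid=0x1234):
    """Header with RD set, one question, and an EDNS0 OPT RR if a buffer size is given."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size the client accepts,
        # TTL = extended RCODE/flags (0), RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg

def advertised_bufsize(query):
    """UDP payload size the client advertised, or 512 (RFC 1035 limit) without EDNS0."""
    arcount = struct.unpack("!H", query[10:12])[0]
    off = skip_name(query, 12) + 4                      # past QTYPE/QCLASS
    if arcount and len(query) >= off + 5 and query[off] == 0 \
            and struct.unpack("!H", query[off + 1:off + 3])[0] == 41:
        return struct.unpack("!H", query[off + 3:off + 5])[0]
    return 512

def rr(name, rtype, rdata, ttl=300):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", QTYPE[rtype], 1, ttl, len(rdata)) + rdata

def build_response(query, answers):
    """Full answer: echoes the question, appends the records, and copies back the
    client's OPT RR if it sent one."""
    qend = skip_name(query, 12) + 4
    question, extra = query[12:qend], query[qend:]
    txid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 1 if extra else 0)
    return hdr + question + b"".join(rr(n, t, d) for n, t, d in answers) + extra

def udp_reply(query, full_response):
    """What actually leaves over UDP: the full answer if it fits the advertised size,
    otherwise just header (TC=1) plus question, telling the client to retry over TCP."""
    if len(full_response) <= advertised_bufsize(query):
        return full_response
    qend = skip_name(query, 12) + 4
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 0) + query[12:qend]

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

def amplification(query, reply, on_wire=True):
    """Bytes sent to the victim per byte the attacker sent, optionally counting IP/UDP headers."""
    o = IP_UDP_OVERHEAD if on_wire else 0
    return (len(reply) + o) / (len(query) + o)

# Constructed ANY answer for a DNSSEC-signed zone. Key and signature bytes are
# filler of realistic RSA-2048 / RSA-1024 sizes, not real DNSSEC material.
SPF = b"v=spf1 include:_spf.example.com ~all"
ZONE_ANY = [
    ("example.com", "A", bytes([192, 0, 2, 10])),
    ("example.com", "AAAA", bytes.fromhex("20010db8" + "00" * 11 + "10")),
    ("example.com", "NS", encode_name("ns1.example.com")),
    ("example.com", "NS", encode_name("ns2.example.com")),
    ("example.com", "TXT", bytes([len(SPF)]) + SPF),
    ("example.com", "DNSKEY", b"\x01\x01\x03\x08" + b"\xab" * 257),   # KSK, 2048-bit RSA
    ("example.com", "DNSKEY", b"\x01\x00\x03\x08" + b"\xcd" * 129),   # ZSK, 1024-bit RSA
] + [("example.com", "RRSIG", b"\x00" * 18 + encode_name("example.com") + b"\xef" * 256)
     for _ in range(6)]                                                  # one RRSIG per RRset

if __name__ == "__main__":
    for bufsize in (None, 4096):
        q = build_query("example.com", "ANY", bufsize)
        reply = udp_reply(q, build_response(q, ZONE_ANY))
        print(f"EDNS0 bufsize={bufsize}: query {len(q)} B, UDP reply {len(reply)} B, "
              f"TC={is_truncated(reply)}, amplification {amplification(q, reply):.1f}x on the wire")
```

Without an OPT record the 40-byte query earns a 29-byte truncated reply (ratio ~1); with a 4096-byte EDNS0 buffer the same question pulls the whole 2.5 KB answer. Counting the IP and UDP headers on both sides lowers the headline ratio noticeably, which is why published figures for the same query type vary.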
Mitigations

Defending Against Amplification Attacks

Close Open Resolvers

The most important mitigation. Configure your recursive resolvers to answer recursive queries only from authorized networks (your own IPs, your customers). Use access control lists (ACLs) in BIND, Unbound, or PowerDNS; on an authoritative-only server turn recursion off altogether. An open resolver that answers anyone is a DDoS weapon waiting to be used.

# BIND (named.conf) — restrict recursion to your own networks
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; 198.51.100.0/24; };
};
Response Rate Limiting (RRL)

RRL limits how many identical (or near-identical) responses an authoritative nameserver sends per second toward a given client address (aggregated per /24 by default), dropping the excess once a per-response credit balance is exhausted. A slip setting sends every Nth limited response as a truncated (TC=1) reply instead of dropping it, so a genuine client at the attacked address retries over TCP while a spoofing attacker gains nothing. It is implemented in BIND (rate-limit), NSD (rrl-ratelimit) and Knot DNS; Unbound's ip-ratelimit gives recursive servers a comparable per-client limit. RRL is specified in the ISC technical note "DNS Response Rate Limiting" (Vixie and Schryver, 2012) rather than in an RFC; RFC 8482, which allows minimal answers to ANY, is the complementary measure.

# BIND RRL configuration (named.conf, inside options)
options {
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
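To make the responses-per-second, window and slip settings concrete, here is an added example (not BIND's code and not from this page) of a simplified response rate limiter in the style of BIND's rate-limit block: identical responses share a credit balance keyed on the client's /24 prefix, qname, qtype and rcode; the balance refills at responses-per-second up to window × responses-per-second; once it is exhausted, responses are dropped except that every slip-th limited response goes out truncated. The starting balance, the refill granularity and the event stream are this example's assumptions, and the burst is constructed.

```python
from ipaddress import ip_network

class ResponseRateLimiter:
    """Simplified model of DNS Response Rate Limiting (assumed behaviour, not BIND's
    implementation). Each account holds a credit balance that refills at
    responses_per_second and is capped at window * responses_per_second."""

    def __init__(self, responses_per_second=5, window=5, slip=2, ipv4_prefix_len=24):
        self.rps = responses_per_second
        self.cap = responses_per_second * window
        self.slip = slip
        self.prefix_len = ipv4_prefix_len
        self.accounts = {}        # key -> [balance, last_refill_second, limited_count]

    def _key(self, client_ip, qname, qtype, rcode):
        # Identical responses are aggregated per client *prefix*: a spoofing attacker
        # can vary the low bits of the victim address, so per-host limits are too weak.
        net = ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower(), qtype, rcode)

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Verdict for one response at time `now` (seconds): 'send', 'slip' or 'drop'."""
        key = self._key(client_ip, qname, qtype, rcode)
        acct = self.accounts.setdefault(key, [self.rps, int(now), 0])  # starts with one second of credit
        elapsed = int(now) - acct[1]
        if elapsed > 0:                       # refill in whole seconds, never above the cap
            acct[0] = min(self.cap, acct[0] + elapsed * self.rps)
            acct[1] = int(now)
        if acct[0] > 0:
            acct[0] -= 1
            return "send"
        acct[2] += 1                          # over the limit: drop, or slip a TC=1 reply
        if self.slip and acct[2] % self.slip == 0:
            return "slip"                     # truncated reply: a real client retries over TCP
        return "drop"

def simulate(limiter, events):
    """events: (time, client_ip, qname, qtype). Returns a count per verdict."""
    counts = {"send": 0, "slip": 0, "drop": 0}
    for t, ip, qname, qtype in events:
        counts[limiter.decide(t, ip, qname, qtype)] += 1
    return counts

# Constructed burst: 100 identical ANY responses toward one spoofed address within
# one second, as an abused authoritative server would see, plus one ordinary
# client in a different /24 asking the same question.
ATTACK = [(i / 100, "203.0.113.7", "example.org", "ANY") for i in range(100)]
LEGIT = [(0.5, "192.0.2.10", "example.org", "ANY")]

if __name__ == "__main__":
    rrl = ResponseRateLimiter(responses_per_second=5, window=5, slip=2)
    print("attack burst:", simulate(rrl, ATTACK))
    print("legit client:", simulate(rrl, LEGIT))
    print("same victim, next second:", rrl.decide(1.0, "203.0.113.7", "example.org", "ANY"))
```

With rps 5, window 5 and slip 2, the 100-response burst yields 5 full answers, 47 truncated replies and 48 drops: the reflector's output toward the victim falls from ~100 large answers to 5 large plus 47 tiny ones, while a client in another /24 is untouched and the victim's own resolver, if it really asked, gets a TC reply it can follow up over TCP.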
BCP38 Source Address Validation

BCP38 (RFC 2827) recommends that ISPs drop outbound packets whose source address does not belong to the customer network they arrived from; BCP84 (RFC 3704) extends the guidance to multihomed networks. If every ISP implemented this, spoofed packets could not leave their origin network and reflection attacks would disappear entirely. Deployment is still partial; the MANRS initiative tracks ISP adoption.

# Check whether your own network allows spoofing:
#   https://spoofer.caida.org
# The CAIDA Spoofer client tests whether your network blocks
# transmission of packets with spoofed source addresses.
Anycast + DDoS Scrubbing

Authoritative nameservers using anycast distribute attack traffic across hundreds of nodes globally — no single node is overwhelmed. Pair with upstream DDoS scrubbing services (Cloudflare Magic Transit, Akamai Prolexic) that absorb and filter attack traffic before it reaches your infrastructure.

# Look up the nameservers, then trace the path to one of them
dig thedns.guru NS +short
traceroute ns1.cloudflare.com
# Each geographic location routes to the nearest anycast node, so one
# traceroute only shows your own node; repeat from several vantage
# points (for example RIPE Atlas probes) and compare the final hops.
Check if your resolver is open

dig +short test.openresolver.com TXT @YOUR-RESOLVER-IP

If it returns "open-resolver-detected", your resolver answers queries from any source and should be restricted immediately.