How Open DNS Resolvers are used for DNS Amplification attacks?

A DNS resolver is a recursive DNS server that helps us answer the question: what is the IP address of a particular server, for example, what is the IP address of the server If the DNS resolver you query knows the answer, because someone has already asked it recently and the answer is cached, it responds. If it doesn’t, it passes the request on to the authoritative DNS for the domain.

Typically, an ISP’s DNS resolvers are setup to only answer requests from the ISP’s clients. But misconfigured name servers on the Internet that have recursion enabled and provide recursive DNS responses known as “open resolvers” accept queries from anyone on the Internet. These are highly insecure DNS servers and are a ripe tool for DNS amplification attacks.

DNS queries are usually sent via the UDP protocol. UDP is a fire-and-forget protocol, meaning that there is no handshake to establish that where a packet says it is coming from actually is where it is coming from. This means, an attacker can spoof the header of a UDP packet to say it is coming from a particular IP ( the one which the attacker wants to attack) and send that spoofed packet to an open DNS resolver. The DNS resolver will reply back with a response to the spoofed IP address with an answer to whatever question was asked.


To amplify an attack, the attacker asks a question that will result in a very large response. For example, the attacker may request all the DNS records for a particular zone. Or they may request the DNSSEC records which, often, are extremely large. In this way, the attacker can send a relatively small UDP request and use open resolvers to send back at the target a crippling amount of traffic which severely affects the server under attack as well as the network as large.

If you are running open resolvers on your E2E server, we request you to stop this service immediately. It is an open invitation for potential DNS amplification attacks and detrimental not only to your server’s uptime but the whole network.