DNS queries are usually sent over UDP. UDP is a connectionless, fire-and-forget protocol: there is no handshake to verify that a packet really comes from the source address it claims. An attacker can therefore forge the source address of a UDP packet to be the IP of the intended victim and send that spoofed packet to an open DNS resolver. The resolver then sends its answer to the spoofed address, i.e. to the victim, rather than to the attacker.
To amplify the attack, the attacker asks a question that produces a very large response. For example, the attacker may request all the DNS records for a particular zone, or the DNSSEC records, which are often extremely large. In this way, the attacker sends a relatively small UDP request and uses open resolvers to direct a crippling amount of traffic at the target, which severely affects the server under attack as well as the network at large.
If you are running an open resolver on your E2E server, we ask that you stop this service immediately. It is an open invitation for DNS amplification attacks and detrimental not only to your server's uptime but to the whole network.
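A self-check for the situation described above, added here as an example (it is not part of the original notice or of any E2E tooling): run from a host outside your network, it sends one recursive query to your server and reports whether the server answered with recursion available, together with the reply-to-query size ratio, which is the amplification factor the same query would give an attacker. The fixed transaction id, the name example.com and the 2-second timeout are assumptions.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id for the self-check (constructed value)

def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query for `name` (type A by default) with RD set."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # RD = recursion desired
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def classify_reply(reply: bytes, query: bytes) -> dict:
    """Decode the reply header and judge whether the resolver served recursion."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != TXID:
        raise ValueError("transaction id mismatch")
    recursion_available = bool(flags & 0x0080)  # RA bit
    rcode = flags & 0x000F                       # 0 = NOERROR, 5 = REFUSED
    return {
        "recursion_available": recursion_available,
        "rcode": rcode,
        "answers": ancount,
        # An outside client should never get RA=1 plus an answer from your server.
        "open": recursion_available and rcode == 0 and ancount > 0,
        # Bytes returned per byte sent: the amplification this query yields.
        "amplification": len(reply) / len(query),
    }

def check_resolver(ip: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send the query over UDP to port 53 of `ip` and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, 53))
        reply, _ = s.recvfrom(4096)
    return classify_reply(reply, query)

if __name__ == "__main__":
    import sys
    print(check_resolver(sys.argv[1]))  # usage: python check_resolver.py <server-ip>
```

A correctly restricted resolver answers an outside client with RA=0 and REFUSED (or not at all); an "open": True result means the server is usable for amplification.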