A single attacker with a modest internet connection can generate a flood of traffic large enough to knock major services offline. They don't do it by having a massive connection of their own. They do it by tricking DNS servers across the internet into doing the work for them, turning a small request into a massive response aimed at their victim.
This is DNS amplification, one of the most powerful and widely used techniques in distributed denial-of-service (DDoS) attacks. It has been behind some of the largest DDoS attacks ever recorded, generating traffic measured in hundreds of gigabits and even terabits per second.
This guide explains how DNS amplification works, why DNS is the ideal protocol for it, what makes a server vulnerable, and how organizations can avoid both being a victim and being an unwitting participant.
What Is a DDoS Amplification Attack?
A denial-of-service attack aims to overwhelm a target with more traffic than it can handle, making it unavailable to legitimate users. A distributed denial-of-service (DDoS) attack does this from many sources at once.
Amplification is a technique that multiplies the attacker's firepower. Instead of sending attack traffic directly to the victim, the attacker sends small requests to third-party servers (reflectors) in a way that causes those servers to send much larger responses to the victim. The ratio between the small request and the large response is the amplification factor.
Two properties make amplification possible:
- Reflection: The attacker spoofs the source IP address of their requests to be the victim's IP. The third-party servers then send their responses to the victim, not the attacker.
- Amplification: The response is much larger than the request, so the attacker's bandwidth is multiplied as it's reflected toward the victim.
Why DNS Is Ideal for Amplification
DNS has several properties that make it one of the most effective amplification vectors:
UDP-Based and Connectionless
DNS primarily uses UDP, a connectionless protocol that doesn't verify the source of a request before responding. With TCP, the connection handshake confirms that the requester can actually receive traffic at the source address it claims before any data flows. With UDP, the server simply receives a query and sends a response to whatever source IP is listed, even if that IP is spoofed. This makes IP spoofing trivial, which is the foundation of reflection attacks.
Small Queries, Large Responses
A DNS query is tiny, often around 60 bytes. But DNS responses can be much larger, especially when the query asks for record types that return a lot of data. A query for ANY records, or for a domain with DNSSEC signatures, large TXT records, or many records, can produce a response many times larger than the query.
The amplification factor for DNS can range from roughly 28x to 54x for typical queries, and higher in some cases. A 60-byte query producing a 3,000-byte response is a 50x amplification. This means an attacker with 1 Gbps of bandwidth could potentially generate 50 Gbps of attack traffic.
Open Resolvers Everywhere
The internet is full of misconfigured DNS resolvers that answer queries from anyone (open resolvers). There are millions of them. Attackers use these as reflectors, sending spoofed queries that get amplified and reflected at the victim. The distributed nature of open resolvers also makes the attack come from many sources, complicating mitigation.
DNSSEC Increases Response Sizes
Ironically, DNSSEC, which improves DNS security by adding cryptographic signatures, also increases response sizes because of the additional signature data. This makes DNSSEC-signed zones potentially more attractive as amplification sources. This is also a concern for the future migration to post-quantum cryptography, which we covered in our article on PQC and DNS, since post-quantum signatures are dramatically larger and would increase amplification potential.
How a DNS Amplification Attack Works
Here's the step-by-step mechanism:
- The attacker identifies open DNS resolvers or authoritative servers that will respond to queries and produce large responses.
- The attacker crafts a small DNS query designed to elicit the largest possible response, often an ANY query or a query for a domain with large DNSSEC or TXT records.
- The attacker spoofs the source IP of the query to be the victim's IP address.
- The attacker sends these spoofed queries to thousands of open resolvers, often using a botnet to distribute the sending.
- Each resolver responds with a large answer, sending it to the victim's IP (because that's the spoofed source).
- The victim is flooded with large DNS responses from thousands of legitimate-looking resolvers, overwhelming their bandwidth and infrastructure.
From the victim's perspective, they're being hit by traffic from thousands of real DNS servers around the world, not from the actual attacker. This makes blocking difficult: the reflectors are legitimate servers, and the actual attacker's IP never appears in the attack traffic.
Real-World DNS Amplification Attacks
DNS amplification has powered some of the most significant DDoS attacks in history:
- The 2013 Spamhaus attack reached approximately 300 Gbps using DNS amplification, one of the largest attacks recorded at the time. It targeted the anti-spam organization Spamhaus and affected internet infrastructure more broadly.
- Numerous attacks since have used DNS amplification alongside other reflection vectors (NTP, memcached, SSDP) to reach increasingly large volumes. DNS remains a staple of the DDoS toolkit.
- Booter and stresser services, which sell DDoS attacks as a service, commonly include DNS amplification as one of their attack methods, making the technique accessible even to unsophisticated attackers.
Two Ways to Be Affected
Organizations need to think about DNS amplification from two angles:
Being the Victim
Your services are the target of the attack. You're flooded with reflected DNS traffic and your infrastructure becomes unavailable. Mitigation requires DDoS protection services, sufficient bandwidth, traffic scrubbing, and upstream filtering. Many organizations rely on managed DDoS protection from providers like Cloudflare, Akamai, or their cloud provider.
Being an Unwitting Reflector
Your DNS servers are used as the amplifiers in an attack against someone else. If you run an open resolver or a misconfigured authoritative server, attackers can use your infrastructure to attack others. This consumes your resources, can get your IP addresses blocklisted, and makes you an unwitting participant in an attack.
Both angles matter. The second is often overlooked, but every organization running DNS infrastructure has a responsibility to ensure they're not contributing to attacks.
How to Avoid Being a Reflector
Don't Run Open Resolvers
A recursive resolver should only answer queries from your own network, not from the entire internet. Configure your resolvers to respond only to queries from authorized clients. If you run a recursive resolver that answers anyone's queries, you're an open resolver and a potential amplification source.
Implement Response Rate Limiting (RRL)
Authoritative DNS servers can use Response Rate Limiting to cap how many identical responses they send to the same destination in a given time window. This limits the server's usefulness as an amplifier without affecting legitimate traffic, which rarely involves many identical queries in rapid succession.
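To make the mechanism concrete, here is a simplified model of RRL written for this article (it is not DNS Assistant's code, nor any DNS server's implementation). It assumes a hypothetical configuration of 5 responses per second per stream with a "slip" of 2, where every second excess response is sent truncated (TC=1) so that a genuine client behind a busy NAT can retry over TCP instead of being silently dropped:

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

class ResponseRateLimiter:
    """Simplified model of DNS Response Rate Limiting (RRL).

    Responses are bucketed by (client network, qname, qtype, rcode), so the
    same answer repeatedly sent to one /24 (IPv4) or /56 (IPv6) is one stream.
    Beyond responses_per_second in a one-second window, every `slip`-th excess
    response is sent truncated (TC=1, so a genuine client retries over TCP)
    and the rest are dropped.
    """

    def __init__(self, responses_per_second=5, slip=2):
        self.rps = responses_per_second
        self.slip = slip
        self.windows = {}               # stream key -> [window second, count]
        self.excess = defaultdict(int)  # stream key -> excess responses seen

    @staticmethod
    def stream_key(client_ip, qname, qtype, rcode):
        addr = ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 56
        net = ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper(), rcode)

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one response."""
        key = self.stream_key(client_ip, qname, qtype, rcode)
        second = int(now)
        window = self.windows.get(key)
        if window is None or window[0] != second:
            window = [second, 0]        # start a fresh one-second window
            self.windows[key] = window
        window[1] += 1
        if window[1] <= self.rps:
            return "send"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate_burst(limiter, client_ip, qname, qtype, count, start=100.0):
    """Feed `count` identical queries arriving within one second and return
    the decision tally, e.g. {'send': 5, 'slip': 7, 'drop': 8}."""
    tally = defaultdict(int)
    for i in range(count):
        tally[limiter.decide(start + i / 1000, client_ip, qname, qtype)] += 1
    return dict(tally)
```

Twenty identical ANY queries for one name arriving from a single /24 in one second (constructed scenario using the documentation address 203.0.113.7) yield 5 sent, 7 slipped and 8 dropped, while a query from another network is answered normally; real servers also add per-prefix limits for NXDOMAIN and error responses.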
Disable ANY Queries or Minimize Their Response
The ANY query type returns all records for a name, producing large responses ideal for amplification. Many DNS servers now refuse ANY queries or return minimal responses to them (as described in RFC 8482). Check whether your authoritative servers handle ANY queries safely.
Implement Source IP Verification (BCP 38)
Network operators should implement ingress filtering (BCP 38 / RFC 2827) to prevent spoofed packets from leaving their networks. If networks dropped packets with spoofed source IPs, reflection attacks would be impossible. This is a collective responsibility; widespread BCP 38 adoption would eliminate the spoofing that makes amplification work.
How to Defend as a Potential Victim
Use DDoS Protection
For most organizations, defending against large-scale amplification attacks requires a DDoS protection service that can absorb and scrub the traffic. These services have the bandwidth and infrastructure to handle attacks far larger than any single organization could withstand.
Over-Provision Bandwidth and Use Anycast
Anycast DNS distributes your authoritative servers across many locations sharing the same IP. This spreads attack traffic across the network rather than concentrating it on a single server, increasing resilience. Managed DNS providers use anycast extensively, which is one reason they handle DDoS attacks well.
Monitor for Anomalies
Detecting an attack early enables faster response. Monitoring DNS query patterns, traffic volumes, and response sizes helps identify when an attack is beginning or when your infrastructure is being used as a reflector.
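As an added example of the victim-side signal described above (written for this article, not part of DNS Assistant), the following script scans constructed flow records for the fingerprint of reflected DNS traffic: many distinct servers sending large UDP responses from port 53 to the same destination. The record format and the thresholds are assumptions for illustration; a real deployment would read NetFlow/IPFIX or firewall logs and tune the thresholds to its own baseline:

```python
import re
from collections import defaultdict

# Constructed sample flow records (documentation-range addresses, not real
# traffic): "<timestamp> <src>:<sport> -> <dst>:<dport> <proto> <bytes>".
SAMPLE_FLOWS = """\
2024-05-01T12:00:01Z 198.51.100.20:53 -> 203.0.113.7:44120 UDP 3124
2024-05-01T12:00:01Z 198.51.100.21:53 -> 203.0.113.7:44120 UDP 2980
2024-05-01T12:00:01Z 192.0.2.33:53 -> 203.0.113.7:44120 UDP 3301
2024-05-01T12:00:02Z 192.0.2.57:53 -> 203.0.113.7:44120 UDP 3055
2024-05-01T12:00:02Z 198.51.100.99:53 -> 203.0.113.7:44120 UDP 2890
2024-05-01T12:00:02Z 192.0.2.1:53 -> 192.0.2.10:51233 UDP 120
2024-05-01T12:00:03Z 192.0.2.1:53 -> 192.0.2.10:51240 UDP 95
2024-05-01T12:00:03Z 192.0.2.1:53 -> 192.0.2.10:51300 TCP 4200
"""

FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (UDP|TCP) (\d+)$")


def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, proto, nbytes = m.groups()
        records.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return records


def find_reflection_victims(records, min_sources=3, min_avg_bytes=1000):
    """Flag destinations receiving large UDP DNS responses (source port 53)
    from many distinct servers: the signature of reflected, amplified traffic.
    Thresholds are illustrative; tune them to your baseline."""
    by_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "count": 0})
    for r in records:
        if r["proto"] != "UDP" or r["sport"] != 53:
            continue  # TCP answers and non-DNS flows are not reflection traffic
        agg = by_dst[r["dst"]]
        agg["sources"].add(r["src"])
        agg["bytes"] += r["bytes"]
        agg["count"] += 1
    alerts = []
    for dst, agg in sorted(by_dst.items()):
        avg = agg["bytes"] / agg["count"]
        if len(agg["sources"]) >= min_sources and avg >= min_avg_bytes:
            alerts.append({"dst": dst, "sources": len(agg["sources"]),
                           "avg_bytes": round(avg), "total_bytes": agg["bytes"]})
    return alerts
```

On the sample data only 203.0.113.7 is flagged (5 distinct resolvers, about 3 KB per response), while the ordinary small answers to 192.0.2.10 from a single resolver stay below both thresholds; the same aggregation run on your authoritative server's own outbound traffic shows whether you are the reflector rather than the victim.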
Where DNS Assistant Fits
DNS amplification mitigation at the network level requires DDoS protection services and proper resolver configuration. DNS Assistant operates at a complementary layer: monitoring your authoritative DNS records and configuration to ensure your DNS posture is sound.
- Record monitoring: DNS Assistant tracks all your DNS records and alerts on changes. Unexpected changes to your records could indicate compromise or misconfiguration that affects your DNS infrastructure.
- DNSSEC monitoring: Since DNSSEC affects response sizes and amplification potential, monitoring your DNSSEC configuration helps you understand your exposure.
- Configuration visibility: Maintaining a clear picture of your DNS setup across all domains helps you ensure your authoritative servers are configured correctly and not contributing to attacks.
- Multi-channel alerting: Get notified of DNS changes via email, Slack, Microsoft Teams, webhooks, or SMS.
Strong DNS hygiene (knowing what's in your DNS, catching unexpected changes, and maintaining correct configuration) is part of a healthy overall DNS security posture that complements network-level DDoS defenses.
Check Your DNS Configuration
Use the DNS lookup tool at dnsassistant.com/tools to inspect your DNS records, or run a Free Domain Risk Report for a comprehensive view of your DNS configuration, including DNSSEC status.
For continuous monitoring of your DNS records and configuration with real-time alerting, sign up at dnsassistant.com.
This article explains DNS amplification for educational and defensive purposes. Understanding how these attacks work is essential for defending against them and for ensuring your own infrastructure isn't used to attack others.