Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

DNS amplification and open resolvers: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: DNS amplification attacks exploit open or misconfigured DNS resolvers to multiply small spoofed queries into traffic floods that can exceed the original request by 50x or more, according to DigiCert. The practical lesson is that availability depends on resolver hygiene, source-address filtering, and response controls, not just edge capacity.

NHIMG editorial — based on content published by DigiCert: What is a DNS Amplification Attack?

By the numbers:

Questions worth separating out

Q: What breaks when DNS resolvers are open to recursion from any source?

A: Open recursion turns your DNS infrastructure into a reflection tool that can be abused by attackers to amplify traffic toward a victim.

Q: Why do DNS amplification attacks cause so much damage from such small requests?

A: They exploit the difference between a tiny spoofed query and a much larger DNS response.

Q: How can security teams tell whether DNS amplification is happening in real time?

A: Look for unusual spikes in UDP port 53 traffic, high volumes of responses that do not match legitimate query patterns, and repeated resolver replies from sources that should not be serving that workload.

Practitioner guidance

  • Disable open recursion on authoritative servers Separate authoritative and recursive roles, then confirm that authoritative servers do not answer arbitrary external recursion requests.
  • Enforce ingress and egress source filtering Apply BCP 38 style anti-spoofing controls with your ISP and internal network teams so forged source addresses cannot enter or leave your environment.
  • Set response rate limits and size controls Tune RRL and review whether DNSSEC, ANY queries, and oversized TXT records are creating avoidable amplification potential.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step DNS troubleshooting checks using dig, nslookup, and Nmap scripts for exposed resolvers.
  • Configuration examples for disabling recursion, tuning response rate limits, and validating DNSSEC impact on response size.
  • Detection guidance for UDP port 53 anomalies, edge filtering, and provider-side mitigation capabilities.
  • Practical hardening checklist for auditing authoritative and recursive DNS roles after changes.

👉 Read DigiCert's explanation of DNS amplification attacks and mitigation →

DNS amplification and open resolvers: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Open recursion is not a nuisance setting. It is a standing trust decision. DNS amplification succeeds because some resolvers still answer queries from any source, effectively volunteering to amplify third-party traffic. That is a governance failure, not just a configuration lapse, because it expands the attack surface of the whole environment. The practitioner conclusion is that resolver admission policy belongs in the same risk register as other externally reachable identity services.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when a DNS amplification attack takes a service offline?

A: Accountability usually spans network operations, DNS platform owners, and the provider or ISP that can enforce anti-spoofing and edge mitigation. The practical question is whether the organisation had clear ownership for resolver hardening, response limits, and source-address validation before the outage occurred. That ownership model should be documented before an incident tests it.

👉 Read our full editorial: DNS amplification attacks expose the limits of open resolver control



   
ReplyQuote
Share: