TL;DR: DNS amplification attacks send small queries with a spoofed source address to open or misconfigured DNS resolvers, which dutifully return much larger responses to the spoofed address; according to DigiCert, the reflected traffic can exceed the original request by 50x or more. The practical lesson is that availability depends on resolver hygiene, source-address filtering, and response controls, not just edge capacity.
NHIMG editorial — based on content published by DigiCert: What is a DNS Amplification Attack?
By the numbers:
- Data from DigiCert's UltraDDoS Protect biannual analyst report shows that DNS amplification accounted for just 4.44% of DDoS vectors observed in the first half of 2025.
- That small share understates the risk: with the ability to multiply attack traffic by 50x or more, DNS amplification can cripple networks in minutes if left unchecked.
- For example, a 60-byte query that triggers a 4,000-byte response yields an amplification factor of roughly 66x (4,000 / 60 ≈ 66.7), and the attacker pays only for the 60 bytes.
Questions worth separating out
Q: What breaks when DNS resolvers are open to recursion from any source?
A: Open recursion lets anyone on the internet hand the resolver a query carrying a forged source address; the resolver does the lookup work and sends the much larger answer to that forged address. Your DNS infrastructure becomes a reflector aimed at whichever victim the attacker chooses, and the victim sees your resolver, not the attacker, as the source of the flood.
Q: Why do DNS amplification attacks cause so much damage from such small requests?
A: They exploit the gap between a tiny spoofed query and a much larger DNS response. DNS runs over UDP, so the resolver never verifies who sent the query; a query of a few dozen bytes can elicit a response of several kilobytes, especially for ANY queries or names with DNSSEC signatures or large TXT records, and the whole response is delivered to the spoofed address.
Q: How can security teams tell whether DNS amplification is happening in real time?
A: Look for unusual spikes in UDP port 53 traffic, outbound response volume that is out of proportion to the queries actually received (many large responses concentrated on a handful of destinations), resolver replies going to addresses the resolver should not be serving, and a shift toward query types that produce large answers, such as ANY.
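The three detection signals above, turned into code. This is an added example, not DigiCert's: it reads constructed UDP/53 flow records in a hypothetical `ts proto src_ip src_port dst_ip dst_port bytes` format as captured at the edge in front of a hypothetical resolver 203.0.113.53, then flags remote peers that receive many replies, get far more bytes back than they sent, or sit outside the networks the resolver is supposed to serve. The resolver address, client ranges, thresholds and sample records are all assumptions.

```python
"""Flag DNS reflection/amplification patterns in UDP/53 flow records.

Added example (not DigiCert's code). It assumes a constructed flow export
with one record per line in the field order
    ts proto src_ip src_port dst_ip dst_port bytes
as seen at the edge in front of a hypothetical resolver 203.0.113.53.
Real NetFlow/IPFIX or Zeek conn.log exports need their own parser.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

RESOLVER_IP = "203.0.113.53"                       # hypothetical resolver
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("10.0.0.0/8")]  # who may recurse here
MIN_RESPONSES = 5       # below this a peer is noise, not a finding
MAX_BYTES_RATIO = 10.0  # out/in byte ratio; normal A/AAAA lookups are a few x
MAX_RPS = 5.0           # responses per second toward a single peer


@dataclass
class PeerStats:
    queries_in: int = 0
    responses_out: int = 0
    bytes_in: int = 0
    bytes_out: int = 0
    first_ts: float = float("inf")
    last_ts: float = 0.0


def parse_flow(line):
    """Return a flow dict for UDP records that touch port 53, else None."""
    ts, proto, src, sport, dst, dport, nbytes = line.split()
    if proto != "udp" or "53" not in (sport, dport):
        return None
    return {"ts": float(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def aggregate(lines):
    """Tally queries into and responses out of the resolver, per remote peer."""
    stats = defaultdict(PeerStats)
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f["dst"] == RESOLVER_IP and f["dport"] == 53:    # query (maybe spoofed)
            s = stats[f["src"]]
            s.queries_in += 1
            s.bytes_in += f["bytes"]
        elif f["src"] == RESOLVER_IP and f["sport"] == 53:  # resolver's reply
            s = stats[f["dst"]]
            s.responses_out += 1
            s.bytes_out += f["bytes"]
        else:
            continue
        s.first_ts = min(s.first_ts, f["ts"])
        s.last_ts = max(s.last_ts, f["ts"])
    return stats


def findings(stats):
    """Return {peer: {"ratio", "rps", "reasons"}} for peers that look reflected-at."""
    out = {}
    for peer, s in stats.items():
        if s.responses_out < MIN_RESPONSES:
            continue
        ratio = s.bytes_out / max(s.bytes_in, 1)
        rps = s.responses_out / max(s.last_ts - s.first_ts, 1.0)
        reasons = []
        if not any(ipaddress.ip_address(peer) in net for net in ALLOWED_CLIENTS):
            reasons.append("resolver answering a peer outside its served networks")
        if ratio >= MAX_BYTES_RATIO:
            reasons.append(f"response/query byte ratio {ratio:.0f}x")
        if rps >= MAX_RPS:
            reasons.append(f"{rps:.1f} responses/s toward one peer")
        if reasons:
            out[peer] = {"ratio": ratio, "rps": rps, "reasons": reasons}
    return out


def sample_flows():
    """Constructed records: one legitimate internal client, one stray external
    lookup, and one reflection burst at 198.51.100.7 (spoofed-source queries
    whose replies are ~60x larger)."""
    rows = []
    for i in range(3):   # internal client, three ordinary lookups
        rows.append(f"1700000000.{i} udp 10.1.2.3 5{i}000 {RESOLVER_IP} 53 70")
        rows.append(f"1700000000.{i} udp {RESOLVER_IP} 53 10.1.2.3 5{i}000 120")
    for i in range(2):   # external peer, too few replies to rise above noise
        rows.append(f"1700000005.{i} udp 192.0.2.9 4000{i} {RESOLVER_IP} 53 60")
        rows.append(f"1700000005.{i} udp {RESOLVER_IP} 53 192.0.2.9 4000{i} 150")
    for i in range(12):  # 12 spoofed queries in under 2 s, 3,900-byte answers
        ts = 1700000010.0 + i * 0.17
        rows.append(f"{ts:.2f} udp 198.51.100.7 443 {RESOLVER_IP} 53 64")
        rows.append(f"{ts:.2f} udp {RESOLVER_IP} 53 198.51.100.7 443 3900")
    return rows


if __name__ == "__main__":
    for peer, f in findings(aggregate(sample_flows())).items():
        print(peer, f"{f['ratio']:.0f}x", "; ".join(f["reasons"]))
```

The byte ratio is the most robust of the three signals: a reflection victim's spoofed queries do arrive at the resolver, so a pure "responses without queries" check misses the attack, whereas the ratio exposes it regardless of whether the peer address looks plausible.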
Practitioner guidance
- Disable open recursion on authoritative servers: Separate the authoritative and recursive roles onto different hosts, then confirm that authoritative servers do not recurse at all and that recursive resolvers answer only the client networks they are meant to serve.
- Enforce ingress and egress source filtering: Apply BCP 38 style anti-spoofing controls with your ISP and internal network teams so forged source addresses cannot enter or leave your environment. Note that this stops your network from originating spoofed queries against others; spoofed queries arriving at your resolver from elsewhere can only be filtered by the networks they originate from, which is why resolver-side controls still matter.
- Set response rate limits and size controls: Tune RRL so that repeated identical responses to the same client network are throttled while ordinary lookups pass, and review whether DNSSEC, ANY queries, and oversized TXT records are creating avoidable amplification potential.
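What those three steps look like in a resolver configuration. This is an added example, not taken from DigiCert's post: two BIND 9 `named.conf` fragments, the exposed shape first and the hardened shape after it. The zone name, file name and client ranges are placeholders.

```conf
// Added example (not DigiCert's). BIND 9 named.conf fragments; zone and
// network values are placeholders.

// BEFORE: an authoritative server that also recurses for anyone who asks.
options {
    recursion yes;                     // will resolve arbitrary names...
    allow-query { any; };              // ...for any source address, spoofed or not
};
zone "example.com" { type primary; file "db.example.com"; };

// AFTER, authoritative role: no recursion, only its own zones, and each
// spoofed query buys the attacker less.
options {
    recursion no;                      // authoritative data only
    allow-query { any; };              // zone data is meant to be public
    allow-query-cache { none; };       // never hand out cached/recursive answers
    minimal-responses yes;             // omit optional additional-section records
    rate-limit {
        responses-per-second 10;       // identical answers per client /24 per second
        window 5;                      // averaging window in seconds
        slip 2;                        // every 2nd excess reply becomes a tiny TC=1 hint
    };
};
zone "example.com" { type primary; file "db.example.com"; };

// AFTER, recursive role on a separate host: recursion only for your own clients.
options {
    recursion yes;
    allow-recursion   { 203.0.113.0/24; 10.0.0.0/8; };   // placeholder client ranges
    allow-query-cache { 203.0.113.0/24; 10.0.0.0/8; };
    rate-limit { responses-per-second 10; window 5; slip 2; };
};
```

After reloading, verify the authoritative host from an outside address: a recursive query for a name it is not authoritative for should come back REFUSED (or without the RA flag), and a burst of identical queries should start returning truncated replies once RRL engages. Keep `slip` non-zero so legitimate clients behind a rate-limited /24 can retry over TCP instead of being silently dropped.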
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step DNS troubleshooting checks using dig, nslookup, and Nmap scripts for exposed resolvers.
- Configuration examples for disabling recursion, tuning response rate limits, and validating DNSSEC impact on response size.
- Detection guidance for UDP port 53 anomalies, edge filtering, and provider-side mitigation capabilities.
- Practical hardening checklist for auditing authoritative and recursive DNS roles after changes.
👉 Read DigiCert's explanation of DNS amplification attacks and mitigation →