DNS Amplification Attack (DNS Amplification)

Security Glossary - DNS

Definition: A DNS amplification attack is a type of distributed denial-of-service (DDoS) attack that exploits open DNS resolvers to flood a target with traffic. The attacker sends small DNS queries with the source IP spoofed to the victim's address, and the resolver sends much larger responses to the victim. The amplification factor can be 50x or more.

The Importance of DNS Amplification

DNS amplification attacks are one of the most common DDoS vectors because a DNS query is a small UDP packet while the response it triggers can be many times larger, giving an amplification factor in the range of 50-70x. Because UDP carries no handshake, the attacker can forge the source address, so the resolvers reflect their responses at the victim and the attacker's own address never appears in the traffic. A 1 Gbps attack stream from the attacker can become a 50 Gbps flood hitting the victim. This makes it possible for a single attacker with modest bandwidth to generate overwhelming traffic volumes.

As a domain operator, your DNS infrastructure can be either a target or an unwitting participant. If your DNS servers are configured as open resolvers (accepting recursive queries from any source), they can be exploited as amplifiers for any name on the internet. Authoritative-only nameservers that refuse recursion close that vector, but they can still be made to reflect large responses for the zones they host (for example ANY queries, or records in DNSSEC-signed zones), which is why response rate limiting is recommended on authoritative servers as well.

Defending against DNS amplification when you are the target requires DDoS mitigation services (like Cloudflare, AWS Shield, or Akamai) that can absorb and filter the amplified traffic. As a responsible internet citizen, also verify that your nameservers are not configured as open resolvers.

How to Verify

Verify your nameservers only respond to authoritative queries for your domains and do not process recursive queries from arbitrary sources. The quickest manual check is to query each server from outside your network for a name it does not host: a correctly configured server answers REFUSED, or at least does not set the recursion-available (RA) flag, whereas an open resolver returns a full answer with RA set. A DNS health check can confirm your nameserver configuration. Use tools like the Open Resolver Project to check if your DNS servers are exploitable.
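The following script is an added example, not part of this glossary entry or of DomainOptic's scanner. It shows the two things described above in working code: how small the attacker's query is compared with the response it elicits (the amplification factor), and how to read the response header to decide whether a server is an open resolver. The query builder produces the kind of packet used in these attacks (an ANY query with an EDNS0 OPT record advertising a 4096-byte UDP buffer), and the "open" and "refused" responses are constructed sample data, not captured traffic. The function names and the 254-character TXT padding are this example's own choices; send_udp() is only for testing servers you are authorised to probe.

```python
"""Minimal DNS packet helpers (added example, stdlib only).
(1) measure how much larger a response is than the query that triggered it;
(2) decide from the response header whether a server recursed for a name it
    does not host, which is the open-resolver condition.
The samples below are constructed in code; no network access is needed."""
import socket
import struct

QTYPE_ANY = 255
QTYPE_TXT = 16
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                edns_udp_size: int = 4096) -> bytes:
    """Query of the kind used for amplification: one question plus an EDNS0 OPT
    record asking for a large UDP payload so the answer is not truncated."""
    # flags 0x0100: RD (recursion desired) set; QDCOUNT 1, ARCOUNT 1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL field = extended RCODE/version/flags (all zero), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields relevant here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bandwidth amplification: response bytes / query bytes (UDP payload only)."""
    return len(response) / len(query)


def classify_resolver(query: bytes, response: bytes) -> str:
    """Interpret the reply to a query for a name the server does NOT host.
    'open'   : it recursed (RA set and answer records present) -> usable as an amplifier
    'closed' : it refused, or did not offer recursion
    'mismatch': not a response to our query (wrong ID or QR bit clear)"""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatch"
    if r["rcode"] == RCODE_REFUSED:
        return "closed"
    if r["ra"] and r["ancount"] > 0:
        return "open"
    return "closed"


def build_response(query: bytes, ra: bool, rcode: int, txt_records: int = 0) -> bytes:
    """Constructed sample response (test data, not captured traffic): echoes the
    question and appends `txt_records` TXT RRs of 255 bytes of rdata each, the
    sort of bulk an ANY answer carries."""
    q = parse_header(query)
    flags = 0x8000 | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, txt_records, 0, 0)
    question = query[12:query.index(b"\x00", 12) + 5]   # name + QTYPE + QCLASS
    txt = b"x" * 254
    rdata = bytes([len(txt)]) + txt                     # one 255-byte character-string
    # 0xC00C = compression pointer to the question name at offset 12
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + question + rr * txt_records


def send_udp(server: str, query: bytes, timeout: float = 3.0, port: int = 53) -> bytes:
    """Send a query to a nameserver you are authorised to test and return the raw
    reply. Not used by the samples below; pair with classify_resolver()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        data, _ = s.recvfrom(65535)
    return data


if __name__ == "__main__":
    q = build_query("example.com")                         # 40-byte attacker query
    open_reply = build_response(q, ra=True, rcode=0, txt_records=10)
    refused = build_response(q, ra=False, rcode=RCODE_REFUSED)
    print(f"query {len(q)} B, answer {len(open_reply)} B, "
          f"factor {amplification_factor(q, open_reply):.1f}x, "
          f"verdict {classify_resolver(q, open_reply)}")
    print("authoritative-only server verdict:", classify_resolver(q, refused))
```

To test a real server, use `classify_resolver(q, send_udp("<ns-ip>", build_query("some-name-you-do-not-host.example")))`; "open" means the server recursed for a name outside its zones. Note that a server returning a large answer for its own zones with RA clear is still "closed" here, which is exactly the case response rate limiting is meant to cover.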


DNS Amplification FAQ

How does DNS amplification work?
The attacker sends DNS queries to open resolvers with the source IP spoofed to the victim's address, choosing queries that produce the largest possible answers (typically ANY queries, with an EDNS0 option requesting a large UDP response). The resolvers send their (much larger) responses to the victim. A query might be 60 bytes while the response is 3000 bytes, creating a 50x amplification factor.
How do I prevent my DNS server from being used in amplification attacks?
Configure your DNS server as authoritative-only - do not allow recursive queries from external sources, and if you must run a resolver, restrict recursion to your own address ranges. Implement response rate limiting (RRL) on your authoritative servers, since they can still reflect large answers for the zones they host. Use BCP38 (ingress filtering) on your network to prevent IP spoofing, so hosts on your network cannot originate spoofed queries at all.
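The two BIND 9 configuration fragments below are an added illustration of the previous answer; they are not taken from this page or from any particular deployment. The first shows the weak setting that makes a server an open resolver, the second the hardened authoritative-only form with RRL. The rate-limit values are example numbers to be tuned per server, and `minimal-any` requires BIND 9.11 or later.

```conf
// Weak: recursion enabled and not restricted, so anyone on the internet can
// use this server to resolve arbitrary names -> open resolver / amplifier.
options {
    recursion yes;
    allow-query { any; };
};

// Hardened authoritative-only server (added example, values illustrative).
options {
    recursion no;                  // never resolve names outside hosted zones
    allow-recursion { none; };     // explicit, in case recursion is re-enabled later
    allow-query { any; };          // authoritative answers for hosted zones stay public
    allow-query-cache { none; };   // no cached data served to outsiders
    minimal-any yes;               // answer ANY over UDP with a single RRset (BIND 9.11+)
    rate-limit {                   // response rate limiting against reflection
        responses-per-second 5;    // identical answers per client /24 per second
        window 5;
        slip 2;                    // every 2nd dropped reply becomes a tiny TC=1 answer,
                                   // so legitimate clients retry over TCP
        log-only no;               // set yes first to measure before enforcing
    };
};
```

After reloading, re-run the open-resolver check from "How to Verify": a query for a name outside your zones should now return REFUSED. BCP38 is enforced on the network edge (router ACLs or uRPF), not in named.conf.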
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.