• The Domain Name System (DNS) infrastructure is infamous for facilitating reflective amplification attacks. • Countermeasures such as server shielding, access control, rate limiting, and protocol restrictions have been implemented to improve the situation. • Still, DNS-based reflective amplification attacks remain. • In this article, we focus on the threat vector introduced by transparent DNS forwarders. • Our research shows that transparent forwarders enable access to shielded recursive resolvers, and scale better in terms of potential attack volume. • Over the past decade, the total number of open DNS devices has decreased from over 25M in 2014 down to 1.4M in 2026.

Article Summaries:

  • Summary

A new study highlights the threat posed by transparent DNS forwarders, which forward queries without altering the source IP, enabling attackers to use shielded recursive resolvers in distributed amplification attacks. While the overall number of open DNS devices has fallen from 25 million in 2014 to 1.4 million in 2026, the count of transparent forwarders has stayed flat, sustaining a large attack surface. The researchers conducted weekly scans, identified 250 000 vulnerable devices, and removed them through responsible disclosure. Transparent forwarders are common in 175 economies, especially Brazil (31 %) and India (24 %), and 76 % rely on Google or Cloudflare recursive resolvers, amplifying their potential impact.

  • Researchers have identified transparent DNS forwarders as a new vector for reflective amplification attacks. Unlike typical recursive resolvers, these forwarders simply relay queries without altering packet headers, preserving the original source IP. This allows attackers to feed spoofed requests into powerful, often shielded recursive resolvers-many of which are operated by Google or Cloudflare-while bypassing rate limits and firewall rules. Weekly scans from 2014 to 2026 show that, although overall open DNS devices have fallen from 25 million to 1.4 million, the number of transparent forwarders has stayed flat, with 45 % spread across 173 economies, heavily concentrated in Brazil (31%) and India (24%). Responsible disclosure has removed over 250 k such devices, but the threat remains significant.

Sources: