• The Domain Name System (DNS) infrastructure is infamous for facilitating reflective amplification attacks.
• Countermeasures such as server shielding, access control, rate limiting, and protocol restrictions have been implemented to improve the situation.
• Still, DNS-based reflective amplification attacks remain.
• In this article, we focus on the threat vector introduced by transparent DNS forwarders.
• Our research shows that transparent forwarders enable access to shielded recursive resolvers and scale better in terms of potential attack volume.
• Over the past decade, the total number of open DNS devices has decreased from over 25M in 2014 down to 1.4M in 2026.

Article Summaries:

  • A recent study highlights the threat posed by transparent DNS forwarders, which can be exploited to amplify distributed denial‑of‑service attacks. While overall open DNS devices have fallen from 25 million in 2014 to 1.4 million in 2026, the number of transparent forwarders has stayed steady, allowing attackers to route spoofed queries to powerful recursive resolvers such as Google and Cloudflare. These forwarders relay requests without altering the source IP, bypassing rate limits and firewall rules, and enabling attackers to scale attacks via anycast infrastructure. The researchers’ responsible disclosure removed over 250,000 vulnerable devices, but the global deployment remains widespread, especially in Brazil and India.
  • Researchers have identified a new threat vector in DNS infrastructure: transparent forwarders that can be abused for reflective amplification attacks. Unlike traditional recursive resolvers, these forwarders simply relay queries without altering packet headers, preserving the original source IP. This allows attackers to funnel traffic through powerful, often anycasted recursive resolvers, such as those operated by Google or Cloudflare, while bypassing rate limits and firewall rules. Weekly scans from 2014 to 2026 show a decline in open DNS devices overall, yet the number of transparent forwarders has remained steady, with over 250,000 devices removed through responsible disclosure. The study highlights that transparent forwarders are widely deployed, especially in Brazil and India, making them a persistent and scalable attack surface.
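
An added example, not code from the study: because a transparent forwarder relays a query with the source address intact, the answer comes back from the recursive resolver rather than from the probed device, and an operator auditing their own address space can use that mismatch to find such devices. The record layout, labels and addresses below are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation address ranges, not real hosts).
# Each probe: (DNS transaction id, UDP source port, address the query was sent to).
PROBES = [
    (0x1A01, 40001, "192.0.2.10"),
    (0x1A02, 40002, "192.0.2.11"),
    (0x1A03, 40003, "192.0.2.12"),
    (0x1A04, 40004, "192.0.2.13"),
]
# Each response: (transaction id, UDP destination port, address it arrived from).
RESPONSES = [
    (0x1A01, 40001, "192.0.2.10"),     # answered by the probed host itself
    (0x1A02, 40002, "198.51.100.53"),  # answered by a different host
    (0x1A03, 40003, "198.51.100.53"),  # same resolver behind another device
    (0x9999, 40009, "203.0.113.7"),    # unsolicited, matches no probe
]

def classify(probes, responses):
    """Match responses to probes by (txid, port) and label each probed address."""
    by_key = {(txid, port): ipaddress.ip_address(src) for txid, port, src in responses}
    labels = {}
    for txid, port, target in probes:
        responder = by_key.get((txid, port))
        if responder is None:
            labels[target] = ("no-response", None)
        elif responder == ipaddress.ip_address(target):
            # Resolver or forwarder that replies from its own address.
            labels[target] = ("answers-itself", str(responder))
        else:
            # Reply came from elsewhere: the device relayed the query with
            # our source address intact, so the resolver answered us directly.
            labels[target] = ("transparent-forwarder", str(responder))
    return labels

def resolvers_exposed(labels):
    """Group transparent forwarders by the resolver that answered for them."""
    exposed = defaultdict(list)
    for target, (kind, responder) in labels.items():
        if kind == "transparent-forwarder":
            exposed[responder].append(target)
    return {resolver: sorted(targets) for resolver, targets in exposed.items()}

if __name__ == "__main__":
    result = classify(PROBES, RESPONSES)
    for target, (kind, responder) in result.items():
        print(f"{target:15} {kind:22} {responder or '-'}")
    print(resolvers_exposed(result))
```
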

Sources: