
How DNS Amplification Works

DNS amplification is a reflection-based DDoS attack that exploits open DNS resolvers to flood a target with traffic. The attacker sends small DNS queries with a spoofed source IP (set to the victim's address) to open resolvers. These resolvers respond with much larger DNS replies directed at the victim. The amplification factor typically ranges from 28x to 54x, meaning a 1 Mbps query stream can generate up to 54 Mbps of attack traffic.

The attack relies on two fundamental properties of DNS: it runs over UDP (which allows source IP spoofing since there is no handshake), and certain DNS query types produce responses much larger than the request. The most commonly abused query types are ANY, TXT, and DNSSEC-signed responses.

The Query Amplification Chain

Here is the sequence of events in a DNS amplification attack:

  1. Reconnaissance: The attacker identifies open DNS resolvers that accept recursive queries from any source. Tools like masscan can find thousands of open resolvers in minutes by scanning UDP port 53.
  2. Payload selection: The attacker identifies DNS domains with large response records. A single ANY query for a domain with multiple record types can return several kilobytes. DNSSEC-signed zones amplify this further because the signatures add substantial data.
  3. Spoofed queries: Using raw sockets, the attacker sends UDP packets to each resolver with the source IP set to the victim's address. Each query is approximately 60-70 bytes.
  4. Amplified responses: The resolvers process the queries and send responses (often 2,000-4,000 bytes) to the spoofed source IP, which is the victim.

Attacker (60-byte query) --> Open Resolver --> Victim (3,500-byte response)
                              spoofed src IP = victim
                              amplification = ~54x

Packet-Level Signatures

DNS amplification traffic has several distinctive characteristics that make it identifiable at the packet level. Understanding these signatures is essential for building effective detection rules and for classifying attacks after they happen.

Source Port 53

All amplified DNS responses arrive from UDP source port 53. For most infrastructure that does not actively resolve external DNS, a sudden flood of inbound UDP packets from port 53 is anomalous. The tcpdump filter is straightforward:

$ tcpdump -nn 'udp src port 53 and not src host YOUR_DNS_SERVER'
15:42:18.331 IP 8.8.4.4.53 > 198.51.100.10.39211: 65412*- 18/0/1 (3847)
15:42:18.331 IP 208.67.222.222.53 > 198.51.100.10.39211: 65412*- 18/0/1 (3847)
15:42:18.332 IP 1.1.1.1.53 > 198.51.100.10.39211: 65412*- 18/0/1 (3847)

Response Flags Without Queries

The DNS header contains a QR (Query/Response) flag. In amplification traffic, all packets have the QR bit set to 1 (response), but your server never sent the corresponding queries. If you monitor DNS transaction IDs, you will see responses with IDs that do not match any outbound query. This is a definitive indicator of reflected traffic.

Large Response Sizes

Legitimate DNS responses for A or AAAA records are typically under 512 bytes. Amplification responses commonly exceed 2,000 bytes and frequently hit the EDNS0 maximum of 4,096 bytes. A sustained flow of DNS responses averaging over 2 KB each is almost certainly amplification traffic.

Flowtriq's classification engine specifically tracks the ratio of DNS response bytes to DNS query bytes. In normal traffic, this ratio is under 10:1. During amplification, it exceeds 40:1, which triggers an automatic classification within seconds.
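The three packet-level signatures above (responses from UDP/53, a QR bit set on packets whose transaction ID matches no outbound query, and oversized responses) can all be checked from the fixed 12-byte DNS header plus the datagram length. The following is an added example, not Flowtriq's code: it parses the header, keeps a table of transaction IDs we actually sent, and tracks the response-to-query byte ratio. The query and response builders, the 2,000-byte size threshold, and the packets in `run_demo` are constructed for the example (the transaction ID 65412 and victim address reuse the values from the tcpdump output above).

```python
import struct
from dataclasses import dataclass


@dataclass
class DnsHeader:
    txid: int
    is_response: bool   # QR bit, 0x8000 in the flags word
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_dns_header(payload: bytes) -> DnsHeader:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return DnsHeader(txid, bool(flags & 0x8000), flags & 0x000F, qd, an, ns, ar)


def encode_qname(name: str) -> bytes:
    """Wire-format a name as length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 255) -> bytes:
    """Constructed standard query with RD set; qtype 255 is ANY."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, txt_records: int, qtype: int = 255) -> bytes:
    """Constructed response carrying `txt_records` TXT answers of 255 bytes each.
    Every answer points back at the question name with a compression pointer (0xC00C)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, txt_records, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", qtype, 1)
    rdata = b"\xff" + b"A" * 255                       # one 255-byte character-string
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata  # type TXT, class IN, TTL 300
    return header + question + rr * txt_records


class ReflectionDetector:
    """Flags inbound datagrams from UDP/53 that match the amplification signatures."""

    def __init__(self, large_threshold: int = 2000):  # threshold is an assumption
        self.outstanding = {}        # txid -> size of the query we sent
        self.query_bytes = 0
        self.response_bytes = 0
        self.large_threshold = large_threshold

    def note_outbound_query(self, payload: bytes) -> None:
        hdr = parse_dns_header(payload)
        self.outstanding[hdr.txid] = len(payload)
        self.query_bytes += len(payload)

    def inspect_inbound(self, src_port: int, payload: bytes) -> list:
        """Return the signature names matched by one inbound UDP datagram."""
        if src_port != 53:
            return []                                  # not a DNS response at all
        hdr = parse_dns_header(payload)
        if not hdr.is_response:
            return []                                  # a query aimed at us; out of scope here
        self.response_bytes += len(payload)
        findings = []
        if hdr.txid in self.outstanding:
            del self.outstanding[hdr.txid]             # solicited: consume the ID so duplicates are flagged
        else:
            findings.append("unsolicited_response")
        if len(payload) > self.large_threshold:
            findings.append("oversized_response")
        return findings

    def byte_ratio(self) -> float:
        """Response bytes divided by query bytes over everything seen so far."""
        return self.response_bytes / self.query_bytes if self.query_bytes else float("inf")


def run_demo() -> dict:
    """Constructed scenario: one legitimate exchange, then three reflected replies."""
    det = ReflectionDetector()
    det.note_outbound_query(build_query(0x1234, "example.com"))
    packets = [
        (53, build_response(0x1234, "example.com", 1)),    # answer to the query we sent (297 bytes)
        (53, build_response(0xFF84, "example.com", 14)),   # txid 65412: never sent by us, 3,781 bytes
        (53, build_response(0xFF84, "example.com", 14)),
        (53, build_response(0xFF84, "example.com", 14)),
        (44321, b"\x16\x03\x01" + b"\x00" * 40),           # unrelated datagram, ignored
    ]
    findings = [det.inspect_inbound(port, payload) for port, payload in packets]
    flat = [f for fs in findings for f in fs]
    return {
        "per_packet": findings,
        "unsolicited": flat.count("unsolicited_response"),
        "oversized": flat.count("oversized_response"),
        "byte_ratio": round(det.byte_ratio(), 1),
    }


if __name__ == "__main__":
    print(run_demo())
```

Consuming the transaction ID on the first matching response means a second copy of the same response is reported as unsolicited, which is the behaviour you want: a reflector replaying the same answer to you never matches a live query twice.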

Detection Strategies

Effective detection of DNS amplification requires monitoring at multiple layers. Relying solely on bandwidth thresholds means you will only catch attacks that exceed your link capacity, by which point the damage is already done.

Protocol Distribution Monitoring

Under normal conditions, most servers have a predictable UDP-to-TCP traffic ratio. DNS amplification causes a sudden spike in inbound UDP traffic. Flowtriq tracks protocol distribution every second using dynamic baselines, so a shift from 5% UDP to 80% UDP triggers an alert even if total bandwidth is within normal range.

Source Port Entropy Analysis

Legitimate inbound traffic comes from a diverse range of source ports. DNS amplification traffic overwhelmingly originates from port 53. A drop in source port entropy (the randomness of source port distribution) is a strong signal of reflection-based attacks. This technique works for DNS, NTP, memcached, and SSDP amplification alike.

Response-to-Query Ratio

If your infrastructure makes outbound DNS queries (as most do), you can monitor the ratio of inbound DNS responses to outbound DNS queries. During normal operation, this ratio should be close to 1:1. During a DNS amplification attack, you will receive hundreds or thousands of responses for every query you actually sent.

Detection benchmark: Flowtriq detects DNS amplification within 1.2 seconds of the first attack packet arriving, using a combination of PPS baseline deviation, protocol distribution shift, and source port analysis. The attack type classification (DNS Amplification) is included in the alert notification.
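The three flow-level signals in this section (protocol distribution shift, source-port entropy collapse, and the inbound-response to outbound-query ratio) can be computed from a one-second window of packet records without touching DNS payloads. The following is an added example, not Flowtriq's engine: it builds constructed baseline and attack windows, computes each signal, and votes. The record layout, the traffic mix in `synth_window`, and the thresholds in `classify` (50% UDP, entropy below half the baseline, ratio above 10:1) are assumptions made for the example.

```python
import math
import random
from collections import Counter

# One packet record per datagram: (direction, proto, src_port, dst_port, length).


def synth_window(seed: int, tcp_packets: int, dns_queries: int, reflected: int) -> list:
    """Construct one second of traffic: inbound HTTPS packets, our own DNS lookups
    with their replies, and `reflected` unsolicited 3,500-byte replies from port 53."""
    rng = random.Random(seed)
    recs = []
    for _ in range(tcp_packets):
        recs.append(("in", "tcp", rng.randint(1024, 65535), 443, rng.randint(60, 1500)))
    for _ in range(dns_queries):
        sport = rng.randint(1024, 65535)
        recs.append(("out", "udp", sport, 53, 64))        # query we sent
        recs.append(("in", "udp", 53, sport, 220))        # its normal-sized answer
    for _ in range(reflected):
        recs.append(("in", "udp", 53, rng.randint(1024, 65535), 3500))
    rng.shuffle(recs)
    return recs


def udp_share(recs) -> float:
    """Fraction of inbound packets that are UDP (protocol distribution signal)."""
    inbound = [r for r in recs if r[0] == "in"]
    return sum(r[1] == "udp" for r in inbound) / len(inbound)


def source_port_entropy(recs) -> float:
    """Shannon entropy, in bits, of the inbound source-port distribution.
    Diverse ephemeral ports score high; a flood from port 53 drags it down."""
    counts = Counter(r[2] for r in recs if r[0] == "in")
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def response_query_ratio(recs) -> float:
    """Inbound packets from UDP/53 divided by outbound packets to UDP/53."""
    responses = sum(1 for r in recs if r[0] == "in" and r[1] == "udp" and r[2] == 53)
    queries = sum(1 for r in recs if r[0] == "out" and r[1] == "udp" and r[3] == 53)
    return responses / queries if queries else float("inf")


def classify(recs, baseline_entropy: float) -> dict:
    """Evaluate all three signals; two of three firing marks the window as amplification.
    Thresholds are assumptions for this example, not tuned production values."""
    signals = {
        "udp_share": udp_share(recs),
        "src_port_entropy": source_port_entropy(recs),
        "resp_query_ratio": response_query_ratio(recs),
    }
    votes = [
        signals["udp_share"] > 0.5,
        signals["src_port_entropy"] < 0.5 * baseline_entropy,
        signals["resp_query_ratio"] > 10,
    ]
    signals["votes"] = sum(votes)
    signals["verdict"] = "dns_amplification" if sum(votes) >= 2 else "normal"
    return signals


if __name__ == "__main__":
    baseline = synth_window(1, tcp_packets=1000, dns_queries=20, reflected=0)
    attack = synth_window(2, tcp_packets=1000, dns_queries=20, reflected=4000)
    base_entropy = source_port_entropy(baseline)
    print("baseline:", classify(baseline, base_entropy))
    print("attack:  ", classify(attack, base_entropy))
```

In the constructed attack window the total packet count only quintuples, which a bandwidth threshold on a well-provisioned link might not notice, yet the UDP share jumps from about 2% to about 80%, the source-port entropy falls from roughly 10 bits to under 3, and the response-to-query ratio goes from 1:1 to about 200:1.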

Mitigation Techniques

Host-Level Firewall Rules

If your server does not need to receive DNS responses from the internet (for example, it uses a local resolver), you can drop all inbound UDP from source port 53:

# Drop all inbound DNS responses
iptables -A INPUT -p udp --sport 53 -j DROP

# Or rate-limit if you need some DNS responses
iptables -A INPUT -p udp --sport 53 -m limit --limit 50/sec --limit-burst 100 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j DROP

For servers that do need external DNS resolution, use rate limiting rather than a blanket drop. Combine this with conntrack state matching to allow only responses to queries you initiated:

# Allow DNS responses only for connections we initiated
iptables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j DROP

Upstream BGP Blackhole

For large-scale attacks that threaten to saturate your transit links, request a BGP blackhole from your upstream provider. This diverts attack traffic at the network edge before it reaches your infrastructure. Flowtriq can provide the PCAP evidence your provider needs to expedite the blackhole request.

Response Rate Limiting (RRL)

If you operate DNS servers, enable Response Rate Limiting to prevent your servers from being used as reflectors. BIND supports RRL natively since version 9.9.4. This limits the rate at which identical responses are sent to the same destination, neutering the amplification effect.
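To show what RRL does to a reflector's output, the following added example (not BIND's implementation, and not Flowtriq code) simulates a response rate limiter that, like BIND RRL, keys identical responses on the client's /24 plus the query name and type, and "slips" every second suppressed response as a short truncated (TC=1) reply so real clients can retry over TCP. It uses a simplified fixed one-second window rather than BIND's credit scheme; the 5 responses-per-second limit, the slip of 2, and the flood of 100 identical ANY queries with constructed sizes are assumptions for the example. The victim address is the one from the tcpdump output earlier on the page.

```python
from typing import Tuple


class ResponseRateLimiter:
    """Per-(client /24, qname, qtype) response budget with slip, per one-second window."""

    def __init__(self, responses_per_second: int = 5, slip: int = 2, window_seconds: float = 1.0):
        self.rate = responses_per_second
        self.slip = slip                 # every slip-th suppressed answer is sent truncated
        self.window_seconds = window_seconds
        self.state = {}                  # key -> (window index, sent, suppressed)

    @staticmethod
    def key_for(client_ip: str, qname: str, qtype: str) -> Tuple[str, str, str]:
        """Spoofed sources cluster in a prefix, so the budget is shared across the /24."""
        prefix = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (prefix, qname.lower().rstrip("."), qtype.upper())

    def decide(self, ts: float, client_ip: str, qname: str, qtype: str) -> str:
        """Return 'respond', 'truncate' or 'drop' for a query arriving at time ts."""
        key = self.key_for(client_ip, qname, qtype)
        window = int(ts // self.window_seconds)
        win, sent, suppressed = self.state.get(key, (window, 0, 0))
        if win != window:                                   # new window: fresh budget
            win, sent, suppressed = window, 0, 0
        if sent < self.rate:
            self.state[key] = (win, sent + 1, suppressed)
            return "respond"
        suppressed += 1
        self.state[key] = (win, sent, suppressed)
        if self.slip and suppressed % self.slip == 0:
            return "truncate"                               # tiny TC=1 reply: legitimate clients retry over TCP
        return "drop"


def simulate_flood(queries: int = 100, query_bytes: int = 60,
                   response_bytes: int = 3500, tc_bytes: int = 60) -> dict:
    """Constructed flood: `queries` identical ANY queries for one name, all carrying the
    same spoofed source, arriving 10 ms apart inside a single window."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    victim = "198.51.100.10"
    sent_bytes = 0
    decisions = []
    for i in range(queries):
        d = rrl.decide(i * 0.01, victim, "example.com", "ANY")
        decisions.append(d)
        sent_bytes += {"respond": response_bytes, "truncate": tc_bytes, "drop": 0}[d]
    inbound = queries * query_bytes
    return {
        "responded": decisions.count("respond"),
        "truncated": decisions.count("truncate"),
        "dropped": decisions.count("drop"),
        "bytes_without_rrl": queries * response_bytes,
        "bytes_with_rrl": sent_bytes,
        "amplification_without_rrl": round(queries * response_bytes / inbound, 1),
        "amplification_with_rrl": round(sent_bytes / inbound, 1),
    }


if __name__ == "__main__":
    print(simulate_flood())
```

With these settings the reflector sends the full 3,500-byte answer only five times per second per /24 and name; the rest of the flood produces 60-byte truncated replies or nothing, so the bytes reaching the spoofed victim fall from 350,000 to about 20,000 for the same 100 queries, and the amplification factor from roughly 58x to about 3x. Queries from other networks for the same name keep their own budget and are not affected.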

BCP38 / Network Ingress Filtering

The root cause of all reflection attacks is source IP spoofing. BCP38 (RFC 2827) describes network ingress filtering that prevents packets with spoofed source addresses from leaving a network. While individual organizations cannot enforce BCP38 on the entire internet, implementing it on your own network prevents your infrastructure from being used to launch amplification attacks.

DNS Amplification in the Wild: 2024-2025 Trends

DNS amplification remains in the top three DDoS attack vectors despite being well-understood. According to industry reports, DNS amplification accounted for approximately 18% of all volumetric DDoS attacks in 2024, second only to NTP amplification. The persistence of this vector is driven by several factors:

  • Millions of open resolvers: Despite years of awareness campaigns, there are still an estimated 2.5 million open DNS resolvers on the internet.
  • Low attacker cost: Amplification attacks require minimal bandwidth from the attacker. A single server with 100 Mbps uplink can generate several Gbps of attack traffic.
  • DNSSEC adoption increases amplification: As more domains deploy DNSSEC, the average response size increases due to cryptographic signatures, which inadvertently increases amplification factors.
  • Combined with other vectors: Modern attacks frequently combine DNS amplification with other attack types to complicate mitigation.

Setting Up Flowtriq for DNS Amplification Detection

Flowtriq detects DNS amplification out of the box with no additional configuration required. The agent's attack classification engine automatically identifies DNS amplification based on protocol analysis and source port patterns.

For optimal detection, ensure your Flowtriq agent is monitoring the network interface that receives inbound internet traffic. If you use multiple interfaces, deploy an agent per interface or configure interface bonding monitoring. Set up your preferred notification channels (Slack, Discord, PagerDuty, etc.) so alerts reach the right team immediately.

Flowtriq starts at $9.99/mo per node with DNS amplification detection included. Start your free 7-day trial to see detection in action.
