Free Security Tool

Open DNS Resolver Checker

Check if a DNS server is configured as an open resolver. Open resolvers can be abused for devastating DNS amplification DDoS attacks with up to 54x amplification.

Note: Browser-based checks cannot directly test DNS resolver status. This tool provides an educational assessment based on the IP you enter. To definitively test your server, use the command-line tests shown below.

How the Attack Works

DNS Amplification Attack Explained

In a DNS amplification attack, the attacker sends small DNS queries (typically ~60 bytes) with a spoofed source IP (the victim's IP) to open DNS resolvers. The resolvers respond with much larger DNS responses (up to ~3,400 bytes) directed at the victim.

Because the response is 28-54x larger than the query, a small amount of attacker bandwidth becomes a massive flood at the victim's server. A botnet of just 1,000 machines can generate hundreds of Gbps of attack traffic.

Maximum amplification factor: 54x

Attack flow: Attacker → spoofed query (60 bytes) → Open Resolver → large response (~3,400 bytes) → Victim Server, overwhelmed by traffic. Because the source IP is forged, the response goes to the victim rather than back to the attacker.

Historical Record

Largest DNS Amplification Attacks

Year | Target        | Peak Size | Notes
2024 | Unnamed CDN   | 321 Gbps  | Mixed DNS + NTP amplification vector
2023 | European Bank | 260 Gbps  | Sustained 48-hour multi-vector attack
2016 | Dyn DNS       | 1.2 Tbps  | Mirai botnet + DNS amplification disrupted major sites
2013 | Spamhaus      | 300 Gbps  | Largest attack at the time, primarily DNS amplification
2012 | US Banks      | 60 Gbps   | Operation Ababil, itsoknoproblembro toolkit

Test Your Server

Commands to Check Your DNS Server

# Test if your server responds to external recursive queries
# (run this from a host OUTSIDE the networks you allow recursion from)
dig @YOUR_SERVER_IP example.com A +short

# If this returns an IP address, your server is an open resolver
# A correctly restricted server returns nothing (status: REFUSED in full output)

# Test with nslookup
nslookup example.com YOUR_SERVER_IP

# Check for recursion-available flag
dig @YOUR_SERVER_IP example.com A +recurse
# Look for "ra" flag in response (recursion available)

# Test ANY query (used in amplification)
dig @YOUR_SERVER_IP isc.org ANY
# If this returns a large response, amplification is possible
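The same check as a small Python script, added here as an example (it is not part of the Flowtriq tool): it builds the recursive A query the dig command sends, reads the ra flag, RCODE and answer count from the reply, and reports the response-to-query size ratio, i.e. the amplification factor for that query. The sample packets at the bottom are constructed, not captured, so the assessment logic can be exercised offline; check_resolver() does the live UDP exchange against a server you administer.

```python
import socket
import struct

QUERY_ID = 0x1234  # fixed transaction id, reused by the constructed samples below

def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query with RD=1, like `dig A` without EDNS (29 bytes for example.com)."""
    header = struct.pack("!HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_response(data: bytes) -> dict:
    """Pull the header fields the open-resolver check depends on."""
    _ident, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "ra": bool(flags & 0x0080),   # 'ra' flag: recursion available
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "answers": an,
        "size": len(data),
    }

def assess(query: bytes, response: bytes) -> dict:
    """Open resolver = RA set, NOERROR, and at least one answer record."""
    info = parse_response(response)
    info["open"] = info["ra"] and info["rcode"] == 0 and info["answers"] > 0
    info["amplification"] = round(len(response) / len(query), 1)
    return info

def check_resolver(ip: str, name: str = "example.com", timeout: float = 3.0) -> dict:
    """Send the query over UDP/53 to a resolver you administer and assess its reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ip, 53))
        data, _ = sock.recvfrom(4096)
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != QUERY_ID:
        raise ValueError("short or mismatched reply")
    return assess(query, data)

# Constructed sample packets (not captured from a real server), for offline use.
QUERY = build_query("example.com")
# Open resolver: flags 0x8180 = QR|RD|RA, NOERROR, one A record (192.0.2.1) in the answer.
OPEN_RESPONSE = (struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0) + QUERY[12:]
                 + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
# Restricted resolver: flags 0x8105 = QR|RD, RCODE 5 (REFUSED), no RA, no answers.
REFUSED_RESPONSE = struct.pack("!HHHHHH", QUERY_ID, 0x8105, 1, 0, 0, 0) + QUERY[12:]
```

The refused sample comes back the same size as the query (ratio 1.0), while the answered one is larger; a real ANY or DNSSEC-signed reply is where the ratios in the 28-54x range come from.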

Fix It

How to Secure Your DNS Resolver

1. Disable recursion for external queries

In BIND (named.conf), set allow-recursion { localhost; your-network/24; }; to only allow recursion from your own networks. This is the single most important fix.

2. Implement Response Rate Limiting (RRL)

In BIND 9.9+, add rate-limit { responses-per-second 5; }; to the options block. This limits the number of identical responses sent per second, dramatically reducing amplification effectiveness.

3. Block ANY queries

ANY queries produce the largest responses. Consider blocking them: in BIND, use minimal-any yes; (BIND 9.11+) to return minimal responses to ANY queries.

4. Implement BCP38 (Source Address Validation)

Work with your upstream provider to implement ingress filtering that blocks packets with spoofed source addresses. This prevents your network from being used to launch amplification attacks.

5. Use firewall rules as a safety net

Block incoming DNS queries (port 53 UDP/TCP) from the internet if you don't need to serve external DNS. Use iptables or your cloud provider's security groups.

# Allow DNS only from trusted networks (UDP and TCP, since DNS uses both)
iptables -A INPUT -p udp --dport 53 -s YOUR_NETWORK/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -s YOUR_NETWORK/24 -j ACCEPT
# Drop everything else destined for port 53
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP

Protect Your Infrastructure with Flowtriq

Detect DNS amplification attacks and every other DDoS vector in under 1 second. Get real-time alerts before your users notice.

7-day free trial · No credit card required · $9.99/node/month