Maynard Koch, Florian Dolzmann, Thomas C. Schmidt, Matthias Wählisch,
Forward to Hell? On the Potentials of Misusing Transparent DNS Forwarders in Reflective Amplification Attacks,
In: Proc. of ACM CCS, pp. 3915--3929, New York: ACM, 2025.
Abstract: The DNS infrastructure is infamous for facilitating reflective ampli- fication attacks. Various countermeasures such as server shielding, access control, rate limiting, and protocol restrictions have been implemented. Still, the threat remains throughout the deployment of DNS servers. In this paper, we report on and evaluate the often unnoticed threat that derives from transparent DNS forwarders, a widely deployed, incompletely functional set of DNS compo- nents. Transparent DNS forwarders transfer DNS requests without rebuilding packets with correct source addresses. As such, trans- parent forwarders feed DNS requests into (mainly powerful and anycasted) open recursive resolvers, which thereby can be misused to participate unwillingly in distributed reflective amplification attacks. We show how transparent forwarders raise severe threats to the Internet infrastructure. They easily circumvent rate limiting and achieve an additional, scalable impact via the DNS anycast infrastructure. We empirically verify this scaling behavior up to a factor of 14. Transparent forwarders can also assist in bypassing firewall rules that protect recursive resolvers, making these shielded infrastructure entities part of the global DNS attack surface.
Topics: Network Security | Network Management | Internet Measurements and Analysis
This page generated by bibTOhtml on So 15. Feb 00:05:05 CET 2026