Forward to Hell? On Misusing Transparent DNS Forwarders For Amplification Attacks | RIPE Labs
Maynard Koch
Based in Dresden, Germany
I am a PhD student and research associate at the Chair of Distributed and Networked Systems at TU Dresden, supervised by Prof. Dr. Matthias Wählisch. Before joining TU Dresden, I graduated with a BSc and MSc in Computer Science from Freie Universität Berlin. My research focuses on Internet measurements to …
Contributors:
Florian Dolzmann,
Thomas C. Schmidt,
Matthias Wählisch
10 min read — 12 Feb 2026
DNS infrastructure is infamous for facilitating reflective amplification attacks. Countermeasures such as server shielding, access control, rate limiting and protocol restrictions have improved the situation, but DNS-based reflective amplification attacks persist. Focusing on the threat vector introduced by transparent DNS forwarders, our research shows they can provide access to shielded recursive resolvers and scale better in terms of potential attack volume.
Jump to our research paper: Forward to Hell? On the Potentials of Misusing Transparent DNS Forwarders in Reflective Amplification Attacks
Over the past decade, the total number of open DNS devices has decreased from over 25M in 2014 to 1.4M in 2026. These devices are often targeted by attackers, who misuse them as reflectors for DNS requests with spoofed source IP addresses. Over the past five years, we conducted weekly Internet-wide scans to monitor the open DNS infrastructure. Our analysis shows that the number of recursive DNS resolvers and forwarders (aggregated under ‘Other ODNS components’) constantly decreases, while the number of transparent forwarders remains at the same level, although our responsible disclosure removed more than 250k devices from the threat landscape.
Figure 1 - Number of transparent forwarders and other open DNS components per week from 2021 to 2026
Transparent DNS forwarders
An often unnoticed threat derives specifically from so-called transparent DNS forwarders - a widely deployed, incompletely functional set of DNS components.
Transparent DNS forwarders transfer DNS requests without rebuilding packets. As a result, the source IP address in the query forwarded to other DNS components (for example, recursive resolvers) remains the IP address of the original client rather than that of the forwarder.
Transparent forwarders raise severe threats to the Internet infrastructure:
They feed DNS requests into (mainly powerful and anycasted) open recursive resolvers, which can thereby be misused to participate unwillingly in distributed reflective amplification attacks.
They easily circumvent rate limiting and achieve an additional, scalable impact via the DNS anycast infrastructure.
Transparent forwarders can also assist in bypassing firewall rules that protect recursive resolvers, making these shielded infrastructure entities part of the global DNS attack surface.
In contrast to recursive forwarders, transparent forwarders do not need to handle the (potentially amplified) response, enhancing the effectiveness of an attack.
Figure 2 - Transparent forwarders do not rewrite the source IP address of the DNS request. The recursive resolver sees a query coming directly from the client, in this case the spoofed victim IP address. (Icons from flaticon.com)
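An operator auditing their own address space can apply the behaviour shown in Figure 2 to scan results: because a transparent forwarder leaves the source address untouched, the answer to a probe arrives from the upstream resolver rather than from the probed address. The following is an added example, not code from the article or the research paper; the record layout, function names and documentation-range addresses are assumptions, and the sample data is constructed.

```python
from collections import Counter

# Constructed sample data (documentation address ranges, not real hosts).
# Assumption: every probe carries a unique id that the answer echoes back.
SAMPLE_PROBES = {            # probe id -> address the query was sent to
    0x1001: "192.0.2.10",
    0x1002: "192.0.2.11",
    0x1003: "192.0.2.12",
    0x1004: "192.0.2.13",
    0x1005: "192.0.2.14",
}
SAMPLE_RESPONSES = [         # (source address of the answer, probe id)
    ("198.51.100.53", 0x1001),
    ("192.0.2.11", 0x1002),
    ("198.51.100.53", 0x1003),
    ("203.0.113.53", 0x1004),
    ("203.0.113.99", 0x9999),   # unsolicited answer, matches no probe
]

def classify(probes, responses):
    """Return {probed_ip: (label, upstream_or_None)} for each probe."""
    sources_by_id = {}
    for src, probe_id in responses:
        sources_by_id.setdefault(probe_id, set()).add(src)
    result = {}
    for probe_id, target in probes.items():
        sources = sources_by_id.get(probe_id, set())
        if not sources:
            result[target] = ("no_response", None)
        elif target in sources:
            # The probed host answered itself: it rebuilt the packet.
            result[target] = ("resolver_or_recursive_forwarder", None)
        else:
            # The answer came from elsewhere: the probed host relayed the
            # query with our source address intact (transparent forwarder).
            result[target] = ("transparent_forwarder", sorted(sources)[0])
    return result

def upstream_share(result):
    """Fraction of transparent forwarders relaying to each upstream resolver."""
    counts = Counter(up for label, up in result.values()
                     if label == "transparent_forwarder")
    total = sum(counts.values())
    return {up: n / total for up, n in counts.items()} if total else {}

if __name__ == "__main__":
    classified = classify(SAMPLE_PROBES, SAMPLE_RESPONSES)
    for ip, (label, upstream) in sorted(classified.items()):
        print(ip, label, upstream or "-")
    print(upstream_share(classified))
```

Hosts labelled `transparent_forwarder` are the ones to follow up with the responsible operator; the upstream tally shows which recursive resolvers they expose.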
Distribution of transparent forwarder deployment
Transparent DNS forwarders are publicly accessible via the global Internet in 175 economies, with a strong bias towards Brazil (31%) and India (24%).
Our observations imply that attackers have access to a widely distributed infrastructure. 45% of transparent forwarders are located in 173 economies, with most of the remainder being in two economies. The concentration of the second group makes it possible to efficiently approach a smaller subset of operators to reduce the threat landscape.
Figure 3 - Overview of world-wide transparent forwarder deployment.
Public DNS resolvers used by transparent forwarders
Transparent forwarders redirect the resource-intensive recursive workload of DNS resolution to recursive resolvers that belong to a powerful infrastructure.
Our measurements show that a recursive resolver belonging to either Google or Cloudflare is configured on 76% of all transparent forwarders. An attacker that simply bases its attacks on recursive resolvers in general may prefer to target less powerful resolvers (for example, customer-premises equipment, or CPE).
Table 1: Top 10 public DNS resolvers used by transparent forwarders.
Public Resolver
Transparent Forwarders Using Public...