
Transparent forwarders dramatically expand the DNS attack surface: they enable larger‑scale DDoS amplification and expose recursive resolvers that were previously considered protected.
The rise of transparent DNS forwarders reshapes the threat model for DNS‑based DDoS mitigation. A transparent forwarder relays a query to an upstream recursive resolver without rewriting the packet's source address, so the resolver answers the original sender directly. Attackers can therefore reach high‑capacity recursive resolvers that are otherwise firewalled or access‑controlled against their networks. This bypass undermines traditional perimeter defenses and per‑source rate limiting at the forwarder, since the response never passes through the forwarder at all, and lets attackers amplify traffic with minimal overhead. The phenomenon is especially pronounced in regions with dense deployments, such as Brazil and India, where legacy router configurations remain common.
From an operational perspective, the concentration of forwarders on a few public resolvers, primarily Google's 8.8.8.8 and Cloudflare's 1.1.1.1, creates a de‑facto amplification hub. When a transparent forwarder relays a query whose source address has been spoofed to the victim's, the resolver sends the much larger response straight to the victim; the forwarder only ever carries the small query, so its own uplink and CPU stop being the bottleneck. Laboratory tests on a MikroTik RB750Gr3 router demonstrated that transparent forwarding can sustain up to 320 Mbit/s of traffic towards the victim, far exceeding the 1.5 Mbit/s ceiling observed when the same class of device acts as a recursive forwarder and must receive and re‑send every response itself. This scalability makes the vector attractive for large‑scale botnet campaigns.
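As an added example (not code from the article or from the study it summarises), the following Python script implements the probe-side classification that follows directly from this mechanism: because a transparent forwarder preserves the scanner's source address, the reply to a probe arrives from an IP the scanner never queried, whereas a recursive forwarder answers from its own address. The zone name scan.example, the probe helper and the sample addresses are assumptions; the method also assumes the scanner operates the authoritative server for that zone and logs which IP fetches each unique name.

```python
"""Classify open-DNS probe results by who answers and who resolves.

Added example. Assumed method: each probe asks for a unique name under ZONE,
a zone whose authoritative server the scanner runs, so the scanner can later
see which IP fetched the name. Two observations then suffice: the source IP
of the DNS reply, and the IP that hit the authoritative server.
"""
import socket
import struct
import uuid
from typing import Optional, Tuple

ZONE = "scan.example"  # assumption: a zone whose authoritative NS we control


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: header with RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(lbl)]) + lbl.encode("ascii")
        for lbl in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_reply(data: bytes) -> Tuple[int, str, int, bool]:
    """Return (txid, question name, rcode, is_response).

    Only the header and question are decoded; the question is never compressed.
    """
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    is_response = bool(flags & 0x8000)
    rcode = flags & 0x000F
    if qdcount == 0:
        return txid, "", rcode, is_response
    off, labels = 12, []
    while off < len(data):
        n = data[off]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    else:
        raise ValueError("truncated question name")
    return txid, ".".join(labels), rcode, is_response


def classify(target: str, reply_src: Optional[str],
             auth_src: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return (role of the probed IP, upstream resolver if one is visible).

    target    : IP the query was sent to
    reply_src : source IP of the matching DNS reply, None if none arrived
    auth_src  : IP that fetched the unique name from our authoritative NS
    """
    if reply_src is None:
        return "unresponsive", None
    if reply_src != target:
        # Answered by a host we never queried: the target relayed our packet
        # with our source address intact and the upstream resolver replied to
        # us directly. That is the transparent-forwarder signature.
        return "transparent forwarder", reply_src
    if auth_src == target:
        return "recursive resolver", None
    if auth_src is not None:
        # The target answered us itself but another host did the resolving:
        # a recursive forwarder, whose own bandwidth caps any attack through it.
        return "recursive forwarder", auth_src
    return "unclassified", None  # answered without any authoritative fetch


def probe(target: str, timeout: float = 2.0) -> Tuple[str, Optional[str]]:
    """Send one probe to target:53; return (qname sent, reply source IP).

    The socket is deliberately left unconnected: a connect()ed UDP socket
    drops datagrams from any address but the peer, which would hide every
    transparent forwarder, since their replies come from the upstream resolver.
    """
    txid = uuid.uuid4().int & 0xFFFF
    # Encode the probed IP in the name so the authoritative log can be joined
    # back to this probe even when the fetch comes from a different address.
    qname = f"{uuid.uuid4().hex[:12]}.{target.replace('.', '-')}.{ZONE}"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid, qname), (target, 53))
        try:
            while True:
                data, (src, _) = s.recvfrom(4096)
                try:
                    rtxid, rname, _, is_resp = parse_reply(data)
                except ValueError:
                    continue  # junk datagram; keep waiting for our reply
                if is_resp and rtxid == txid and rname.lower() == qname.lower():
                    return qname, src
        except socket.timeout:
            return qname, None
```

With constructed observations, `classify("203.0.113.10", "8.8.8.8", "198.51.100.7")` returns `("transparent forwarder", "8.8.8.8")`: the probe went to 203.0.113.10 but the answer came from Google, exactly the source-preserving relay described above. The auth_src value is whatever egress address the upstream used; for a transparent forwarder the reply source is the more reliable identifier of the upstream. Note that `probe()` needs network access and a zone you control; offline, only `build_query`, `parse_reply` and `classify` run.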
Mitigation requires a shift from perimeter‑only controls to hardening the forwarding devices themselves. Network operators should audit firewall rules so that DNS queries arriving from outside the local network are dropped rather than relayed upstream, deploy ingress filtering (BCP 38) or unicast reverse‑path forwarding checks to eliminate source‑IP spoofing, and apply strict per‑source rate limits on recursive resolvers regardless of how protected they appear to be. Given that MikroTik hardware accounts for three‑quarters of identified forwarders, vendor‑specific firmware updates and configuration guides are essential. Continuous monitoring, using public APIs that expose forwarder inventories, enables rapid identification and remediation, reducing the amplification potential of the DNS ecosystem as a whole.