Transparent DNS Forwarders: On the misuse potential in DNS amplification attacks

Speaker: Maynard Koch, TU Dresden
Room: Main Room
Session: Closing Plenary
Duration: 30 min
Type: Talk

Abstract

The open DNS infrastructure is infamous for facilitating reflective amplification (RA) attacks. Various countermeasures, including server shielding, access control, rate limiting, and protocol restrictions, have been implemented. Still, the threat remains throughout the deployment of DNS servers. In this presentation, we report on the widely unnoticed threat that derives from transparent DNS forwarders, present our public measurement platform to monitor the current state, and discuss mitigation options. We raise awareness for the following reasons:
(i) Transparent forwarders relay DNS requests as-is, i.e., without rewriting the source IP address. As such, transparent forwarders feed arbitrary DNS requests that appear to be spoofed traffic into recursive resolvers, which, in the case of misuse, participate unwillingly in distributed RA attacks.
(ii) Transparent forwarders scale much better in an RA attack compared to recursive forwarders and resolvers, as they only need to handle the DNS request but not the (amplified) response.
(iii) Transparent forwarders redirect the resource-intensive recursive workload of the DNS resolution to recursive resolvers that belong to a powerful infrastructure (e.g., Google and Cloudflare).
(iv) Fingerprinting transparent forwarders reveals a broad picture of widely used vendors, ranging from CPE devices to IP cameras and powerful MikroTik Cloud-Core routers, which shows the prevalence of these devices on the Internet.
The goal of this presentation is to raise awareness of the threat potential posed by transparent DNS forwarders and provide mitigation options.
We publish our measurement results at https://odns.secnow.net and provide API access at https://odns-data.netd.cs.tu-dresden.de.
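As an added illustration (not code from the talk or from its measurement platform), the classification that point (i) implies when an operator scans their own address space for transparent forwarders: because a transparent forwarder relays the request with the scanner's source address intact, the reply arrives from a third-party resolver rather than from the probed address. The `Probe` record, the label names and the sample addresses below are constructed for this example; it assumes the scanner has already recorded, per probed address, the source address of any reply.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Probe:
    """One DNS query sent from the scanner to `target`.
    `responder` is the source address of the reply received, or None."""
    target: str
    responder: Optional[str]


def classify(probe: Probe) -> str:
    """Classify a probed host by who answered.

    A transparent forwarder relays the request unchanged (source IP intact),
    so the upstream recursive resolver replies to the scanner directly and
    the reply's source address differs from the probed target. A resolver or
    a recursive forwarder answers from the probed address itself; the two
    cannot be told apart from the responder address alone."""
    if probe.responder is None:
        return "no-response"
    if ip_address(probe.responder) == ip_address(probe.target):
        return "resolver-or-recursive-forwarder"
    return "transparent-forwarder"


def summarize(probes: List[Probe]) -> Dict[str, int]:
    """Count classifications over one scan result."""
    return dict(Counter(classify(p) for p in probes))


def upstream_resolvers(probes: List[Probe]) -> Dict[str, int]:
    """For transparent forwarders only: which third-party resolvers replied,
    i.e. the infrastructure that would absorb the recursive workload."""
    return dict(Counter(p.responder for p in probes
                        if classify(p) == "transparent-forwarder"))


# Constructed sample: targets from documentation ranges (TEST-NET); replies
# modelled as coming from well-known public resolvers or the target itself.
SAMPLE = [
    Probe("192.0.2.10", "192.0.2.10"),
    Probe("192.0.2.11", "8.8.8.8"),
    Probe("198.51.100.7", "1.1.1.1"),
    Probe("198.51.100.8", "8.8.8.8"),
    Probe("203.0.113.5", None),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(upstream_resolvers(SAMPLE))
```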


Speaker

Maynard Koch

I am a PhD student and research associate at the Chair of Distributed and Networked Systems at TU Dresden, supervised by Prof. Dr. Matthias Wählisch. Before joining TU Dresden, I graduated with a BSc and MSc in Computer Science from Freie Universität Berlin. My research focuses on Internet measurements to improve network security. I'm particularly interested in DNS and scalable IPv6 scanning.
