DNS Forwarders Gone Rogue: The Invisible Infrastructure Vulnerability

January 26, 2026

In October 2025, at the ACM SIGSAC Conference on Computer and Communications Security (CCS ’25), security researchers affiliated with TU Dresden and HAW Hamburg presented a detailed investigation of a critical vulnerability in the Domain Name System (DNS) that creates a massive blind spot in the overall internet infrastructure. The research shows how misconfigured or default-insecure network devices act as transparent DNS forwarders, which can be abused for devastating Distributed Denial of Service (DDoS) attacks that exploit DNS’s potential for amplification. This DNS-specific security flaw lets threat actors weaponize the very infrastructure that translates domain names to IP addresses, turning legitimate DNS resolvers into mindless zombies participating in DDoS attacks that generate traffic volumes 40-80× larger than the original malicious requests.

Understanding Transparent DNS Forwarders and the Global Scale of Affected Devices

The open DNS (ODNS) infrastructure remains a prime target for DNS reflective amplification attacks, with most components unintentionally exposed and lacking proper security configurations. Transparent DNS forwarders, devices that relay DNS requests without rewriting the source IP address, were first identified in 2013 and comprehensively analyzed in 2021; as of 2025 they make up 30% of the ODNS infrastructure.

The research team identified approximately 530,000 active transparent DNS forwarders globally as of early 2025, representing 30% of the open DNS (ODNS) infrastructure. Of these devices, 13,072 (2.5%) were successfully identified and fingerprinted. Furthermore, security researchers identified these devices across 175 countries, with Brazil hosting 31% and India 24% of the global deployment. Through fingerprinting analysis, the team found that MikroTik routers dominate this landscape at 76%, ranging from consumer-grade devices to powerful enterprise core routers.

Amplifying Attack Power: From Shielded Resolvers to Anycast Abuse

What makes transparent forwarders particularly dangerous is their operational mechanics. These devices relay DNS queries to upstream resolvers without modifying the source IP address, essentially creating a pass-through that bypasses normal security controls. The investigation demonstrated that threat actors can exploit this behavior to achieve amplification factors exceeding 14× compared to traditional attack methods. In controlled laboratory tests on common MikroTik hardware, the researchers showed that a single transparent forwarder could generate 1.43 Gbps of attack traffic while consuming only 35.8 Mbps of the attacker’s bandwidth, a devastating 29-fold increase in attack efficiency compared to traditional recursive forwarders.

Additionally, the investigation uncovered three particularly alarming attack scenarios in which transparent forwarder IP addresses can be misused for DNS reflection and amplification attacks. First, transparent forwarders enable access to approximately 25,000-30,000 “shielded” DNS resolvers that are normally protected by firewalls (FW). These supposedly secure systems become vulnerable when transparent forwarders act as unwitting proxies, and the research found that 33% of these shielded resolvers lack proper rate limiting. Second, the researchers demonstrated how attackers could orchestrate multiple transparent forwarders to bypass regional rate limits on major DNS providers like Google and Cloudflare, effectively weaponizing their global anycast infrastructure. Third, they found that 67% of transparent forwarders relay queries to Google’s DNS service, while 9% use Cloudflare, inadvertently making these robust infrastructures complicit in potential attacks.

Open DNS Attack Methods: Open DNS servers accept and respond to queries from any source on the internet, regardless of whether the requester is an authorized user. They become a security risk when threat actors exploit them for DNS amplification attacks, primarily through two methodologies:

  • Amplification by packet size (Size-Based Amplification): DNS reflective amplification attacks manipulate resolvers to produce responses significantly larger than the initial queries. Using techniques like EDNS0 and querying DNSSEC-signed domains, attackers routinely achieve amplification ratios between 40× and 60×. Threat actors also frequently target legitimate government domains (.gov) because their DNSSEC signatures naturally provide a potential for substantial amplification. The research also demonstrated that eliminating the top 20% of the most powerful amplifiers could reduce overall attack capacity by up to 80%.
  • Amplification by number of responses (Response Volume Amplification): certain reflectors can generate millions of responses from a single query. These response floods result from routing loops, misconfigured middleboxes, and “Echoing Resolvers”, devices that send multiple replies per request. Although such vulnerable devices are relatively rare, the study cites prior investigations indicating that as few as 100 such devices suffice for effective real-world attacks. Most attacks utilize only 10 to 1,000 reflectors, yet the open DNS infrastructure contains approximately 1.7 million active IP addresses, presenting a substantial vulnerability. Well-provisioned networks host hundreds of thousands of these resolvers, making them prime components for launching DDoS attacks.

Threat Actor Attack Criteria

IP address stability significantly influences which resolvers threat actors target; high-churn resolvers are less frequently exploited. Stable transparent forwarders represent particularly attractive targets, with carefully curated lists already exceeding the reflector counts used in typical attacks. While most open resolvers explicitly advertise their services through hostnames, the study shows that approximately 1% of all open resolvers appear consistently across 95% of measurement scans over extended periods, representing 20,000 to 30,000 persistently available devices for potential DDoS exploitation.

Real-World Attack Feasibility: The study shows that the barrier to exploiting transparent forwarders remains relatively low. Threat actors require only the following to succeed:

  • IP Spoofing: The ability to send packets with falsified source addresses. Despite decades of best practice implementations, numerous networks still permit this behavior.
  • Target List(s): Identifying transparent forwarders requires minimal effort. Comprehensive internet-wide scans complete in under 45 minutes (research mentions tools like ZMap). Researchers identified 567 fully responsive /24 subnets where nearly every address operates a transparent forwarder, allowing attackers to optimize scan efficiency.
  • No Botnet Required: Unlike traditional DDoS attacks that require compromised zombie machines, transparent forwarder orchestration operates from a single control point. The distribution occurs organically through the geographically dispersed forwarder DNS infrastructure.

Taken together, transparent DNS forwarders are an often-overlooked component of internet infrastructure that has evolved into a significant security liability. Their operational characteristics, handling queries without processing responses, providing access to shielded infrastructure, and enabling global distribution without botnets, make them exceptionally efficient tools for launching DDoS attacks.

Hardening Networks: Multi-Layered Defense Solutions

The technical mitigations described in this comprehensive study are clear: implement network ingress filtering (RFC 2827), deploy reverse path forwarding checks (RFC 8704), and audit FW rules protecting DNS infrastructure. Equally clear is that addressing the transparent forwarder threat requires coordinated action across multiple levels of the DNS ecosystem, combining preventive measures at the network operator level with defensive mitigation capabilities against DDoS attacks.
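As an added illustration of the ingress and egress filtering the study recommends (example code written for this summary, not code from the paper or from any vendor product), the following Python classifier applies BCP 38 style source checks and a DNS-exposure check to constructed flow records from a hypothetical edge router; the LAN prefix, WAN address, upstream resolver and flow fields are assumptions.

```python
import ipaddress

# Constructed for this example: the edge router's own addressing (not from the paper).
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]   # the LAN behind the router
ROUTER_WAN_IP = ipaddress.ip_address("198.51.100.7")      # the router's public address
UPSTREAM_RESOLVER = "8.8.8.8"                             # where the router forwards DNS

def is_local(ip):
    """True if ip is the router itself or sits inside a prefix the router legitimately sources."""
    a = ipaddress.ip_address(ip)
    return a == ROUTER_WAN_IP or any(a in p for p in LOCAL_PREFIXES)

def classify(flow):
    """Verdict for one flow record: dict with iface ('lan'/'wan'), dir ('in'/'out'), src, dst, dport.
    Checks applied in order:
      1. BCP 38 egress: a packet leaving via WAN must carry a local source. A DNS query
         leaving with a foreign source is the fingerprint of transparent forwarding: the
         router relayed someone else's query without rewriting the (possibly spoofed) source.
      2. Ingress anti-spoofing (strict uRPF on WAN): a packet arriving from the internet
         must not claim a local source address.
      3. Exposed DNS: a port-53 query arriving on WAN for the router itself means the device
         answers DNS for the whole internet and belongs behind a firewall rule.
    """
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    wan_out = flow["iface"] == "wan" and flow["dir"] == "out"
    wan_in = flow["iface"] == "wan" and flow["dir"] == "in"
    if wan_out and not is_local(src):
        if dport == 53:
            return "drop: transparent-forwarding (foreign source on egress DNS query)"
        return "drop: bcp38-egress (foreign source leaving via WAN)"
    if wan_in and is_local(src):
        return "drop: spoofed-local-source (local address arriving from the internet)"
    if wan_in and dport == 53 and ipaddress.ip_address(dst) == ROUTER_WAN_IP:
        return "drop: dns-open-to-internet (port-53 query to router on WAN)"
    return "allow"

# Constructed flow records: an internet host probing the router's DNS, the relayed query a
# transparent forwarder would emit, normal LAN use, the router's own query, a spoofed inbound packet.
SAMPLE_FLOWS = [
    {"iface": "wan", "dir": "in",  "src": "203.0.113.10", "dst": "198.51.100.7", "dport": 53},
    {"iface": "wan", "dir": "out", "src": "203.0.113.10", "dst": UPSTREAM_RESOLVER, "dport": 53},
    {"iface": "lan", "dir": "in",  "src": "192.0.2.20",   "dst": "198.51.100.7", "dport": 53},
    {"iface": "wan", "dir": "out", "src": "198.51.100.7", "dst": UPSTREAM_RESOLVER, "dport": 53},
    {"iface": "wan", "dir": "in",  "src": "192.0.2.99",   "dst": "198.51.100.7", "dport": 80},
]

def audit(flows):
    """Run every record through classify and return the list of verdicts."""
    return [classify(f) for f in flows]
```

The second sample flow is the tell-tale sign an operator can look for in their own egress flow logs: a port-53 query leaving the router with a source address that is not theirs.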

Conclusion:

The Threat: In their investigation, security researchers identified approximately 25,000-30,000 shielded resolvers (DNS infrastructure located behind network FWs) that can be accessed via transparent forwarders acting as unwitting proxies. Roughly 33% of these shielded resolvers lack proper rate limiting because network administrators assumed FW protection eliminated the need for resolver-level restrictions. Analysis of autonomous systems hosting resolvers exclusively reachable through transparent forwarders revealed that 82 shielded resolvers are not protected by any reasonable rate limit.

The study also identified approximately 2,800 total resolvers (both open and shielded) that displayed no measurable rate limits, each capable of processing over 2,900 queries per second. Using the conservative 40× amplification factor (the threshold used in testing), threat actors exploiting just these unrestricted resolvers could generate minimum sustained attack volumes exceeding 180 Gbps.

DigiCert’s UltraDDoS Protect’s DNS and BGP redirection capabilities combined with cloud-based traffic scrubbing directly neutralize this threat. When a threat actor sends spoofed DNS queries through transparent forwarders to shielded resolvers, the amplified responses (potentially 180+ Gbps) are redirected away from the victim’s infrastructure before reaching their network. The DNS redirection occurs at the resolution level, while BGP redirection operates at the network routing layer, creating redundant protection. The >15 Tbps mitigation capacity across 16 global Points of Presence ensures sufficient headroom to absorb these volumetric floods.

The Other Threat: The study also revealed threat actors frequently targeting DNSSEC-signed domains because they generate large responses ideal for amplification. DNSSEC and EDNS0 enable amplification factors of 40-60×, with DNSSEC key rollovers achieving factors exceeding 80×. Attackers particularly favor legitimate .gov domains because they’re DNSSEC-signed by default, providing high amplification without requiring cache poisoning or domain compromise.

DigiCert’s UltraDNS’s one-click DNSSEC protection combined with built-in DDoS mitigation transforms DNSSEC from an amplification vulnerability into a security asset. The automated DNSSEC signing ensures cryptographic integrity while the built-in DDoS protection layer monitors query patterns for amplification abuse indicators, such as repetitive queries for DNSKEY or large TXT records from unusual geographic distributions or at rates inconsistent with legitimate traffic. When UltraDNS detects potential amplification attempts (high volumes of DNSSEC queries from distributed sources characteristic of transparent forwarder orchestration), response rate limiting specifically targets the abusive pattern while maintaining service for legitimate queries.
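To make the response rate limiting described above concrete, here is an added example (written for this summary, not UltraDNS code or code from the paper) of a simplified RRL token bucket keyed on client /24, query name and type, in the style used by common authoritative servers: over-limit responses are mostly dropped, but every slip-th one is sent truncated so a genuine client falls back to TCP, which a spoofed source cannot complete. The rate, slip value and query log are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

class ResponseRateLimiter:
    """Simplified RRL: one token bucket per (client /24, qname, qtype).
    Constructed for this example; parameters are assumptions, not vendor defaults."""

    def __init__(self, responses_per_second=5, slip=2):
        self.rate = responses_per_second      # identical responses allowed per second, sustained
        self.capacity = responses_per_second  # burst allowance: one second's worth of tokens
        self.slip = slip                      # every slip-th over-limit query gets TC=1 instead of a drop
        self.buckets = {}                     # key -> (tokens, last_update_time)
        self.over_limit = defaultdict(int)    # key -> count of over-limit queries seen

    @staticmethod
    def key(client_ip, qname, qtype):
        # Spoofed sources are spread across a prefix, so limit per /24 rather than per address.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, client_ip, qname, qtype, now):
        """Return RESPOND, TRUNCATE (reply with TC=1, forcing a TCP retry) or DROP."""
        k = self.key(client_ip, qname, qtype)
        tokens, last = self.buckets.get(k, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill since last seen
        if tokens >= 1:
            self.buckets[k] = (tokens - 1, now)
            return "RESPOND"
        self.buckets[k] = (tokens, now)
        self.over_limit[k] += 1
        # A legitimate client caught in the limit still gets a truncated answer and can retry
        # over TCP; a spoofed source cannot complete the TCP handshake for the victim address.
        return "TRUNCATE" if self.over_limit[k] % self.slip == 0 else "DROP"

# Constructed query log (client_ip, qname, qtype, time): a burst of DNSKEY queries from one /24
# at t=0, one from another /24, one for a different type, and one a second later.
SAMPLE_QUERIES = (
    [(f"203.0.113.{i + 1}", "example.com", "DNSKEY", 0.0) for i in range(20)]
    + [("198.51.100.5", "example.com", "DNSKEY", 0.0),
       ("203.0.113.7", "example.com", "A", 0.0),
       ("203.0.113.7", "example.com", "DNSKEY", 1.0)]
)

def summarize(queries, **limits):
    """Feed a query log through a fresh limiter and count the decisions taken."""
    rrl = ResponseRateLimiter(**limits)
    return dict(Counter(rrl.decide(*q) for q in queries))
```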

From a threat analysis perspective, transparent forwarders represent the dangerous intersection of persistent infrastructure misconfiguration, continued IP spoofing viability, and DNS resolution concentration in massive anycast networks that ultimately become weaponized through transparent proxy access. Until coordinated action spans the entire internet ecosystem, from equipment manufacturers shipping secure-by-default configurations, to ISPs implementing ingress filtering and DNS infrastructure audits, to organizations deploying resilient authoritative and protective services, transparent forwarders will continue enabling devastating DDoS attacks that turn critical DNS infrastructure against itself.

UltraDDoS Protect is a purpose-built defense against massive volume attacks, providing ultra-fast detection and mitigation on a global scale. It delivers a high-capacity network with flexible deployment options so organizations can implement sophisticated traffic scrubbing across multiple vectors.

To learn more about UltraDDoS Protect, contact us today for a demo.

Last Updated: January 26, 2026
