What is DNS amplification?
One of the most common types of DDoS attacks
DNS Amplification (also known as DNS reflection attack) is a powerful type of distributed denial-of-service (DDoS) attack that exploits the way DNS servers respond to queries.
How the attack works
An attacker sends a small DNS query to a vulnerable DNS server (called an open resolver), while spoofing the source IP address to match the victim’s IP.
The DNS server then responds with a much larger reply — often 50 to 100 times bigger than the original request.
As a result, the victim’s server or network is flooded with this amplified traffic, quickly overwhelming the bandwidth and making the service unavailable.
The attack is especially effective against misconfigured DNS servers that allow recursive queries from any source on the internet.
How to protect yourself from DNS amplification
- Use our DNS servers (recommended)
  We strongly recommend delegating your domains to Fornex NS servers. They are located in multiple geographic locations, protected against amplification attacks, and designed to handle high loads.
- If you run your own DNS server:
  - Keep your DNS software up to date.
  - Disable recursion for external clients (allow it only for trusted networks).
  - Enable Response Rate Limiting (RRL).
  - Restrict outgoing responses to only necessary record types.
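The two server-side measures above, recursion limited to trusted networks and RRL enabled, shown as a BIND 9 `named.conf.options` fragment. This is an added example, not part of this article or Fornex's own configuration; the `trusted` ACL name and the 192.0.2.0/24 range are placeholders for an operator's own networks.

```conf
// Added example (not from the article). 192.0.2.0/24 is a placeholder
// from the documentation range standing in for your own client networks.

// --- Weak: an open resolver that will amplify for any spoofed source ---
// options {
//     recursion yes;
//     allow-recursion { any; };   // anyone on the internet gets large answers
// };

// --- Hardened ------------------------------------------------------------
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;                     // placeholder: your own networks only
};

options {
    recursion yes;                    // recursive service stays available...
    allow-recursion { trusted; };     // ...but only to the trusted ACL
    allow-query-cache { trusted; };   // outsiders cannot read cached answers either
    allow-query { any; };             // authoritative answers for hosted zones stay public
    minimal-responses yes;            // omit unneeded authority/additional records, smaller replies

    // Response Rate Limiting: identical answers to one /24 are capped, so a
    // spoofed victim address stops receiving a sustained amplified flood.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;                       // every 2nd dropped answer is a tiny TC=1 reply; real clients retry over TCP
        ipv4-prefix-length 24;
        exempt-clients { trusted; };
        log-only no;                  // set to yes first to observe before enforcing
    };
};
```

After reloading, check the `rate-limit` log category for drop and slip counts before tightening `responses-per-second` further.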
Why it matters
DNS Amplification remains one of the simplest and most effective DDoS attack vectors. A single poorly configured DNS server can be turned into a powerful weapon against other targets.
By using our nameservers, your infrastructure is already protected against this type of attack at the provider level.
Help
If you have any questions or need assistance, please contact us through the ticket system — we're always here to help!