Hazardous Echoes: The DNS Resolvers that Should Be Put on Mute

Ramin Yazdani, Yevheniya Nosyk, Ralph Holz, Maciej Korczyński, Mattijs Jonker, Anna Sperotto

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-review


Connectionless networking protocols such as DNS continue to be widely misused for Reflection & Amplification (R&A) DDoS attacks. Early efforts to address the main cause of DNS-based R&A were focused on identifying and attempting to eradicate open DNS resolvers. One characteristic of open resolvers that has not received much attention so far is that – as a result of unexpected behavior – resolvers can react to a single query with multiple DNS responses. We refer to these as Echoing Resolvers. In this paper, we quantify the problem of echoing resolvers in the wild. We identify thousands of such resolvers on the Internet and show how some reply on the order of tens of thousands of times to a single query, further escalating the potential of R&A DDoS attacks. We analyze the cause of response repetition, study behavioral differences among echoing resolvers, and categorize resolvers on the basis of the underlying causes of the observed behavior. We show how the interplay between DNS traffic and the traversed networks is responsible for echoing resolvers. In particular, we identify IP broadcasting as a cause of echoing resolvers, on top of phenomena already described in the literature (e.g., routing loops). Furthermore, we show that using sensitive labels in queries can lead to a more powerful echoing effect while using different query types does not significantly affect echoing behavior. Finally, seeing how some underlying causes of response repetition also affect or can be turned against authoritative nameservers, we quantify the potential impact of echoing resolvers on these as well.
Original language: English
Title of host publication: 2023 7th Network Traffic Measurement and Analysis Conference (TMA)
Place of Publication: Piscataway, NJ
Number of pages: 10
ISBN (Electronic): 978-3-903176-58-4
ISBN (Print): 979-8-3503-2567-6
Publication status: Published - 26 Jun 2023
Event: 7th Network Traffic Measurement and Analysis Conference, TMA 2023 - Naples, Italy
Duration: 26 Jun 2023 to 29 Jun 2023
Conference number: 7


Conference: 7th Network Traffic Measurement and Analysis Conference, TMA 2023
Abbreviated title: TMA 2023


  • 2023 OA procedure


