🤖 AI Summary
Transparent DNS forwarders—lacking source IP validation and refraining from reconstructing query packets—are highly susceptible to abuse in DNS reflection-amplification attacks, enabling adversaries to bypass rate limiting and firewall controls and significantly expanding the attack surface. This paper presents the first systematic security assessment of such forwarders, integrating empirical measurement, traffic analysis, and anycast probing to quantitatively evaluate their real-world abuse potential. Our findings demonstrate that transparent forwarders can amplify attack traffic by up to 14× and scale attacks via DNS anycast infrastructure. Critically, they expose otherwise protected recursive resolvers as unwitting reflection relays, thereby undermining existing defensive mechanisms. The study provides critical empirical evidence for understanding emerging threats posed by novel DNS infrastructure and underscores the urgent need to enforce source address validation in both protocol design and operational deployment practices.
📝 Abstract
The DNS infrastructure is infamous for facilitating reflective amplification attacks. Various countermeasures such as server shielding, access control, rate limiting, and protocol restrictions have been implemented. Still, the threat remains throughout the deployment of DNS servers. In this paper, we report on and evaluate the often unnoticed threat that derives from transparent DNS forwarders, a widely deployed, incompletely functional set of DNS components. Transparent DNS forwarders transfer DNS requests without rebuilding packets with correct source addresses. As such, transparent forwarders feed DNS requests into (mainly powerful and anycasted) open recursive resolvers, which thereby can be misused to participate unwillingly in distributed reflective amplification attacks. We show how transparent forwarders raise severe threats to the Internet infrastructure. They easily circumvent rate limiting and achieve an additional, scalable impact via the DNS anycast infrastructure. We empirically verify this scaling behavior up to a factor of 14. Transparent forwarders can also assist in bypassing firewall rules that protect recursive resolvers, making these shielded infrastructure entities part of the global DNS attack surface.
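The two forwarding behaviours contrasted in the abstract, plus the source address validation it calls for, as an added toy model (not code from the paper; every address is a constructed RFC 5737 documentation address and the `Packet` class, the `LOCAL_NET` range and the probe-classification heuristic are assumptions made for this illustration). The model shows why an answer to a query relayed by a transparent forwarder is delivered by the recursive resolver straight to whatever source address the query carried, why a regular forwarder's answer comes from the forwarder itself, and how a simple ingress check at the forwarder drops queries that claim a source outside the network it serves.

```python
"""Toy model of DNS forwarding paths (added illustration, not the paper's code).
All addresses are constructed RFC 5737 documentation addresses."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

RESOLVER = "192.0.2.53"      # constructed: an open recursive resolver
FORWARDER = "192.0.2.10"     # constructed: a DNS forwarder in front of it
LOCAL_NET = "192.0.2.0/24"   # constructed: the client network the forwarder serves


@dataclass(frozen=True)
class Packet:
    src: str    # source address the packet carries (may be forged)
    dst: str    # destination address
    qname: str  # queried name


def resolver(query: Packet) -> Packet:
    """Open recursive resolver: answers whatever source address the query carries."""
    return Packet(src=RESOLVER, dst=query.src, qname=query.qname)


def transparent_forwarder(query: Packet) -> Packet:
    """Transparent forwarder: relays the query without rewriting its source
    address, so the resolver's answer goes straight to that address and the
    resolver (not the forwarder) is the host the answer comes from."""
    relayed = Packet(src=query.src, dst=RESOLVER, qname=query.qname)
    return resolver(relayed)


def regular_forwarder(query: Packet) -> Packet:
    """Regular forwarder: rebuilds the query with its own address. The resolver
    only ever sees and answers the forwarder, which then replies to its client."""
    upstream = resolver(Packet(src=FORWARDER, dst=RESOLVER, qname=query.qname))
    assert upstream.dst == FORWARDER  # the answer came back to the forwarder
    return Packet(src=FORWARDER, dst=query.src, qname=query.qname)


def validated_forwarder(query: Packet) -> Optional[Packet]:
    """Transparent forwarder with source address validation: a query whose
    source address lies outside the served network cannot come from a local
    client, so it is dropped instead of being relayed upstream."""
    if ip_address(query.src) not in ip_network(LOCAL_NET):
        return None
    return transparent_forwarder(query)


# Constructed measurement records: the address a probe was sent to and the
# address the answer came back from.
SAMPLE_PROBES: List[Dict[str, str]] = [
    {"target": "192.0.2.10", "responder": "192.0.2.53"},    # answered by another host
    {"target": "192.0.2.20", "responder": "192.0.2.20"},    # answered by itself
    {"target": "203.0.113.5", "responder": "203.0.113.5"},  # answered by itself
    {"target": "203.0.113.9", "responder": "198.51.100.53"}, # answered by another host
]


def find_transparent_forwarders(probes: List[Dict[str, str]]) -> Dict[str, str]:
    """Measurement-side heuristic (an assumption for this example): when a probe
    sent to `target` is answered from a different `responder`, the target relayed
    the packet unchanged, which indicates a transparent forwarder in front of
    `responder`. Returns a mapping target -> upstream resolver."""
    found: Dict[str, str] = {}
    for probe in probes:
        if probe["responder"] != probe["target"]:
            found[probe["target"]] = probe["responder"]
    return found


if __name__ == "__main__":
    local = Packet(src="192.0.2.77", dst=FORWARDER, qname="example.com.")
    foreign = Packet(src="198.51.100.7", dst=FORWARDER, qname="example.com.")
    print("transparent:", transparent_forwarder(foreign))
    print("regular:    ", regular_forwarder(foreign))
    print("validated:  ", validated_forwarder(foreign))
    print("found:      ", find_transparent_forwarders(SAMPLE_PROBES))
```

Running the model, the answer to the foreign-sourced query leaves `RESOLVER` addressed to `198.51.100.7` on the transparent path, comes from `FORWARDER` on the regular path, and is never relayed by the validated forwarder; the probe classifier flags `192.0.2.10` and `203.0.113.9` as targets whose answers arrived from a different host.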