Tags: Amplification, Reflection, UDP, Spoofable
DNS stress test
Turns small spoofed DNS queries into oversized responses reflected off open resolvers, validating whether your edge can absorb one of the highest-volume amplification vectors on the internet.
How it works
DNS runs over UDP on port 53, and open recursive resolvers answer queries with responses many times larger than the request, especially for ANY or large record types. Spoofing the source address to your test target makes those reflected responses pile up on your infrastructure, converting modest outbound effort into a heavy inbound flood. This exercise validates upstream scrubbing capacity, anti-spoofing posture, and how cleanly your network sheds reflected UDP without collateral impact on legitimate DNS traffic.
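As an added defensive example (not the service's tooling and not from the original page), this is the check a network team can run over its own flow records to separate reflected responses from legitimate resolution: a real answer matches a query the protected host sent earlier, while a reflected one arrives from UDP/53 with no matching outbound query, and its size relative to a typical query gives the amplification ratio being absorbed. The flow lines, addresses and the 64-byte typical query length are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed flow records (not captured from any real network):
# "src:port -> dst:port len=bytes", one datagram per line.
SAMPLE_FLOWS = """
203.0.113.45:40001 -> 198.51.100.7:53 len=58
198.51.100.7:53 -> 203.0.113.45:40001 len=212
198.51.100.9:53 -> 203.0.113.45:40002 len=3034
198.51.100.9:53 -> 203.0.113.45:40003 len=3034
198.51.100.21:53 -> 203.0.113.45:40004 len=2560
198.51.100.21:53 -> 203.0.113.45:40005 len=2560
198.51.100.30:53 -> 203.0.113.45:40006 len=120
""".strip().splitlines()

FLOW_RE = re.compile(r"^([\d.]+):(\d+) -> ([\d.]+):(\d+) len=(\d+)$")
MIN_RATIO = 10.0  # assumed threshold: unsolicited answers this much larger than a query


def find_reflected_dns(flows, protected_hosts, query_len=64):
    """Return per-reflector stats for DNS responses that no protected host asked for.

    A legitimate response matches an earlier outbound query on the same
    (client, client_port, resolver) tuple. A reflected response has no such
    match, because the query was sent elsewhere with a spoofed source address.
    """
    outstanding = set()
    reflectors = defaultdict(lambda: {"responses": 0, "bytes": 0, "max_ratio": 0.0})
    for line in flows:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, length = m.groups()
        sport, dport, length = int(sport), int(dport), int(length)
        if src in protected_hosts and dport == 53:
            outstanding.add((src, sport, dst))  # our own query: remember it
        elif dst in protected_hosts and sport == 53:
            key = (dst, dport, src)
            if key in outstanding:
                outstanding.discard(key)  # answer to a query we really sent
                continue
            stats = reflectors[src]  # unsolicited: count it against the reflector
            stats["responses"] += 1
            stats["bytes"] += length
            stats["max_ratio"] = max(stats["max_ratio"], length / query_len)
    # Keep only sources whose unsolicited answers look amplified, not stray late replies.
    return {r: s for r, s in reflectors.items() if s["max_ratio"] >= MIN_RATIO}


if __name__ == "__main__":
    for reflector, s in find_reflected_dns(SAMPLE_FLOWS, {"203.0.113.45"}).items():
        print(f"{reflector}: {s['responses']} responses, {s['bytes']} bytes, ~{s['max_ratio']:.0f}x")
```

Fed real flow exports, the reflector set is what you hand upstream for scrubbing and the ratio is what you compare against the amp_factor the exercise claims to deliver.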
Parameters
pps (600k pps): Query rate aimed at the resolver pool
duration (10-600 s): Length of the sustained reflection run
reflectors (500-10k hosts): Breadth of the open-resolver source pool
amp_factor (28x-54x): Response-to-query size ratio under test
Run it from the CLI (retro-cli)
$ retro run dns --target 203.0.113.45 --duration 120
DNS FAQ
Why is DNS amplification so effective?
A short spoofed query can pull back a response dozens of times larger, so a modest source rate becomes a much heavier flood at the reflected target. The high amplification ratio is what makes it one of the most cited volumetric vectors.
What does running this test prove?
It shows whether your edge and upstream scrubbing can absorb reflected UDP/53 at scale, and whether legitimate DNS resolution survives while the flood is mitigated.
Does this attack the resolvers themselves?
No. In authorized testing the reflected volume is directed at infrastructure you own. The point is to validate your own absorption and anti-spoofing controls, not to disrupt third-party resolvers.