
I was wondering: if I limit ACL access to my nameservers that allow recursion, is the worst that could happen someone launching a DNS amplification attack on any of the allowed hosts in the ACL?

For example:

ACL allow access to 11.111.111.11 and 22.222.22.222

Could 22.222.22.222 in theory launch a DNS amplification attack on 11.111.111.11?

Diamond

2 Answers


Removing the attacker's IP address from the ACL won't stop an amplification attack. Since an amplification attack involves IP spoofing, the server will never see the real IP address of the attacker. Instead the server will only see the IP address of the victim.

Removing the IP address of the victim from the ACL will however stop the amplification attack assuming the ACL mechanism is reasonably implemented.

This means you cannot protect your legitimate users this way. But if you have only a well-known set of legitimate users you can ensure that your DNS server won't be abused to perform an amplification attack against third parties. This will likely also reduce load on your DNS server since anybody wanting to perform an amplification attack would be wasting their own bandwidth by sending packets to your server.

If you have complete control over the network path between each legitimate client and your DNS server, then it is possible to filter spoofed packets before they reach the server.

kasperd
  • Thank you for the insight! I've read that removing the ANY DNS request would potentially lower the chances of abuse. Do you know how one would implement this? Or could you point me in the right direction? – userbindquestions Dec 21 '15 at 23:36
  • @userbindquestions Refer to [this Q&A](http://serverfault.com/questions/744613/block-any-request-in-bind), though I suspect you may be the author of that one given the timing. As touched on in my answer, there are other concerns you should address first. Focusing on type `ANY` right now is like focusing on a tree and ignoring the forest. (Also, please click the check box near the upvote button if kasperd answered your original question, thanks!) – Andrew B Dec 22 '15 at 01:38
  • @userbindquestions Disabling ANY requests can in some cases reduce the amplification factor, but it cannot prevent amplification attacks altogether. Additionally this being a recursive resolver an attacker can construct a zone producing a large response without needing ANY requests. This combined with the fact that disabling ANY requests makes debugging problems harder means that I cannot recommend disabling ANY requests. – kasperd Dec 22 '15 at 08:27
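The ACL the question describes, written out as a BIND 9 `named.conf` fragment. This is an added example, not configuration from the question or from either answer; the ACL name `friends`, the directory path and the commented-out prefix are placeholders, and the two addresses are the ones from the question.

```conf
# Added example: restrict recursion on a BIND 9 resolver to two listed hosts.
# "friends" is a placeholder ACL name; the addresses come from the question.

acl "friends" {
    11.111.111.11;
    22.222.22.222;
    # 192.0.2.0/24;   # a whole prefix you control can be listed the same way
};

options {
    directory "/var/cache/bind";   # placeholder path
    recursion yes;

    # Only ACL members may ask this server to recurse on their behalf.
    allow-recursion { friends; };

    # Only ACL members may read answers already sitting in the cache.
    # Without this, a non-recursive (RD=0) query from any source could still
    # pull cached records, which is enough for amplification.  BIND defaults
    # allow-query-cache to the allow-recursion list, but stating it avoids
    # surprises when the defaults change.
    allow-query-cache { friends; };

    # Zones this server is authoritative for are not covered by the two
    # directives above; tighten allow-query too if those should be private.
    allow-query { any; };
};
```

Validate with `named-checkconf` before reloading, then confirm from a host outside the ACL that `dig @<server> example.com` returns `REFUSED` rather than an answer. Note what this does not do: a query whose source address is spoofed to `11.111.111.11` still matches `friends`, so, exactly as the answer says, the listed hosts remain possible victims while everyone else is protected.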

If you set an ACL to allow access to 11.111.111.11 and 22.222.22.222, that means that anyone who can spoof those sources (as seen by your server) can use your server to attack 11.111.111.11 or 22.222.22.222. That person could probably use any open DNS resolver in the world to do the same thing.

Spoofing a packet, as seen by your server, means to make your server see a packet that has a source address of 11.111.111.11 or 22.222.22.222 even though that server never sent that packet. Many ISPs manage to do anti-spoofing at their network edge, discarding packets from the outside that indicate they are from the inside, and also anti-spoofing for their clients, so that their client cannot spoof IPs at all. If your ISP does this, then external IPs can only spoof (and use DNS amplification to attack) external IPs. If the DNS resolver only replies to queries from internal IPs, then there is no problem.

Best practice therefore is to only offer DNS resolving services to IPs that you control, and to apply anti-spoofing at the network level.

For more information see:

https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/

but don't hesitate to clarify your question (what is your problem, are you an ISP or a company or a home user . . .)

EDIT because my follow-up comment was too long:

I do think forbidding the ANY request would probably lower the chance of abuse, because you are probably not the object of anything specific. So, if the attacker is using ANY requests, stopping them will stop the attack through you, and the attacker will not care or even notice. BUT what you should do is limit the right to make requests using an ACL, including only your friends' IPs, as explained above. Then you will not be an open resolver. Either the trojan is spoofing an IP that does not belong to a friend of yours, and you will not reply to it, or by some bizarre chance one of your friends will get hit by an attack because of your trojaned friend, but as long as you don't have millions of friends that should be OK.

I'll anticipate your question: your friends have dynamic IPs. That's not easy to answer; if there is a compelling reason that your friends cannot use the DNS server provided by their DHCP, or else something like OpenDNS or Google's 8.8.8.8 or a full-out VPN, I think that something like dnscrypt may be the solution.

Of course, if your friends get trojaned, worrying about their DNS security should probably take second place to host security.

Law29
  • Thank you for the insight! I am running a DNS system for some friends, but one of them had a trojan on their computer which launched a DNS amplification and resulted in my server being suspended. I've read that removing the ANY DNS request would potentially lower the chances of abuse. Do you know how one would implement this? Or could you point me in the right direction? – userbindquestions Dec 21 '15 at 23:37
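The edge anti-spoofing the answer describes (discard outside packets that claim an inside source, and discard inside packets that do not carry an inside source), as an nftables ruleset. This is an added example, not configuration from the answer or from any ISP; the interface names `eth0` (outside) and `eth1` (inside) and the prefix `192.0.2.0/24` are assumptions for illustration.

```conf
# Added example: BCP38-style anti-spoofing on a router/firewall in nftables.
# Assumptions: eth0 faces the outside, eth1 faces the inside, and the inside
# prefix is 192.0.2.0/24.  Load with: nft -f <this file>

table inet antispoof {
    set inside_prefixes {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    chain prerouting {
        type filter hook prerouting priority -150; policy accept;

        # Ingress check: a packet arriving on the outside interface that
        # claims an inside source address is spoofed; drop it before it can
        # reach the resolver and match its ACL.
        iifname "eth0" ip saddr @inside_prefixes counter drop

        # DHCP clients legitimately send from 0.0.0.0 before they have an
        # address; let that through the egress check below.
        iifname "eth1" ip saddr 0.0.0.0 udp dport 67 accept

        # Egress check: a packet from an inside client that does not carry an
        # inside source is that client spoofing; drop it so our own users
        # cannot launch amplification against anyone.
        iifname "eth1" ip saddr != @inside_prefixes counter drop
    }
}
```

With both rules in place and the resolver's ACL limited to `192.0.2.0/24`, a query that reaches the resolver with an inside source address really did come from inside, which is the condition under which the answer says there is no problem. Check the counters with `nft list table inet antispoof` after a few minutes to see whether either rule is actually firing.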