The researchers determined that 35% of open resolvers are open to the attack, as well as four of six home routers made by well-known brands.
They also found that 12 of 14 popular public resolvers (now 11—Cloudflare says they’ve corrected their systems) are susceptible. Even a patched DNS server could be made vulnerable by an unpatched or misconfigured NAT gateway.
Their 19-page paper on the exploit includes lists of devices and services tested. They have since set up a SAD DNS website featuring a Q&A and a tool that anyone can use to determine whether their DNS is vulnerable.
The flaw is being tracked as CVE-2020-25705, and affects Linux 3.18 – 5.10, Windows Server 2019 version 1809 and newer, macOS 10.15 and newer, and FreeBSD 12.1.0 and newer. The researchers did not test earlier versions of the listed operating system.