Question
What are the key indicators that a DNS server is being used in a spoofed request amplification DDoS attack?
Asked by: USER8354
Answer (107)
Indicators include a sudden, massive increase in DNS query volume, particularly for records like ANY, which request all record types. High rates of DNS responses to a single IP address, especially if that IP isn't a known DNS server, are also telltale signs. Monitoring for queries with spoofed source IPs (those that don't match expected network ranges) is crucial. Unusual DNS query patterns, like a surge in queries for non-existent domains, can also indicate an attack.
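The indicators listed in the answer can be checked over a window of query-log records. The following is an added example, not part of the original answer; the log format, network ranges, resolver list, baseline and thresholds are all assumptions to replace with the server's own values.

```python
import ipaddress
from collections import Counter

# Assumed values for this sketch; derive real ones from the server's own baseline.
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # where legitimate clients live
KNOWN_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}   # peers allowed to query heavily
BASELINE_QPS = 5.0                                       # normal queries per second
LIMITS = {"volume": 10.0, "any": 0.30, "single_target": 0.50,
          "out_of_range": 0.20, "nxdomain": 0.30}

def parse(line):
    """Constructed log format: <epoch> <client_ip> <qtype> <qname> <rcode>"""
    ts, client, qtype, qname, rcode = line.split()
    return int(ts), ipaddress.ip_address(client), qtype.upper(), qname, rcode.upper()

def amplification_indicators(lines):
    """Return the names of the indicators that exceed their limit in this window."""
    recs = [parse(l) for l in lines if l.strip()]
    if not recs:
        return set()
    n = len(recs)
    span = max(r[0] for r in recs) - min(r[0] for r in recs) + 1
    top_ip, top_n = Counter(r[1] for r in recs).most_common(1)[0]
    ratios = {
        # query rate relative to the normal baseline
        "volume": (n / span) / BASELINE_QPS,
        # share of ANY queries
        "any": sum(r[2] == "ANY" for r in recs) / n,
        # share of traffic tied to one address that is not a known DNS server
        "single_target": 0.0 if top_ip in KNOWN_RESOLVERS else top_n / n,
        # share of queries whose source is outside the expected ranges
        "out_of_range": sum(not any(r[1] in net for net in EXPECTED_NETS) for r in recs) / n,
        # share of queries for non-existent names
        "nxdomain": sum(r[4] == "NXDOMAIN" for r in recs) / n,
    }
    return {name for name, value in ratios.items() if value >= LIMITS[name]}

# Constructed sample data; 203.0.113.7 is a documentation address standing in
# for the spoofed source that the responses would be sent to.
NORMAL = [f"{1700000000 + i} 10.0.1.{i % 20 + 1} A host{i}.example.com NOERROR" for i in range(20)]
SUSPECT = NORMAL[:2] + [f"{1700000000 + i % 2} 203.0.113.7 ANY example.com NOERROR" for i in range(200)]

if __name__ == "__main__":
    print("normal :", sorted(amplification_indicators(NORMAL)))
    print("suspect:", sorted(amplification_indicators(SUSPECT)))
```

Several indicators firing together in the same window is a much stronger signal than any single one, since each can also occur in legitimate traffic.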