I deployed a toy OSS DC/OS 1.11.1 cluster over the weekend on 3 VPS machines that I had available (each one being public to the internet). And after a few hours I got an alert from my provider that my master node was participating in a DDoS reflection attack using DNS amplification.
Digging in, I found out that indeed dcos-net is blindly forwarding DNS requests to the upstream DNS servers. I am assuming that's the spartan service?
Regardless of the cluster configuration (e.g. airtight or exposed), I think that spartan should validate that the DNS request comes from within the cluster before forwarding it to the upstream DNS servers.
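The check the post asks for, as an added illustration that is not part of the issue and not dcos-net's or spartan's own code: a forwarder decision function that refuses queries whose source address is outside the cluster networks, and additionally refuses ANY queries, the classic amplification bait. The cluster CIDRs, the `should_forward`/`parse_query`/`build_query` names and the sample packet are all assumptions made up for this example; the real cluster ranges would come from the DC/OS config.

```python
"""Source-address filter for a DNS forwarder (hypothetical example code)."""
import ipaddress
import struct
from typing import List, Tuple

# Constructed example values: the networks a query may legitimately come from.
# These are assumptions for illustration, not DC/OS defaults.
CLUSTER_NETWORKS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.0.0.0/24"),   # node network (assumed)
    ipaddress.ip_network("9.0.0.0/8"),     # container overlay (assumed)
    ipaddress.ip_network("127.0.0.0/8"),   # loopback
]

QTYPE_ANY = 255


def source_is_internal(src_ip: str, networks=CLUSTER_NETWORKS) -> bool:
    """True if src_ip falls inside one of the permitted cluster networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query (RD set, one question, IN class)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes) -> Tuple[int, str, int]:
    """Parse the header and first question; returns (txid, qname, qtype).

    Raises ValueError for anything that is not a well-formed query, so the
    caller can drop it instead of forwarding garbage upstream.
    """
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:            # QR bit set: a response, not a query
        raise ValueError("not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated name")
        n = packet[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:              # compression pointers are not valid here
            raise ValueError("compressed label in question")
        labels.append(packet[off:off + n].decode("ascii"))
        off += n
    if len(packet) < off + 4:
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, ".".join(labels), qtype


def should_forward(src_ip: str, packet: bytes) -> Tuple[bool, str]:
    """Decide whether a query received from src_ip may go upstream.

    The source check comes first: an open resolver is useful to a reflection
    attacker regardless of what the query contains.
    """
    if not source_is_internal(src_ip):
        return False, "REFUSED: source outside cluster networks"
    try:
        _, qname, qtype = parse_query(packet)
    except ValueError as exc:
        return False, "DROP: malformed query (%s)" % exc
    if qtype == QTYPE_ANY:
        return False, "REFUSED: ANY query"
    return True, "FORWARD: %s type %d" % (qname, qtype)


if __name__ == "__main__":
    pkt = build_query("example.com", 1)
    for src in ("10.0.0.5", "198.51.100.7"):      # internal vs. internet source
        print(src, should_forward(src, pkt))
    print("10.0.0.5", should_forward("10.0.0.5", build_query("example.com", QTYPE_ANY)))
```

The same policy can be enforced one layer down as a defence in depth: a host firewall rule that only accepts UDP/TCP 53 from the cluster CIDRs means a forwarder bug cannot turn the node into an open resolver in the first place.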