Most ISPs do not check the source address of the packet it routes, only the destination. And DNS is mainly using UDP which does not require any handshaking to take place. So a normal DNS lookup consists of a single package from the client to the server and then the server sends a package with the response back to the address listed in the source field of the received package. A DNS reflection attack takes advantage of this by faking the source address of the first request to be that of the victim. The DNS server will then send a response to the victim thinking it was the source of the original request. And because DNS responses are usually bigger then requests the victim will receive a lot more traffic from DNS servers then the attacker will send to the DNS servers.