The way we did it in the Zonemaster project was to send the name server in question a SOA query with the RD flag set for the almost certainly non-existent name xx--domain-cannot-exist.xx--illegal-syntax-tld. If the response is NXDOMAIN, the name server has performed a recursive query and is therefore an open recursor. If the response is something else (REFUSED, SERVFAIL or referral to root are common) it is fine.
solved How to know if a DNS server is an open resolver?
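
The check described in the answer, written out as an added example (not part of the original answer and not Zonemaster's own code). The function names, the UDP/IPv4 transport and the timeout are assumptions; only the probe name, the SOA query type, the RD flag and the NXDOMAIN rule come from the answer.

```python
import os
import socket
import struct

# Probe name taken from the answer; everything else here is illustrative.
PROBE_NAME = "xx--domain-cannot-exist.xx--illegal-syntax-tld"
QTYPE_SOA, QCLASS_IN = 6, 1
FLAG_QR, FLAG_RD = 0x8000, 0x0100
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_probe(txid, name=PROBE_NAME):
    """Encode a SOA query for `name` with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)

def classify(response, txid):
    """Return (verdict, rcode name) for a raw reply to the probe."""
    if len(response) < 12:
        return ("invalid", None)
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & FLAG_QR:
        return ("invalid", None)  # wrong transaction ID, or not a response
    rcode = flags & 0x000F
    # NXDOMAIN means the server went and resolved the name: open recursor.
    verdict = "open-recursor" if rcode == 3 else "ok"
    return (verdict, RCODES.get(rcode, f"RCODE{rcode}"))

def check_server(server, port=53, timeout=3.0):
    """Send the probe over UDP to a name server you operate and classify the reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_probe(txid), (server, port))
            response, _ = sock.recvfrom(4096)
        except OSError:  # includes timeouts
            return ("no-response", None)
    return classify(response, txid)

def constructed_reply(query, rcode):
    """Constructed sample reply: echo the question with QR set and the given RCODE."""
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", txid, flags | FLAG_QR | rcode) + query[4:]

if __name__ == "__main__":
    q = build_probe(0x1234)
    for rcode in (3, 5, 2, 0):  # NXDOMAIN, REFUSED, SERVFAIL, NOERROR (e.g. referral)
        print(classify(constructed_reply(q, rcode), 0x1234))
```

A referral to root arrives as NOERROR with an empty answer section, so it falls under the "ok" verdict along with REFUSED and SERVFAIL.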