{"id":11915,"date":"2025-07-16T07:55:28","date_gmt":"2025-07-16T14:55:28","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=11915"},"modified":"2025-07-16T10:21:27","modified_gmt":"2025-07-16T17:21:27","slug":"dns-a-small-but-effective-c2-system","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/dns-a-small-but-effective-c2-system\/","title":{"rendered":"DNS: A Small but Effective C2 system"},"content":{"rendered":"<h3 style=\"margin-bottom:20px;\">Authors: Zafir Ansari and Darin Johnson<\/h3>\n<p>Often referred to as the \u201cphonebook of the internet,\u201d DNS translates domain names into IP addresses, allowing us to navigate the web. Its fundamental role in internet communication means DNS traffic routinely passes through corporate firewalls with minimal inspection.<\/p>\n<p>DNS tunneling involves encoding data within DNS queries and responses, creating a covert communication channel between a client and server. Cybercriminals leverage this method for purposes like command-and-control (C2) operations and data exfiltration, making it a concern for businesses and cybersecurity professionals alike. Understanding and mitigating DNS tunneling is no longer optional\u2014it is a necessity for safeguarding today\u2019s enterprises from evolving cyberthreats.<sup>1<\/sup><\/p>\n<p>In this blog, we will explore the fundamentals of DNS queries, illustrating how they typically function and how this essential process can be exploited for C2 operations and data exfiltration. We will also dive into the various families of DNS tunneling, shedding light on the techniques attackers use to bypass traditional defenses.<\/p>\n<p>To create a DNS C2 infrastructure, an actor must control a domain name\u2019s authoritative name server. Then, the malware on a victim system can perform periodic lookups of the domain, which, based on the responses, can cause the malware to perform different actions, such as performing a directory listing. 
The information from that directory listing can then be encoded as subdomain queries. Responses to those queries could be a simple acknowledgement of receipt or commands to perform additional actions. Because the malware uses the DNS system, there is no direct traffic between the malware client and the C2 server. Instead, the communication is sent through the victim system\u2019s recursive name server. Recursive name servers require the ability to communicate with authoritative name servers on the internet, so they will generally have permissive rules. Figure 1 shows the recursive DNS process, Figure 2 shows the packet capture of a DNS tunnel, and Table 1 shows a theoretical example of a DNS tunneling session.<\/p>\n<p>Several tools can perform DNS tunneling. Some of the most common are Cobalt Strike, DNSCat, Iodine, Pupy, and DNS Exfiltrator.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/dns-a-small-but-effective-c2-system-image-1.jpg\" alt=\"Figure 1. The typical process of how DNS operates\" \/><\/p>\n<p class=\"image-caption\">Figure 1. The typical process of how DNS operates<\/p>\n<p>As shown in Figure 1, when a client requests the IP address for a domain, the request is sent to a DNS recursive resolver. This resolver initiates a series of queries, starting with the top-level domain (TLD) server, which provides the address for the second-level domain (SLD). The process continues recursively until the resolver reaches the authoritative nameserver for the fully qualified domain name (FQDN). The authoritative nameserver responds with the requested information, which could be an A record (IPv4 address), AAAA record (IPv6 address), TXT record (free form text), CNAME record (canonical domain name), or another type of record. The recursive resolver then returns this response to the client while caching both the query and the response for the specified time to live (TTL), ensuring faster responses for future requests. 
<\/p>\n<table >\n<thead>\n<tr>\n<th>Type<\/th>\n<th>DNS String<\/th>\n<th>Decoded Content<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Request<\/td>\n<td>\n        757365726e616d653a20616e64792<br \/>\n        c2.070617373776f72643a20313233<br \/>\n        78797a6162632e.example.com\n      <\/td>\n<td>username: andy, password: 123xyzabc.<\/td>\n<\/tr>\n<tr>\n<td>Response<\/td>\n<td>\n        ON2WI3ZAOJWSAL3FORRS643I<br \/>\n        MFSG65YK\n      <\/td>\n<td>Sudo rm \/etc\/shadow (delete password file)<\/td>\n<\/tr>\n<tr>\n<td colspan=\"3\">Table 1. An example encoded DNS tunnel query\/response using TXT records<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>A subdomain such as <span class=\"code-format\">757365726e616d653a20616e64792c2.070617373776f72643a2031323378797a6162632e.example[.]com<\/span> could be decoded to reveal sensitive information such as \u201cusername: andy, password: 123xyzabc.\u201d The server\u2019s response might include a TXT record like \u201cON2WI3ZAOJWSAL3FORRS643IMFSG65YK,\u201d which, when decoded, could instruct the client to perform an action, such as sudo rm \/etc\/shadow. Similarly, attackers can encode and exfiltrate larger data, such as files, in smaller chunks using DNS, and upload malware through responses.<\/p>\n<p>It is important to note that C2 communication does not have to rely solely on TXT responses. Any DNS record type can be used as long as there is a consistent encoding. Common record types seen for DNS tunnels are A, AAAA, TXT, CNAME, and MX. See <a href=\"https:\/\/en.wikipedia.org\/wiki\/List_of_DNS_record_types\" target=\"_blank\" rel=\"noopener\"><strong>List of DNS record types (Wikipedia)<\/strong><\/a> for a complete list of DNS record types.<\/p>\n<p>Infoblox\u2019s Threat Insight machine learning algorithms<sup>2<\/sup> detect and block tunneling domains within the first few minutes of a tunnel becoming active. 
Generally, this happens before the handshake is completed and definitely prior to malicious C2 or exfiltration. While Threat Insight provides real-time detection on DNS tunnels in our customer networks, Infoblox Threat Intel has additional batch algorithms to detect DNS tunnels. Here we focus on our Threat Insight detector.<\/p>\n<p>Actors may choose to develop their own tunneling software or use common open-source tools. We group these open-source tools into DNS tunneling families. Over the past two years, we surveyed which families were most prevalent in our customer traffic. Table 2 provides an overview of some of these families, many of which have been leveraged in real-world attacks.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/dns-a-small-but-effective-c2-system-image-2.jpg\" alt=\"Figure 2: Packet capture displayed in Wireshark file exfiltration\" \/><\/p>\n<p class=\"image-caption\">Figure 2: Packet capture displayed in Wireshark file exfiltration<\/p>\n<table>\n<thead>\n<tr>\n<th>Family<\/th>\n<th>Example Queries<\/th>\n<th>Unique Domains (%)<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/www.cobaltstrike.com\/\" target=\"_blank\" rel=\"noopener\"><strong>Cobalt Strike<\/strong><\/a><\/td>\n<td class=\"code-format\">post.a34.cde343de.a1b2c3d4.domain[.]com<\/td>\n<td>26%<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/github.com\/iagox86\/dnscat2\" target=\"_blank\" rel=\"noopener\"><strong>DNSCat2<\/strong><\/a><\/td>\n<td class=\"code-format\">67b1017285c8d258ff8d02000cf8da0d6e.domain<br \/>\n        [.]com<\/td>\n<td>13%<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/github.com\/Arno0x\/DNSExfiltrator\" target=\"_blank\" rel=\"noopener\"><strong>DNS Exfiltrator<\/strong><\/a><\/td>\n<td class=\"code-format\">1.yqa5rey3ncqdozqvves3fvdutle7kkcnxntxzxg<br \/>\n        26s7yrfsdwncleip6irihksb.pbkyozoc5q2ne6ey<br \/>\n        5cgedjmteocypbv7hrpk2ge3mzauakbhg5kvjbsvv<br \/>\n        
asov33.o25jv4gfntbulxvidykra6gua6q5kte2sf<br \/>\n        qiq7tf7jbdpexbaonxwx6lpak7eye.wmrp655fmvm<br \/>\n        onexlccsxclbd7ynu7htzqjpjf.domain[.]com<\/td>\n<td>15%<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/github.com\/BishopFox\/sliver\" target=\"_blank\" rel=\"noopener\"><strong>Sliver<\/strong><\/a><\/td>\n<td class=\"code-format\">Lpgekzzgoeqhrhaugtulrdbtbpgdzqpzmv8ieq26h<br \/>\n        b6tq8rdscexk2atbhbizpx.ngpc4isa77znjl3afc<br \/>\n        ljkswcru2tjrue8uippsywo5wciwx3iepklapemze<br \/>\n        bknv.bl37n83glutyxfgjxlvplcnyn.domain[.]c<br \/>\n        om<\/td>\n<td>12%<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/github.com\/facebookarchive\/WEASEL\" target=\"_blank\" rel=\"noopener\"><strong>Weasel<\/strong><\/a><\/td>\n<td class=\"code-format\">feiq-<br \/>\n        zb3xgodutf25v7vtcsk5dxh7awwww.9c.21f9.dom<br \/>\n        ain[.]com<\/td>\n<td>2%<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/github.com\/n1nj4sec\/pupy\" target=\"_blank\" rel=\"noopener\"><strong>Pupy<\/strong><\/a>*<\/td>\n<td class=\"code-format\">Y12rmhy9.chu5zj1hwsylrrq46fxf442yf62a9999<br \/>\n        .bla3rzp4nnwrfmnn2a3m3xa9[.]domain.com<\/td>\n<td>7% *<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/github.com\/yarrick\/iodine\" target=\"_blank\" rel=\"noopener\"><strong>Iodine<\/strong><\/a><\/td>\n<td class=\"code-format\">1i5a5xl2ojglpzzggwqlqmfea4100yk2zi3nal14s<br \/>\n        y3uvbadxu2uugmnbrmmat.gprzfx451baplinw3rx<br \/>\n        11og003leilo3pq5mz1uojs34xxc3swo2d1cwh.uj<br \/>\n        xb4cpux1w21qzbdkwmvswr5n2fxjb2kvwfqtdnfni<br \/>\n        dqnkrgjfhzcero.g45tgfvbfmzgu55cckomjgepef<br \/>\n        yqtk2acpkekqdgzj00q5dk4nzt4o0[.]domain.co<br \/>\n        m<\/td>\n<td>24%<\/td>\n<\/tr>\n<tr>\n<td colspan=\"3\">\n        Table 2. 
Common families of DNS tunneling seen within customer traffic with typical query<br \/>\n        patterns and their detection rates across open-source security tools\n      <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>*Pupy was seen in our customer traffic, but indirectly through internet scanners. See our work on <a href=\"\/threat-intelligence\/cyber-threat-advisory\/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic\/\" target=\"_self\" rel=\"noopener\"><strong>Decoy Dog<\/strong><\/a>. <\/p>\n<p><a href=\"https:\/\/www.cobaltstrike.com\/\" target=\"_self\" rel=\"noopener\"><strong>Cobalt Strike<\/strong><\/a> is a popular pen test tool which has a DNS C2 module. It is commonly used by red teams and threat actors.<sup>3<\/sup> It uses hex encoded queries with optional and customizable words prepended, such as \u201cpost,\u201d \u201capi,\u201d or \u201cdx.\u201d It performs beaconing using A records and C2, and exfiltration using TXT records. <\/p>\n<p><a href=\"https:\/\/github.com\/iagox86\/dnscat2\" target=\"_blank\" rel=\"noopener\"><strong>DNSCat2<\/strong><\/a> is a lightweight tool designed for creating encrypted DNS tunnels, commonly used by penetration testers and occasionally abused by attackers for stealthy data exfiltration. It is included within METASPLOIT, an open-source pen test tool. DNSCat2 can operate using a variety of query types, including A, TXT, CNAME, and MX records.  <\/p>\n<p><a href=\"https:\/\/github.com\/Arno0x\/DNSExfiltrator\" target=\"_blank\" rel=\"noopener\"><strong>DNS Exfiltrator<\/strong><\/a> is a proof-of-concept tool that encodes data into DNS queries for exfiltration, demonstrating the risks of DNS misuse in real-world scenarios. It uses TXT records, provides only one-directional communication, and is started via the command line. While we have seen this used to test our DNS tunneling detection, we have not seen it used by a threat actor and deem it impractical given the one-directional mechanism. 
<\/p>\n<p><a href=\"https:\/\/github.com\/BishopFox\/sliver\" target=\"_blank\" rel=\"noopener\"><strong>Sliver<\/strong><\/a> is a cross-platform C2 framework with DNS tunneling capabilities, frequently utilized in adversary simulations and malicious campaigns.  <\/p>\n<p><a href=\"https:\/\/github.com\/facebookarchive\/WEASEL\" target=\"_blank\" rel=\"noopener\"><strong>Weasel<\/strong><\/a> is a less-documented DNS tunneling tool developed by Facebook\u2019s Red Team that supports stealthy data exfiltration and C2, typically used in niche red teaming engagements. It uses A and AAAA records for communications. <\/p>\n<p><a href=\"https:\/\/github.com\/n1nj4sec\/pupy\" target=\"_blank\" rel=\"noopener\"><strong>Pupy<\/strong><\/a> is an open-source, multi-platform RAT with DNS tunneling support, historically leveraged in espionage campaigns against government and corporate entities. It uses A records for communications. <\/p>\n<p><a href=\"https:\/\/github.com\/yarrick\/iodine\" target=\"_blank\" rel=\"noopener\"><strong>Iodine<\/strong><\/a> is a well-known tool for tunneling IPv4 traffic over DNS, used in penetration tests and sometimes abused in attacks, such as by nation-state actors for C2 purposes. Iodine uses A, TXT, CNAME, and MX records to communicate. <\/p>\n<p>One useful observation we made during this study was that all these families had highly distinctive signatures in the queries and responses they used. We incorporated these signatures at our Threat Defense Recursive DNS Resolver, which allowed us to improve the time to detect of our Threat Insight machine learning algorithms from one to two minutes to less than five seconds. This reduces the number of potential queries to fewer than 10, which eliminates even small amounts of exfiltration.  
<\/p>\n<p>In addition to the families described above, we found several other tunnels, including automated and custom pen test tools, anti-virus, anti-spam, as well as DNS tunneling demonstration tools from security vendors. <\/p>\n<p>Antivirus and antispam tools use DNS as a mechanism to determine if a domain or file hash may be malicious. A query may be of the form: \u201c&lt;domain&gt;.&lt;guid&gt;.&lt;avdomain&gt;\u201d or \u201c&lt;file hash&gt;.&lt;guid&gt;.&lt;avdomain&gt;\u201d with the response being NXDOMAIN if the domain or file hash is not in a known malware or spam list, or \u201c127.0.0.X\u201d if it is in such a list. One might consider this to be an actual DNS tunnel. In <a href=\"https:\/\/insights.sei.cmu.edu\/library\/detecting-dns-tunneling-using-behavioral-and-content-metadata-features\/\" target=\"_blank\" rel=\"noopener\"><strong>Detecting DNS Tunneling Using Behavioral and Content Metadata Features<\/strong><\/a>, we showed that one could train on such domains and recover tunnels such as Cobalt Strike and DNSCat2. Infoblox maintains lists of antivirus and antispam tools to avoid blocking generally useful tools. We also use them to ensure our machine learning-based tunneling algorithms are sufficiently robust to be able to detect tunnels other than those in our training set. <\/p>\n<p>Several automated pen testing tools, such as <a href=\"https:\/\/cymulate.com\/\" target=\"_blank\" rel=\"noopener\"><strong>Cymulate<\/strong><\/a> and <a href=\"https:\/\/www.attackiq.com\/\" target=\"_blank\" rel=\"noopener\"><strong>AttackIQ<\/strong><\/a>, have appeared. We see these tools\u2019 domains detected on our customer networks regularly. We specifically do not use them for training, add them to block lists or signature them. We rely solely on our machine learning algorithms to detect those domains. <\/p>\n<p>Many customers chose to write their own tools for DNS tunneling to test our software. 
Most resemble DNS Exfiltrator in that they are one-directional exfiltration channels. Some have taken to using unsuccessful responses, such as NXDOMAIN and SERVFAIL. This requires a careful balancing act as one could also perform tunnel-like queries to legitimate domains and thereby cause the resolver to block all queries to a legitimate domain. To solve this problem, we ensure positive control of the name servers of the domain and otherwise downgrade the detection from DNS tunneling to DNS tunneling notional; we recommend that such events be logged rather than blocked.  <\/p>\n<p>We have seen a few customers attempt to create bidirectional DNS tunneling tests; one interesting find included a detection event for a domain using the queries and responses in Table 3.<\/p>\n<table>\n<thead>\n<tr>\n<th>Query Type<\/th>\n<th>Query Prefix<\/th>\n<th>Query Answer<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>16<\/td>\n<td>cgluzzey.t1.&lt;redacted&gt;<\/td>\n<td>\u201chello\u201d<\/td>\n<\/tr>\n<tr>\n<td>16<\/td>\n<td>cgluzzey.t1.&lt;redacted&gt;<\/td>\n<td>\u201cwhoami\u201d<\/td>\n<\/tr>\n<tr>\n<td>16<\/td>\n<td>cgluzzey.t1.&lt;redacted&gt;<\/td>\n<td>\u201cls -lsa\u201d<\/td>\n<\/tr>\n<tr>\n<td>16<\/td>\n<td>cgluzzey.t1.&lt;redacted&gt;<\/td>\n<td>\u201ccat \/etc\/shadow\u201d<\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>etrvrq.ciwsldovcnvul3n5c3rlbwq6l3vzci9zymlul25v.t1.&lt;redacted&gt;<\/td>\n<td>12.12.12.3<\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>jxfszd.mgpetlnfegzpbhryyxrvcgpkbnnwb3quymlucmru.t1.&lt;redacted&gt;<\/td>\n<td>12.12.12.3<\/td>\n<\/tr>\n<tr>\n<td>16<\/td>\n<td>cgluzzey.t1.&lt;redacted&gt;<\/td>\n<td>\u201caGVsbG8\u201d<\/td>\n<\/tr>\n<tr>\n<td colspan=\"3\">Table 3. Example queries from a custom DNS tunnel<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>We performed queries for domains with responses \u201cwhoami,\u201d and discovered two additional domains, which were also detected as tunnels earlier. 
In total, the unique answers included: \u201chostname\u201d, \u201cls\u201d, \u201caWQ\u201d, \u201cpwd\u201d, \u201cls -lsa\u201d, \u201coa\u201d, \u201cwhoami\u201d, \u201ctest\u201d, \u201chello\u201d, \u201ccat \/etc\/passwd\u201d, \u201cuname -a\u201d, \u201cwhoamid\u201d, \u201cd\u201d, \u201cia\u201d, \u201ccHdk\u201d, \u201cls -lsa \/\u201d, \u201cwhoama\u201d, \u201caGVsbG8\u201d, \u201cwhoamd\u201d, \u201cbHM\u201d, \u201ccat test.txt\u201d, \u201ccat \/etc\/shadow\u201d, \u201coda\u201d,  \u201cls\u201d, \u201cexit\u201d, \u201cao\u201d, \u201cls \/\u201d, \u201ccat test.py\u201d, \u201cid\u201d, \u201cwasdasd\u201d. Later, we saw the domains with the CNAME requests and Base64 encoding. <\/p>\n<p>Finally, we sometimes see our customers use our competitors\u2019 DNS tunneling tools. On September 17, 2024, we observed a domain <span class=\"code-format\">paioaltonetworks[.]tech<\/span> in our DNS exfiltration detection system, Threat Insight. At first, we thought this might be a false positive or the result of a mistyped URL in an application. However, on inspection the queries looked like: <\/p>\n<p><span class=\"code-format\">Mf9q7qgqmy003024muqg4zlxebwgk5tfnrzsa33g.paioaltonetworks[.]tech<\/span><\/p>\n<p><span class=\"code-format\">Mf9q7qgqmy006024or3w64tlebugk4tpmvzs4icp.paioaltonetworks[.]tech<\/span><\/p>\n<p><span class=\"code-format\">Mf9q7qgqmy001024ivwxa33xmvzca6lpovzcasku.paioaltonetworks[.]tech<\/span><\/p>\n<p>In addition, we noticed its name servers were <span class=\"code-format\">ns1.paioaltonetworks[.]tech<\/span> and <span class=\"code-format\">ns2.paioaltonetworks[.]tech<\/span>, and it was registered in January 2024 with OVH.  <\/p>\n<p>Within one minute of the initial queries, the domain was blocked. We then looked at the domain in Domain Tools. Here we noted that the domain has a low-risk score of 23 out of 100. 
This is not particularly odd for domains used in DNS exfiltration, unless there is previously published work on the domain in question. <\/p>\n<p>Domain Tools allows us to dig deeper into investigating the domain in question using a powerful tool: the registration pivot engine. Using the pivot engine, we observed the registrant organization is Efficient IP and there are nine other domains associated with the registrant, including <span class=\"code-format\">rockitwith[.]me<\/span>, <span class=\"code-format\">paioaltonetworks[.]tech<\/span>, <span class=\"code-format\">nicecricket[.]online<\/span>, <span class=\"code-format\">framatech[.]online<\/span>, <span class=\"code-format\">melenchon[.]online<\/span>, <span class=\"code-format\">redfusion[.]xyz<\/span>, <span class=\"code-format\">efficientip[.]io<\/span>, <span class=\"code-format\">dga[.]how<\/span>, <span class=\"code-format\">efficientip[.]net<\/span>, <span class=\"code-format\">efficientip[.]org<\/span>, <span class=\"code-format\">infobiox[.]com<\/span>, <span class=\"code-format\">efficientip[.]it<\/span>, <span class=\"code-format\">efficientip[.]at<\/span>, <span class=\"code-format\">efficientip[.]com<\/span>, and <span class=\"code-format\">dns-blast[.]com<\/span>.  All domains were registered with Gandi or OVH. <\/p>\n<p>The website <a href=\"https:\/\/www.efficientip.com\" target=\"_blank\" rel=\"noopener\"><strong>https:\/\/www.efficientip.com<\/strong><\/a> advertises Efficient IP, which offers DNS, DHCP, and IP management solutions similar to Infoblox. <\/p>\n<p>We observed that the domains <span class=\"code-format\">rockitwith[.]me<\/span>, <span class=\"code-format\">paioaltonetworks[.]tech<\/span>, and <span class=\"code-format\">nicecricket[.]online<\/span> were all detected as DNS exfiltration by our streaming detection algorithms in Threat Insight and as suspicious\/potential exfiltration by our batch Threat Intel algorithms. 
<\/p>\n<p>The domains <span class=\"code-format\">melenchon[.]online<\/span>, <span class=\"code-format\">dga[.]how<\/span>,  <span class=\"code-format\">framatech[.]online<\/span>, <span class=\"code-format\">redfusion[.]xyz<\/span>, and <span class=\"code-format\">dns-blast[.]com<\/span> were not seen in Infoblox DNS traffic. Many of these domains have nameservers of the form \u201cns1.exf.&lt;domain&gt;.\u201d This domain structure resembles that of <span class=\"code-format\">hack53[.]shop<\/span>, which was detected as DNS exfiltration in 2022. <\/p>\n<p>Combining DNS exfiltration and lookalike domains is a common tactic used by both malicious actors, such as Side Winder, and pen testers, and we have noticed an uptick in the combination in 2024. Infoblox leads the industry in state-of-the-art techniques to detect both these behaviors and more with Infoblox Threat Defense\u2122. <\/p>\n<p>Due to the lookalike nature of <span class=\"code-format\">paioaltonetworks[.]tech<\/span> and <span class=\"code-format\">infobiox[.]com<\/span> we did add these to our suspicious feeds. 
We continue to rely on our machine learning-based detections for the other Efficient IP domains.<\/p>\n<h3 style=\"font-size: 18px;\">Footnotes:<\/h3>\n<ol style=\"font-size: 14px;\">\n<li><a href=\"https:\/\/www.infoblox.com\/glossary\/dns-tunneling\/\" target=\"_blank\" rel=\"noopener\"><strong>What Is DNS Tunneling?<\/strong><\/a>, Infoblox.<\/li>\n<li><a href=\"https:\/\/insights.sei.cmu.edu\/library\/detecting-dns-tunneling-using-behavioral-and-content-metadata-features\/\" target=\"_blank\" rel=\"noopener\"><strong>Detecting DNS Tunneling Using Behavioral and Content Metadata Features<\/strong><\/a>, Johnson, Darin, Software Engineering Institute, Carnegie Mellon University, February 6, 2023.<\/li>\n<li><a href=\"\/threat-intelligence\/dns-early-detection-cobalt-strike-dns-c2\/\" target=\"_self\" rel=\"noopener\"><strong>DNS Early Detection &#8211; Cobalt Strike DNS C2<\/strong><\/a>, Zuckerman, Michael, Infoblox, March 22, 2024.<\/li>\n<\/ol>\n<style>.code-format {font-family: 'Courier New';}\n.image-caption{font-size: 12px;}\n.list-spacing li{margin-bottom:20px} ol.list-spacing > li::marker {font-weight: 700;}\n.entry-content ul.list-spacing ul > li {list-style-type: square;}\n<\/style>\n","protected":false},"excerpt":{"rendered":"<p>Authors: Zafir Ansari and Darin Johnson Often referred to as the \u201cphonebook of the internet,\u201d DNS translates domain names into IP addresses, allowing us to navigate the web. Its fundamental role in internet communication means DNS traffic routinely passes through corporate firewalls with minimal inspection. 
DNS tunneling involves encoding data within DNS queries and responses, [&hellip;]<\/p>\n","protected":false},"author":418,"featured_media":11934,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[2],"tags":[247,1004,106,1253,461,1254],"class_list":{"0":"post-11915","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security","8":"tag-dns-tunneling","9":"tag-dns-c2","10":"tag-data-exfiltration","11":"tag-bypassing-firewalls","12":"tag-cobalt-strike","13":"tag-detecting-dns-command-and-control","14":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>DNS: A Small but Effective C2 system<\/title>\n<meta name=\"description\" content=\"Often referred to as the \u201cphonebook of the internet,\u201d DNS translates domain names into IP addresses, allowing us to navigate the web. 
Its fundamental role in internet communication means DNS traffic routinely passes through corporate firewalls with minimal inspection.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/security\/dns-a-small-but-effective-c2-system\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DNS: A Small but Effective C2 system\" \/>\n<meta property=\"og:description\" content=\"Often referred to as the \u201cphonebook of the internet,\u201d DNS translates domain names into IP addresses, allowing us to navigate the web. Its fundamental role in internet communication means DNS traffic routinely passes through corporate firewalls with minimal inspection.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/security\/dns-a-small-but-effective-c2-system\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-16T14:55:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-16T17:21:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dns-a-small-but-effective-c2-system-thumbnail.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"408\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Zafir Ansari\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"DNS: A Small but Effective C2 system\" \/>\n<meta name=\"twitter:description\" content=\"Often referred to as the \u201cphonebook of the internet,\u201d DNS translates domain names into IP addresses, allowing us to navigate the web. 
Its fundamental role in internet communication means DNS traffic routinely passes through corporate firewalls with minimal inspection.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/dns-a-small-but-effective-c2-system-thumbnail.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Zafir Ansari\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-a-small-but-effective-c2-system\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-a-small-but-effective-c2-system\\\/\"},\"author\":{\"name\":\"Zafir Ansari\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/98c7379e7013c08a1f013133925bb24d\"},\"headline\":\"DNS: A Small but Effective C2 system\",\"datePublished\":\"2025-07-16T14:55:28+00:00\",\"dateModified\":\"2025-07-16T17:21:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-a-small-but-effective-c2-system\\\/\"},\"wordCount\":2368,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-a-small-but-effective-c2-system\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/dns-a-small-but-effective-c2-system-thumbnail.jpg\",\"keywords\":[\"DNS Tunneling\",\"DNS C2\",\"Data Exfiltration\",\"Bypassing Firewalls\",\"Cobalt Strike\",\"Detecting DNS Command and 
Control\"],\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-a-small-but-effective-c2-system\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-a-small-but-effective-c2-system\\\/\",\"name\":\"DNS: A Small but Effective C2 system\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-a-small-but-effective-c2-system\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-a-small-but-effective-c2-system\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/dns-a-small-but-effective-c2-system-thumbnail.jpg\",\"datePublished\":\"2025-07-16T14:55:28+00:00\",\"dateModified\":\"2025-07-16T17:21:27+00:00\",\"description\":\"Often referred to as the \u201cphonebook of the internet,\u201d DNS translates domain names into IP addresses, allowing us to navigate the web. 
Its fundamental role in internet communication means DNS traffic routinely passes through corporate firewalls with minimal inspection.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-a-small-but-effective-c2-system\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-a-small-but-effective-c2-system\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-a-small-but-effective-c2-system\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/dns-a-small-but-effective-c2-system-thumbnail.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/dns-a-small-but-effective-c2-system-thumbnail.jpg\",\"width\":612,\"height\":408},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-a-small-but-effective-c2-system\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"DNS: A Small but Effective C2 
system\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/98c7379e7013c08a1f013133925bb24d\",\"name\":\"Zafir Ansari\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/zafir-ansari-headshot-96x96.jpg\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/zafir-ansari-headshot-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/zafir-ansari-headshot-96x96.jpg\",\"caption\":\"Zafir Ansari\"},\"description\":\"Zafir is a Data Scientist at Infoblox, where he advances the frontiers of AI-powered cybersecurity through both 
product development and fundamental research. His work ranges from building production threat detection systems to exploring novel approaches that push the boundaries of network security\u2014employing everything from neural networks to graph algorithms. Before joining Infoblox in 2024, Zafir completed his Master's degree at Northwestern University on a full fellowship, conducting research at the intersection of internet measurement and artificial intelligence. He previously contributed to cutting-edge research at the Internet Security and Privacy Lab.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/zafir-ansari\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->"}