DNS Protocols
Adversaries leverage the DNS protocol suite for command and control (C2) as part of their strategy to deepen control within compromised environments. Following initial access and establishment of a foothold, threat actors exploit the ubiquitous nature of DNS traffic, which is permitted in most network environments and frequently lacks deep packet inspection, to establish covert communication channels between compromised systems and their command infrastructure. This C2 approach involves encoding commands within DNS queries (such as TXT, MX, or A records) and extracting responses from DNS resolution replies, effectively tunnelling command traffic through a protocol that security controls typically allow with minimal scrutiny. DNS-based C2 channels benefit from the protocol's hierarchical resolution process, which may involve multiple nameservers, giving adversaries opportunities to obscure the true destination of their communications. Advanced implementations may incorporate DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to add an encryption layer, further complicating detection by security monitoring systems designed to inspect plaintext DNS traffic.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1037 | Filter Network Traffic | Enforce all outbound DNS through approved enterprise resolvers and block queries to newly-registered, fast-flux, or known-malicious domains. Inspect and, where policy permits, restrict DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) to prevent encrypted tunnelling channels. |
| M1031 | Network Intrusion Prevention | Deploy IDS/IPS signatures and ML analytics that recognise DNS tunnelling patterns such as high-entropy sub-domains, unusually large TXT/NULL records, or beacon-like query timing, automatically dropping or throttling suspect sessions. |
| M1030 | Network Segmentation | Isolate critical servers and prohibit direct external DNS look-ups; permit only designated forwarders to recurse on the Internet, limiting an adversary's ability to reach external C2 infrastructure via DNS. |
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0029 | Network Traffic Content | Inspect query/response payloads for long or high-entropy sub-domains, excessive record lengths, or atypical resource-record types indicative of data exfiltration/tunnelling. Decrypt and analyse DoH/DoT where feasible. |
| DS0029 | Network Traffic Flow | Baseline normal DNS request volume and interval per host; alert when a workstation generates periodic queries to first-seen or low-reputation domains, or when total DNS traffic size greatly exceeds historical norms. |
| DS0038 | Domain Name | Monitor resolutions to dynamic-DNS, algorithmically generated, or newly-registered domains and correlate with subsequent outbound connections from the same process to expose C2 establishment. |
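The Network Traffic Content and Network Traffic Flow rows above describe heuristics rather than code. The following is an added example, not part of the original page or of any vendor product, showing how those heuristics can be run over DNS query logs: Shannon entropy and length of the leading label, large TXT/NULL responses, and near-constant inter-query intervals per client and domain. The log format (`<epoch> <client> <qname> <qtype> <response_bytes>`), the sample lines, the domain names and all thresholds are constructed assumptions; the registered-domain helper takes the last two labels and does not consult a public-suffix list.

```python
"""DNS tunnelling / DNS C2 detection heuristics (added example, assumptions labelled)."""
import math
import statistics
from collections import defaultdict

# Constructed sample log: 10.0.0.5 queries a tunnel domain every 30 s with long,
# base64-looking labels and large TXT answers; 10.0.0.7 shows ordinary lookups.
SAMPLE_LOG = """\
1700000000 10.0.0.7 www.example.com A 80
1700000010 10.0.0.7 mail.example.com MX 120
1700000000 10.0.0.5 ZXhmaWx0cmF0ZWQtZGF0YS0x.tun.example-c2.test TXT 900
1700000030 10.0.0.5 dGhpcy1pcy1jaHVuay0yLXh4.tun.example-c2.test TXT 870
1700000060 10.0.0.5 Y2h1bmstMy1hYmNkZWZnaGlq.tun.example-c2.test TXT 910
1700000090 10.0.0.5 a2xtbm9wcXJzdHV2d3h5ejAx.tun.example-c2.test TXT 890
1700000120 10.0.0.5 MjM0NTY3ODkwYWJjZGVmZ2hp.tun.example-c2.test TXT 905
1700000035 10.0.0.7 cdn.example.com A 96
"""

# Illustrative thresholds (assumptions; tune against your own baseline)
ENTROPY_THRESHOLD = 3.5      # bits/char; human-chosen labels are usually lower
LABEL_LEN_THRESHOLD = 20     # characters in the leading label
LARGE_RESPONSE_BYTES = 512   # classic UDP DNS payload limit
SUSPECT_QTYPES = {"TXT", "NULL"}
MIN_BEACON_QUERIES = 4       # need enough samples before calling it periodic
BEACON_JITTER_RATIO = 0.2    # stdev/mean of inter-query gaps below this = periodic


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate registered domain = last two labels (assumption, no PSL lookup)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse the constructed log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, size = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname,
                        "qtype": qtype, "size": int(size)})
    return records


def content_findings(records: list) -> list:
    """Per-query checks (Network Traffic Content): entropy, label length,
    and large answers for record types commonly abused for tunnelling."""
    findings = []
    for r in records:
        first_label = r["qname"].split(".")[0]
        reasons = []
        if shannon_entropy(first_label) > ENTROPY_THRESHOLD:
            reasons.append("high-entropy label")
        if len(first_label) > LABEL_LEN_THRESHOLD:
            reasons.append("long label")
        if r["qtype"] in SUSPECT_QTYPES and r["size"] > LARGE_RESPONSE_BYTES:
            reasons.append("large %s response" % r["qtype"])
        if reasons:
            findings.append((r["client"], r["qname"], reasons))
    return findings


def beacon_findings(records: list) -> list:
    """Per (client, domain) timing check (Network Traffic Flow): flag series whose
    inter-query gaps are nearly constant, i.e. beacon-like."""
    series = defaultdict(list)
    for r in records:
        series[(r["client"], registered_domain(r["qname"]))].append(r["ts"])
    findings = []
    for (client, domain), times in series.items():
        if len(times) < MIN_BEACON_QUERIES:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter < BEACON_JITTER_RATIO:
            findings.append((client, domain, round(mean, 1)))
    return findings


def analyse(text: str = SAMPLE_LOG) -> dict:
    """Run both detection passes and return their findings."""
    records = parse_log(text)
    return {"content": content_findings(records),
            "beacons": beacon_findings(records)}


if __name__ == "__main__":
    for section, items in analyse().items():
        print(section)
        for item in items:
            print("  ", item)
```

On the sample log the content pass flags all five queries from 10.0.0.5 (long, high-entropy labels and TXT answers above 512 bytes) and none from 10.0.0.7, while the timing pass reports a 30-second beacon from 10.0.0.5 to the tunnel domain. In production the entropy and length thresholds should be set from a per-environment baseline, since CDN and cloud hostnames also produce long random-looking labels; correlating both passes with the Domain Name row (first-seen or newly-registered domains) keeps false positives down.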