DNS Protocols
Adversaries use the DNS protocol for command and control (C2) as part of their effort to deepen control within a compromised environment. Once initial access and a foothold have been established, threat actors exploit the ubiquity of DNS traffic, which most network environments permit and rarely subject to deep packet inspection, to build covert communication channels between compromised systems and their command infrastructure. In this approach, commands and data are encoded in DNS queries (for example, in requests for TXT, MX, or A records) and responses are extracted from the resolution replies, effectively tunneling C2 traffic through a protocol that security controls typically allow with minimal scrutiny. DNS-based C2 channels also benefit from the protocol's hierarchical resolution process, which may route a query through several nameservers before it reaches the adversary-controlled server, giving adversaries opportunities to obscure the true destination of their communications. More advanced implementations may add an encryption layer using DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT), further complicating detection by security monitoring systems designed to inspect plaintext DNS traffic.
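The following is an added detection example, not part of the original page: it profiles resolver query logs for the traits the text describes (encoded data in query names, a preference for TXT records, many never-repeated subdomains under one apex domain). The log format, the sample lines and the thresholds are constructed assumptions, and the apex-domain heuristic (last two labels) stands in for a proper public-suffix list.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines (assumed format: "<time> <client> <qtype> <qname>").
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 TXT 7a3f9c1e2b4d6f8a0c1e3b5d7f9a1c3e.cdn-updates.net
2024-01-01T10:00:03 10.0.0.5 TXT 9b2e4d6f8a0c1e3b5d7f9a1c3e5b7d9f.cdn-updates.net
2024-01-01T10:00:04 10.0.0.5 TXT 1c3e5b7d9f0a2c4e6b8d0f2a4c6e8b0d.cdn-updates.net
2024-01-01T10:00:05 10.0.0.5 TXT 3e5b7d9f0a2c4e6b8d0f2a4c6e8b0d1f.cdn-updates.net
2024-01-01T10:00:06 10.0.0.7 A mail.example.com
2024-01-01T10:00:07 10.0.0.7 MX example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded/encrypted payloads sit near the top of the range."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def apex_domain(qname):
    # Assumption: apex is the last two labels; production code should use a public-suffix list.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def profile_domains(log_text):
    """Aggregate per-apex counters: total queries, TXT queries, unique subdomains, label entropies."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set(), "entropies": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing the whole run
        _, _, qtype, qname = parts
        apex = apex_domain(qname)
        s = stats[apex]
        s["queries"] += 1
        s["txt"] += qtype.upper() == "TXT"
        sub = qname[: -len(apex) - 1] if len(qname) > len(apex) else ""
        if sub:
            s["subdomains"].add(sub)
            s["entropies"].append(shannon_entropy(sub.split(".")[0]))  # leftmost label carries payload
    return stats

def flag_suspicious(stats, min_queries=3, entropy_threshold=3.0, txt_ratio=0.5, unique_ratio=0.8):
    """Return {apex: [reasons]} for domains whose query pattern matches DNS-tunneling traits."""
    flagged = {}
    for apex, s in stats.items():
        if s["queries"] < min_queries:
            continue  # too little data to judge
        avg_entropy = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        reasons = []
        if avg_entropy >= entropy_threshold:
            reasons.append(f"high label entropy ({avg_entropy:.2f} bits)")
        if s["txt"] / s["queries"] >= txt_ratio:
            reasons.append("TXT-heavy query mix")
        if len(s["subdomains"]) / s["queries"] >= unique_ratio:
            reasons.append("mostly unique subdomains")
        if reasons:
            flagged[apex] = reasons
    return flagged
```

These heuristics depend on visibility into the queries themselves, so when clients use DoH or DoT the logs must come from the enterprise resolver or from endpoint telemetry rather than from network capture.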