baswheel.blogg.se

Wireshark capture filter to specific top level domain
Leverage frequency analysis to identify systems using DNS for C2.

Many command & control (C2) channels communicate directly with an attacker-controlled system. This makes it easier to detect and track down. DNS based C2 is different as the communication utilizes the DNS infrastructure to communicate instead.

A normal DNS request for goes like this:

    Recursive NS->Google NS: A for ?

Everything going on might not yet be clear, but there are two things to notice first. The Client (your computer) only talks with its configured Recursive Name Server (NS). This name server is usually given to your computer when it connects to a network through DHCP, though you can also set your DNS servers manually. For instance, you may choose to use one of the servers provided by large companies such as Cloudflare (1.1.1.1) or Google (8.8.8.8).

Behind the scenes, your Recursive NS is doing a lot of work for you. All these requests would quickly overwhelm servers if they were done every time, so the above sequence of events only happens if your Recursive NS doesn't already know an answer. Once it has performed this work once it will cache the answer for a period of time. So the next time you or any other client makes the same DNS query the NS will answer from its local cache instead of querying other name servers.

    Note right of Recursive NS: answer in cache

These two points are both very important when considering DNS as a C2 channel. First, the Recursive NS is effectively acting to proxy traffic between the client and the remote name servers. Since DNS is so critical to normal network operations most networks will implicitly trust whichever recursive NS is configured with DHCP.
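The post says to leverage frequency analysis to find hosts using DNS for C2, and the caching behaviour described above explains why that works: a query for a name the recursive NS has already seen is answered from cache and never reaches the remote name server, so a DNS tunnel has to put a fresh, never-seen name in every query. Counting, per client and per registered domain, how many queries there are, how many of the names are distinct, and how long the subdomain part is surfaces exactly that pattern. The script below is an added example (not code from the original post); the log format, the sample lines, the fixed two-label "registered domain" rule and the thresholds are all assumptions made for the example.

```python
"""Frequency analysis over DNS query logs to surface clients that may be using
DNS as a C2 channel. Added example; not code from the original post.
Assumed, constructed log format: "<unix_ts> <client_ip> <qtype> <qname>"."""
import hashlib
from collections import defaultdict

# Constructed sample (not real traffic). 10.0.0.5 does ordinary lookups: few
# distinct names, repeated, short labels. 10.0.0.7 sends 12 queries whose
# left-most label is a unique 32-hex-char blob under one registered domain;
# every name is new, so none of them can be answered from the recursive NS cache.
BENIGN = """\
1700000000 10.0.0.5 A www.example.com
1700000002 10.0.0.5 A www.example.com
1700000003 10.0.0.5 AAAA www.example.com
1700000005 10.0.0.5 A static.example.com
1700000009 10.0.0.5 A cdn.example.net
1700000011 10.0.0.5 A www.example.com
1700000015 10.0.0.5 A mail.example.com
"""


def _tunnel_lines(n=12):
    """Generate the constructed tunnel-looking lines deterministically."""
    out = []
    for i in range(n):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        out.append(f"{1700000000 + i} 10.0.0.7 TXT {label}.t.example.org")
    return "\n".join(out) + "\n"


SAMPLE_LOG = BENIGN + _tunnel_lines()


def registered_domain(qname, depth=2):
    """Last `depth` labels of the name. A real deployment should consult the
    public suffix list; the fixed depth is a simplification for this example."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def parse(log_text):
    """Yield (timestamp, client, qtype, qname) tuples from the assumed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        yield int(ts), client, qtype, qname.rstrip(".").lower()


def analyze(log_text):
    """Per (client, registered domain): query count, number of distinct names,
    distinct-to-query ratio, and mean length of the subdomain part."""
    buckets = defaultdict(lambda: {"count": 0, "names": set(), "sub_len": 0})
    for _ts, client, _qtype, qname in parse(log_text):
        domain = registered_domain(qname)
        b = buckets[(client, domain)]
        b["count"] += 1
        b["names"].add(qname)
        # Subdomain part is everything left of the registered domain.
        b["sub_len"] += len(qname[: -len(domain)].rstrip("."))
    return {
        key: {
            "count": b["count"],
            "unique": len(b["names"]),
            "unique_ratio": len(b["names"]) / b["count"],
            "mean_sub_len": b["sub_len"] / b["count"],
        }
        for key, b in buckets.items()
    }


def flag(stats, min_queries=10, min_unique_ratio=0.8, min_mean_sub_len=20):
    """Return [(key, stats)] for buckets that look like a tunnel: enough volume
    to judge, almost every name distinct (cache-busting), and long labels.
    Thresholds are assumptions; tune them against your own baseline."""
    hits = [
        (key, s) for key, s in stats.items()
        if s["count"] >= min_queries
        and s["unique_ratio"] >= min_unique_ratio
        and s["mean_sub_len"] >= min_mean_sub_len
    ]
    return sorted(hits, key=lambda kv: kv[1]["count"], reverse=True)


if __name__ == "__main__":
    for (client, domain), s in flag(analyze(SAMPLE_LOG)):
        print(f"{client} -> {domain}: {s['count']} queries, {s['unique']} distinct "
              f"names, mean subdomain length {s['mean_sub_len']:.1f}")
```

Run against the constructed sample, only the 10.0.0.7 / example.org bucket is reported: 12 queries, 12 distinct names, every subdomain 34 characters long. The browsing host repeats www.example.com four times (a cache hit each time after the first), so its distinct-name ratio is 0.5 and its labels average under four characters. On a real resolver log the same counts are cheap to compute per hour or per day, and a registered domain that a single client queries hundreds of times without ever repeating a name is the thing to look at first.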