DNS as a Weapon: The Most Abused Protocol in Cyber Security History
Black Hat Ethical Hacking • All rights reserved


Before we get started,

It’s been a little while since the last edition; we’ve been tied up with pentesting assessments, but we're glad to be back. Let’s get right into it.

When we think about the internet, we picture websites, apps, and services, the visible layers we interact with every day. But beneath it all runs a hidden system that keeps everything connected: DNS, the Domain Name System.

DNS has become one of the most systematically abused technologies in cyber history.

In this edition, we’ll explore how attackers weaponize DNS through tunneling, beaconing and fast flux; why defenders often miss it and the blind spots this creates; and finally, the practical steps blue teams can take to detect and disrupt DNS abuse before it escalates.

Everyone uses DNS. Most forget to watch it. Attackers never do.

Why DNS Matters more than Ever

DNS, the Domain Name System, is the internet’s address book. Every time you load a website, your system uses DNS to turn a human-readable domain (like example.com) into an IP address that your computer understands.

It’s essential. It’s everywhere. And it’s dangerously under-monitored.

So why is DNS a weapon?

Because:

  • It’s allowed on nearly every network

  • It's often overlooked by defenders

  • Attackers can hijack it for stealthy command & control, exfiltration, persistence, and more.

Think of DNS not as just infrastructure, but as a covert channel that can be exploited by both nation-state APTs and cybercriminals alike.

With studies indicating that 90% of malware uses DNS somewhere in its kill chain and 95% relies on DNS for command‑and‑control, the rise of encrypted DNS protocols like DNS‑over‑HTTPS (DoH) and DNS‑over‑TLS (DoT)* has only compounded detection challenges.

*We’ll define these terms below.

How Attackers Abuse DNS at Every Stage

Let’s walk through the attack lifecycle to see how DNS becomes a Swiss Army knife for adversaries:

Reconnaissance:

  • Attackers enumerate subdomains to map your infrastructure

  • Misconfigured DNS entries (like exposed development domains or internal zones) can give away too much

Delivery & Infrastructure:

  • Domains are used to host malware, act as phishing links, or host redirectors for social engineering

  • Attackers use Fast Flux DNS, rapidly changing IP addresses behind a single domain, to stay ahead of takedowns

Command & Control (C2):

  • Instead of talking to a C2 server over HTTP or HTTPS, malware encodes messages inside DNS queries

  • This makes malicious activity blend in with normal web browsing

Data Exfiltration:

  • Files can be encoded into DNS request packets and exfiltrated chunk-by-chunk using long subdomains

Tunneling, Beaconing, and other DNS Attacks Explained

Let’s explore some of the most common offensive DNS techniques:

1. DNS Tunneling

Use case: Getting data out or keeping command channels alive in a restricted network

How it works: An attacker encodes data into the DNS queries themselves. The queries get forwarded by the victim’s resolver to an attacker-controlled DNS server, which can decode and respond.

[Figure: DNS tunneling example. Source: Akamai]

2. Domain Generation Algorithms (DGAs)

Use case: Creating hundreds of fake domains so malware can always "find home"

How it works: Instead of hardcoding a single C2 domain (which defenders could block), malware generates domains on the fly and the attacker registers one of them each day.

[Figure: Domain Generation Algorithm illustration. Source: Akamai]

3. Fast Flux DNS

Use case: Resilience. Keep hosting malware even if some IPs get shut down.

How it works: A single domain is linked to dozens or hundreds of changing IPs, often pointing to compromised systems. DNS TTLs are set very low, constantly rotating.

Used by: Phishing kits, spam botnets, malware delivery infra

[Figure: Fast Flux DNS illustration. Source: ResearchGate]

4. Beaconing Over DNS

Use case: Have infected machines periodically “check in” with their controller

How it works: Malware sends periodic DNS queries with encrypted data in the subdomain. The attacker sees these queries and knows the host is still active.

[Figure: DNS beaconing example. Source: hstechdocs]

5. DNS Amplification Attacks (DDoS at Scale)

Not every abuse of DNS is about stealth. Sometimes, attackers weaponize it for sheer force.

DNS amplification attacks exploit open resolvers, misconfigured DNS servers that respond to anyone, to flood victims with massive amounts of traffic. A small query (like 60 bytes) can trigger a huge response (up to 4,000 bytes), creating an amplification factor of 50x or more.

[Figure: DNS amplification illustration. Source: Akamai]

The Evolution of DNS Abuse

Modern DNS: DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)

DNS was originally plain text. Every query, every response, visible on the wire. That made it easier for defenders to monitor, but also easier for attackers to abuse undetected if no one was watching.

Then came DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), marketed as privacy features. They encrypt DNS traffic, hiding queries inside HTTPS streams. Good for user privacy. Bad for defenders who lose visibility.

Attackers now exploit DoH by sending their malicious queries through legitimate DoH resolvers like Cloudflare or Google. To defenders, it looks like ordinary HTTPS traffic to a trusted service. But inside, it’s the same old C2 or exfil — just invisible to traditional DNS monitoring.

DoH is the future of DNS abuse. A stealth layer built right on top of a protocol already prone to exploitation.

Attacker OPSEC Tricks

Basic DNS tunneling is noisy. Security teams can catch it if they’re looking. But mature attackers add layers of operational security (OPSEC) to hide their tracks.

  • Entropy padding: adding random junk to subdomains to defeat pattern detection.

  • Multi-stage fallback: beaconing first over HTTP, then switching to DNS if blocked, and finally to DoH if both fail.

  • Using legitimate infrastructure: compromised domains, dynamic DNS services, or even hijacked subdomains of trusted companies.

  • TTL randomization: making beacon intervals unpredictable to frustrate anomaly detection.

These tricks aren’t theoretical. They’re in use today, making malicious DNS look like background noise until it’s too late.

DNS in Attack Path Chaining

DNS abuse rarely stands alone. It’s usually woven into a larger intrusion campaign.

Think of a phishing attack that drops malware. That malware beacons out over DNS to confirm infection. Once inside, it switches to DNS tunneling to exfil small pieces of data. Later, it escalates to DoH for persistence.

DNS is the connective tissue, not flashy, not obvious, but essential. It ties initial access to persistence, C2, and exfiltration. Without DNS, many campaigns would fall apart. With it, they become almost invisible.

The Defender’s Reality

Why most Defenders miss DNS Abuse

Here’s the trap:

  • Most organizations don't log DNS traffic

  • EDRs often ignore DNS (or just log the resolver used)

  • DNS traffic is often allowed everywhere, even when HTTP/S is blocked

Attackers love this. It gives them:

  • Stealth

  • Flexibility

  • Persistence

Real Defender Blind Spots

It’s easy to say “just log DNS.” But in practice, most organizations stumble on the basics:

  • Reliance on ISP or external resolvers → If your traffic goes straight to Google or Cloudflare, you have no visibility.

  • Split-brain DNS → Internal vs external resolution means defenders often see only half the picture.

  • Recursive resolvers without logging → Queries are answered, but the trail vanishes.

  • SOC fatigue → DNS alerts get buried under mountains of HTTP and endpoint noise.

These blind spots aren’t rare, they’re everywhere. And attackers count on it. DNS isn’t just abused because it’s clever, it’s abused because defenders rarely have the full view.

How Defenders can Fight Back

DNS abuse isn’t inevitable. The problem isn’t that defenders lack tools, it’s that DNS often gets left off the priority list. A few focused moves can make attackers’ lives a lot harder:

  • Log DNS traffic on your own resolvers instead of relying on external ones.

  • Look for the weird stuff: long subdomains, repeated TXT queries, or high volumes of NXDOMAIN results.

  • Pay attention to timing: malware doesn’t sleep like humans, so beaconing shows up as clockwork‑like patterns.

  • Don’t ignore dynamic DNS: attackers love it because it blends in with legitimate traffic.

  • Correlate DNS with endpoints: a suspicious query means more when you know which process triggered it.

Attackers abuse DNS because they assume no one’s watching. Start watching, and you force them to burn more effort, more infrastructure, and more OPSEC. That alone can be enough to tip the balance.
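As an added example (not from the article or from Black Hat Ethical Hacking), here is a small Python pass over constructed resolver log lines that scores the indicators listed above and in the techniques section: long, high-entropy labels (tunneling), repeated TXT queries, a high NXDOMAIN share (DGA probing), and clockwork beacon intervals. The log format, the thresholds and the sample data are assumptions chosen for the demo.

```python
import math
import statistics
from collections import defaultdict

# Constructed resolver log, "epoch,client,qname,qtype,rcode" (sample data, not from the article).
SAMPLE_LOG = """\
1000,10.0.0.5,www.example.com,A,NOERROR
1000,10.0.0.9,a9f3k2m1q8z7x4c6v2b5n8l0p3o7i1u.tun.example.net,TXT,NOERROR
1060,10.0.0.9,k1l8p0o9i7u6y5t4r3e2w1q0z9x8c7v.tun.example.net,TXT,NOERROR
1120,10.0.0.9,m4n5b6v7c8x9z0l1k2j3h4g5f6d7s8a.tun.example.net,TXT,NOERROR
1180,10.0.0.9,q2w3e4r5t6y7u8i9o0p1a2s3d4f5g6h.tun.example.net,TXT,NOERROR
1005,10.0.0.7,xkqpvjzmwr.example.org,A,NXDOMAIN
1006,10.0.0.7,bnhtrlcdsy.example.org,A,NXDOMAIN
1007,10.0.0.7,gfwmqzxpvk.example.org,A,NXDOMAIN
"""

def shannon_entropy(label):  # bits per character; encoded chunks score far above real hostnames
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in (label.count(ch) for ch in set(label))) if n else 0.0

def parse(log):  # each CSV line -> (epoch, client, qname, qtype, rcode)
    return [(int(t), c, q.lower().rstrip("."), ty, rc)
            for t, c, q, ty, rc in (l.split(",") for l in log.strip().splitlines())]

def analyze(rows, long_label=30, entropy_min=3.5, nx_ratio=0.5, jitter_max=0.2):
    findings, by_client = [], defaultdict(list)  # findings are (client, indicator, detail)
    for r in rows:
        by_client[r[1]].append(r)
    for client, qs in by_client.items():
        # 1. High NXDOMAIN share: a host cycling through unregistered DGA candidates.
        nx = sum(q[4] == "NXDOMAIN" for q in qs)
        if len(qs) >= 3 and nx / len(qs) >= nx_ratio:
            findings.append((client, "nxdomain_ratio", round(nx / len(qs), 2)))
        by_domain = defaultdict(list)  # group by registered domain (last two labels; demo-grade)
        for q in qs:
            by_domain[".".join(q[2].split(".")[-2:])].append(q)
        for domain, dq in by_domain.items():
            labels = [q[2].split(".")[0] for q in dq]
            # 2. Long, high-entropy leftmost labels: data chunks riding in the query name.
            if any(len(l) >= long_label and shannon_entropy(l) >= entropy_min for l in labels):
                findings.append((client, "encoded_label", domain))
            # 3. Repeated TXT queries to one domain: a record type normal clients rarely need.
            if sum(q[3] == "TXT" for q in dq) >= 3:
                findings.append((client, "repeated_txt", domain))
            # 4. Clockwork timing: low relative jitter between successive queries to one domain.
            times = sorted(q[0] for q in dq)
            gaps = [b - a for a, b in zip(times, times[1:])]
            if len(gaps) >= 3 and (m := statistics.mean(gaps)) and statistics.pstdev(gaps) / m <= jitter_max:
                findings.append((client, "beacon_interval", m))
    return findings
```

Interval randomization, one of the OPSEC tricks described earlier, defeats the jitter check on its own, which is why the indicators are reported together for a client rather than as single-signal alerts.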

Case Study – DNS in the SUNBURST Attack

In the infamous SolarWinds SUNBURST breach (2020), attackers used DNS beaconing to:

  1. Collect victim metadata

  2. Encode it into DNS queries

  3. Wait for a signal from their infrastructure to escalate

The trick? The malware only advanced the attack if DNS responses came back in a certain way, using CNAME records for stealth pivoting.

This showed how DNS can be part of a full decision-making logic for the malware, not just a tunnel.

Last Thoughts: DNS is the Battleground you forgot about

DNS was never designed for security. It was designed for speed, reliability and trust, and that’s exactly why attackers love it. To an adversary, DNS is more than an address book. It’s an open lane through firewalls, a covert channel for stolen data, and a resilient backbone for command‑and‑control.

The uncomfortable truth is that most organizations don’t even look at it. That’s why attackers keep coming back to DNS: not because it’s clever, but because it works.

If you take one thing from this edition, it’s this: DNS abuse isn’t theoretical, it’s operational. It’s happening right now, in enterprises, in governments, and maybe even in your own network, quietly, invisibly and often without a single alert firing.

Awareness is the first step. The next is action. Because as long as DNS remains a blind spot, attackers will keep turning the internet’s nervous system into their weapon of choice.

Thanks for reading. Hopefully this gave you something useful to take back to your team, or your own mindset. Until next time.

Jorge Cruz

Marketer, Story Selling and Copywriting helping SaaS, Office Tech, and Gaming companies build trusting and profitable systems.

2d

I think I've seen DNS attacks while playing GTA Online...

https://t.me/CyberSecurity_PurpleTeam/155
