In an article posted by DomainTools, they discuss the transfer of malicious files through DNS. It works much the same way as HTML smuggling or registry smuggling, where a file is encoded as hexadecimal or Base64 text. That text is then placed in a DNS TXT record. All the malicious actor needs to do then is somehow get the client to query the FQDN of the TXT record, and the transfer of the malicious content is accomplished by ordinary DNS resolution. The transfer rides on DNS traffic rather than on a connection to a website.
The article says this is currently theoretical and that no malicious activity of this type has been seen so far that they’re aware of. The biggest question is exactly how the malicious actor could trigger a client to query DNS, assemble the returned text into a malicious file, and execute it. Would this take an executable program or script? If so, then most organizations should be pretty well protected already. However, given the “click-fix” techniques we’ve seen recently, which put text into a Windows computer’s clipboard and instruct the user to open a Windows Run prompt and paste it in to execute, I can see where they could put into the clipboard an nslookup command that pulls multiple TXT records down, writes them to a file, and runs it. Ultimately, the most likely vector to get the command into the Windows clipboard would be a malicious website, whether that is a newly registered domain or a compromised one. Looking through all the steps involved in this attack vector, organizations would be relying on web filtering to prevent the clipboard portion and on endpoint protection to catch whatever malware has been transferred through DNS. I’m wondering if DNSSEC can assist in protection against this. I don’t believe that would help us. Given we fully trust the DNS servers our systems use for name resolution, and nothing I’m currently aware of examines DNS traffic for malicious intent, this vector appears pretty wide open.
–Matt
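As an added example (not from the DomainTools article or from Matt), here is one way a defender could examine resolver logs for the pattern described above: a single client pulling several TXT answers from one domain where every answer is nothing but Base64 text. The log format and every host name, address and TXT value are constructed for the example; real SPF and DKIM records are included to show that legitimate TXT traffic is not flagged.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (time client qtype qname answer); the hosts,
# addresses and TXT contents are made up for this example, not real traffic.
LOG_LINES = """
10:00:01 10.1.1.5 A www.example.com 93.184.216.34
10:00:02 10.1.1.7 TXT c0.payload-host.example QkFTRTY0IGNodW5rIG51bWJlciB6ZXJvIG9mIHRoZSBjb25zdHJ1Y3RlZCBmaWxl
10:00:02 10.1.1.7 TXT c1.payload-host.example Q2h1bmsgb25lIG9mIHRoZSBjb25zdHJ1Y3RlZCBzYW1wbGUgZmlsZSBmb2xsb3dz
10:00:03 10.1.1.5 TXT example.com v=spf1 include:_spf.example.com -all
10:00:03 10.1.1.7 TXT c2.payload-host.example Q2h1bmsgdHdvIGVuZHMgdGhlIGNvbnN0cnVjdGVkIHNhbXBsZSBmaWxlIGhlcmU=
10:00:04 10.1.1.5 TXT mail._domainkey.example.com v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC
""".strip().splitlines()

# A TXT answer made entirely of the Base64 alphabet is the tell-tale of a
# smuggled chunk; SPF and DKIM answers use key=value syntax and do not match.
B64_ONLY = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

def registered_domain(qname):
    """Collapse a query name to its last two labels (sufficient for this sample)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_txt_smuggling(lines, min_queries=3):
    """Return {(client, domain): stats} for clients that fetched at least
    min_queries TXT answers from one domain, all of them Base64-only."""
    stats = defaultdict(lambda: {"queries": 0, "b64_answers": 0, "bytes": 0})
    for line in lines:
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[2] != "TXT":
            continue
        _, client, _, qname, answer = fields
        s = stats[(client, registered_domain(qname))]
        s["queries"] += 1
        s["bytes"] += len(answer)
        if B64_ONLY.match(answer):
            s["b64_answers"] += 1
    return {k: v for k, v in stats.items()
            if v["queries"] >= min_queries and v["b64_answers"] == v["queries"]}

if __name__ == "__main__":
    for (client, domain), s in find_txt_smuggling(LOG_LINES).items():
        print(f"{client} pulled {s['bytes']} bytes of Base64-only TXT data "
              f"from {domain} in {s['queries']} queries")
```

Against the sample, only 10.1.1.7 is reported (three Base64-only answers from payload-host.example); the SPF and DKIM lookups from 10.1.1.5 are ignored.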