{"id":255,"date":"2025-08-07T10:41:52","date_gmt":"2025-08-07T15:41:52","guid":{"rendered":"https:\/\/freshphish.info\/?p=255"},"modified":"2025-08-07T10:41:52","modified_gmt":"2025-08-07T15:41:52","slug":"dns-as-an-attack-vector","status":"publish","type":"post","link":"https:\/\/freshphish.info\/?p=255","title":{"rendered":"DNS as an Attack Vector"},"content":{"rendered":"\n<p>In an article posted by <a href=\"https:\/\/dti.domaintools.com\/malware-in-dns\/\" target=\"_blank\" rel=\"noopener\" title=\"\">Domain Tools<\/a>, they discuss the transfer of malicious files through DNS. It works much the same way as <a href=\"https:\/\/freshphish.info\/?p=73\" target=\"_blank\" rel=\"noopener\" title=\"\">html smuggling<\/a> or <a href=\"https:\/\/freshphish.info\/?p=146\" target=\"_blank\" rel=\"noopener\" title=\"\">registry smuggling<\/a> where a file is encoded in hexadecimal or Base64 text. This text is then placed in a DNS TXT record. All the malicious actor needs to do then is to somehow get the client to query the FQDN of the text record and the transfer of the malicious content would be accomplished by DNS resolution. This transfer would be through DNS traffic and not through a connection to a website.<\/p>\n\n\n\n<p>The article says this is currently theoretical and there\u2019s not been malicious activity of this type seen so far that they\u2019re aware of. The biggest question is exactly how the malicious actor could trigger a client to query DNS and assemble the code into a malicious file and execute it. Would this take an executable program or script to do this? If so, then most organizations should be pretty well protected already. 
However, using &#8220;<a href=\"https:\/\/www.cybermaxx.com\/resources\/clickfix-explained-how-threat-actors-use-clipboard-hijacking-to-breach-systems\/\" target=\"_blank\" rel=\"noopener\" title=\"click-fix\">click-fix<\/a>&#8221; techniques we\u2019ve seen recently that put data into a Windows computer\u2019s clipboard and provide instructions to open a Windows Run prompt and paste the text into it to execute, I can see where they could put into the clipboard an nslookup command that pulls multiple TXT records down, writes them to a file and runs it. Ultimately, the most likely vector to get the command into the Windows clipboard would be through a malicious website, whether that is through a newly registered domain or a compromised website. Looking through all the steps involved in this attack vector, organizations would be relying on web filtering to prevent the clipboard portion and on endpoint protection to protect against whatever malware has been transferred through DNS. I&#8217;m wondering if DNSSEC can assist in protection against this. I don&#8217;t believe that would help us. Given we fully trust the DNS servers our systems use for name resolution and nothing I&#8217;m currently aware of examines DNS traffic for malicious intent, this vector appears pretty wide open.<\/p>\n\n\n\n<p>&#8211;Matt<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In an article posted by Domain Tools, they discuss the transfer of malicious files through DNS. 
It works much the<\/p>\n<p><a href=\"https:\/\/freshphish.info\/?p=255\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\">DNS as an Attack Vector<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[68,72,69,70,46,71],"class_list":["post-255","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-attack-vector","tag-clickfix","tag-dns","tag-html-smuggling","tag-malware-delivery","tag-registry-smuggling"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/freshphish.info\/index.php?rest_route=\/wp\/v2\/posts\/255","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/freshphish.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/freshphish.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/freshphish.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/freshphish.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=255"}],"version-history":[{"count":1,"href":"https:\/\/freshphish.info\/index.php?rest_route=\/wp\/v2\/posts\/255\/revisions"}],"predecessor-version":[{"id":256,"href":"https:\/\/freshphish.info\/index.php?rest_route=\/wp\/v2\/posts\/255\/revisions\/256"}],"wp:attachment":[{"href":"https:\/\/freshphish.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/freshphish.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/freshphish.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=255"}],"curies":[{"name":"wp","href":"
https:\/\/api.w.org\/{rel}","templated":true}]}}