Malware in DNS
Malware in DNS: When Legitimate Traffic Becomes a Hidden Channel
The Domain Name System (DNS) is one of the pillars of the Internet. Thanks to it, we can type a name like google.com and get its IP address without memorizing long strings of numbers. But what is a fundamental piece of connectivity for everyone can be turned by attackers into a secret communication channel.
In this post, we explore how malware abuses DNS, particularly TXT records, to exfiltrate data or receive command and control (C2) instructions. This technique is well documented in DomainTools' Malware in DNS report, which we use here as a reference.
What Are TXT Records?
DNS supports multiple record types. One of them, the TXT record, allows arbitrary text to be associated with a domain.
A legitimate example:
example.com IN TXT "v=spf1 include:_spf.google.com ~all"
Here, TXT is used for email configuration (SPF).
Malware + DNS = A Covert Channel
Attackers can exploit the fact that DNS traffic is usually allowed in most corporate networks. Common techniques include:
1. Data Exfiltration
Malware splits sensitive information into chunks, encodes it (Base32, Base64, hex), and sends it inside subdomains.
cGFzc3dvcmQ=.stolen.example.com
(The first label is the Base64 encoding of the word password.)
2. Commands via TXT Records
The malicious server responds with a TXT record containing instructions for the malware.
response.example.com IN TXT "cmd=download&file=malware.exe"
3. Evasion of Controls
Since DNS queries are rarely blocked or deeply inspected, these techniques can bypass traditional firewalls.
The Role of Regular Expressions
A key step in detecting suspicious traffic is to spot unusual patterns in DNS records:
• Subdomains with long character strings matching [A-Za-z0-9+/=]: likely Base64.
• Queries with large hexadecimal blocks matching [0-9A-F]{16,}: potential binary exfiltration.
• TXT records with key=value structures: could be hidden commands.
Regular expressions make it possible to automate the search for these patterns in large volumes of logs.
Simple regex example:
^[0-9a-f]{16,}\.
This matches names whose first label is a run of at least 16 lowercase hexadecimal characters, i.e. subdomains that look like hex-encoded data.
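The three heuristics above, applied to a log, as an added example that is not part of the original post or of the DomainTools report. It assumes a simple query-log line format ("timestamp client qtype qname [rdata]") and uses constructed sample lines that reproduce the post's Base64, hex and key=value cases. The hex regex is the post's own, applied case-insensitively so that the uppercase form from the bullet list is also caught, and well-known key=value conventions such as SPF are allowlisted so that a normal "v=spf1" record is not reported as a hidden command.

```python
import base64
import binascii
import re

# Constructed sample DNS query log for this example (not real traffic).
# Assumed line format: "<timestamp> <client-ip> <qtype> <qname> [<rdata>]".
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 A www.example.com 93.184.216.34
2024-01-01T10:00:02Z 10.0.0.5 TXT example.com "v=spf1 include:_spf.google.com ~all"
2024-01-01T10:00:03Z 10.0.0.9 A cGFzc3dvcmQ=.stolen.example.com
2024-01-01T10:00:04Z 10.0.0.9 A 4a6f686e446f653a31323334.stolen.example.com
2024-01-01T10:00:05Z 10.0.0.9 TXT response.example.com "cmd=download&file=malware.exe"
2024-01-01T10:00:06Z 10.0.0.7 A mail.example.com 93.184.216.35
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$')

# Heuristic 1: first label uses only the Base64 alphabet (with optional padding).
B64_LABEL_RE = re.compile(r'^[A-Za-z0-9+/]{8,}={0,2}$')
# Heuristic 2: the post's regex, a 16+ character hex block at the start of the name.
HEX_LABEL_RE = re.compile(r'^[0-9a-f]{16,}\.', re.IGNORECASE)
# Heuristic 3: key=value pairs inside TXT data.
KV_RE = re.compile(r'\b[A-Za-z_][A-Za-z0-9_]*=[^&\s"]+')
# Legitimate TXT conventions that are key=value by design; do not flag these.
BENIGN_TXT_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1")


def decode_label(label: str):
    """Try to decode a label as hex, then Base64; return printable ASCII or None."""
    candidates = []
    if re.fullmatch(r'[0-9a-fA-F]+', label) and len(label) % 2 == 0:
        candidates.append(bytes.fromhex(label))
    if B64_LABEL_RE.match(label):
        try:
            candidates.append(base64.b64decode(label, validate=True))
        except binascii.Error:
            pass
    for raw in candidates:
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text
    return None


def analyze_line(line: str):
    """Return a list of findings (dicts) for one log line; empty if nothing is suspicious."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    _ts, _client, qtype, qname, rdata = m.groups()
    findings = []
    first_label = qname.split(".")[0]

    if HEX_LABEL_RE.match(qname):
        findings.append({"qname": qname, "reason": "hex block in subdomain",
                         "decoded": decode_label(first_label)})
    # Require padding or a long run so ordinary hostnames are not reported.
    elif B64_LABEL_RE.match(first_label) and ("=" in first_label or len(first_label) >= 20):
        findings.append({"qname": qname, "reason": "base64-looking subdomain",
                         "decoded": decode_label(first_label)})

    if qtype == "TXT" and rdata:
        txt = rdata.strip().strip('"')
        if not txt.lower().startswith(BENIGN_TXT_PREFIXES):
            pairs = KV_RE.findall(txt)
            if pairs:
                findings.append({"qname": qname, "decoded": None,
                                 "reason": "key=value TXT data: " + ", ".join(pairs)})
    return findings


def scan_log(text: str):
    """Run the heuristics over every line of the log and return all findings in order."""
    results = []
    for line in text.splitlines():
        results.extend(analyze_line(line))
    return results


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the sample log, the two www/mail lookups and the SPF record pass silently, while the Base64 label decodes to "password", the hex label decodes to the constructed string "JohnDoe:1234", and the TXT answer is reported with its cmd= and file= pairs. The decoded preview is there for analyst triage only; the alert should fire on the pattern, since real exfiltration is usually encrypted or compressed before encoding and will not decode to readable text.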
Why It Matters
This kind of abuse shows that attackers don't always need exotic channels to steal information: exploiting basic protocols we all rely on is often enough. That's why monitoring DNS traffic and applying pattern-based detection is crucial in any security strategy.
Conclusion
Malware in DNS is a reminder that even the most trusted protocols can be weaponized when attackers get creative. The DomainTools report is an excellent starting point to dive deeper into this subject and see how these techniques have evolved.