Hackers are exploiting DNS records as a covert channel to deliver and control malware while evading security defenses^[1]. In a recent discovery, attackers converted malware into hexadecimal code and split it across hundreds of DNS TXT records, allowing retrieval through seemingly innocent DNS queries^[2].

This technique transforms DNS into an unconventional file storage system, taking advantage of the fact that DNS traffic is rarely monitored closely by security tools^[3]. The malware is broken into chunks and stored in TXT records of subdomains, which are traditionally used for domain verification^[1:1].

Three key ways attackers abuse DNS:

1. DNS Tunneling - Packaging malware and commands inside DNS queries to bypass firewalls^[4]
2. Command & Control - Using DNS to establish covert communication channels with infected systems^[5]
3. Data Exfiltration - Stealing sensitive data by encoding it in DNS requests^[4:1]

The threat is growing more sophisticated with encrypted DNS protocols like DoH (DNS over HTTPS) and DoT (DNS over TLS), which make detection even harder^[1:2]. According to Ian Campbell of DomainTools, “Even sophisticated organizations with their own in-network DNS resolvers have a hard time delineating authentic DNS traffic from anomalous requests”^[6].

Protection requires:

• DNS traffic inspection and filtering
• Monitoring for suspicious domain patterns
• Analysis of DNS query volumes and behaviors
• Implementation of DNS security extensions (DNSSEC)^[7]