nerdexam
GIAC

GCIH · Question #813

How do DNS tunneling tools like DNSCat2 avoid DNS caching?

The correct answer is C. Generate many unique subdomains. DNS tunneling tools generate large numbers of unique subdomains so that each query is treated as a new lookup, bypassing DNS caches that would otherwise block repeated queries from reaching the attacker's server.

Malware Analysis & Advanced Persistent Threats

Question

How do DNS tunneling tools like DNSCat2 avoid DNS caching?

Options

  • AUse a different UDP port than 53
  • BSend packets at regular intervals
  • CGenerate many unique subdomains
  • DEncrypt the DNS queries

How the community answered

(36 responses)
  • A
    3% (1)
  • B
    8% (3)
  • C
    78% (28)
  • D
    11% (4)

Why each option

DNS tunneling tools generate large numbers of unique subdomains so that each query is treated as a new lookup, bypassing DNS caches that would otherwise block repeated queries from reaching the attacker's server.

AUse a different UDP port than 53

Standard DNS operates on UDP port 53; using a different port would break normal DNS resolution and would not interact with caching mechanisms at all.

BSend packets at regular intervals

Sending packets at regular intervals does not affect cache lookup behavior, since caching is keyed on domain name uniqueness, not query timing.

CGenerate many unique subdomainsCorrect

DNS resolvers cache responses keyed to the exact fully-qualified domain name queried. By encoding data payloads into randomly generated subdomains (e.g., a1b2c3.attacker.com, d4e5f6.attacker.com), DNSCat2 ensures no two queries are identical, so no cached response exists and every packet must be resolved all the way to the attacker's authoritative name server. This preserves the bidirectional covert channel and is a defining characteristic of DNS tunneling evasion.

DEncrypt the DNS queries

Standard DNS queries are not encrypted (absent DoH/DoT), and encrypting query content would not prevent caching - caching is based on the domain name in the query, not the payload.

Concept tested: DNS tunneling cache evasion via unique subdomain generation

Source: https://attack.mitre.org/techniques/T1071/004/

Topics

#DNS tunneling#DNSCat2#C2 communication#cache evasion

Community Discussion

No community discussion yet for this question.

Full GCIH Practice