GCIH · Question #813
How do DNS tunneling tools like DNSCat2 avoid DNS caching?
The correct answer is C. Generate many unique subdomains. DNS tunneling tools generate large numbers of unique subdomains so that each query is treated as a new lookup, bypassing DNS caches that would otherwise block repeated queries from reaching the attacker's server.
Question
How do DNS tunneling tools like DNSCat2 avoid DNS caching?
Options
- AUse a different UDP port than 53
- BSend packets at regular intervals
- CGenerate many unique subdomains
- DEncrypt the DNS queries
How the community answered
(36 responses)- A3% (1)
- B8% (3)
- C78% (28)
- D11% (4)
Why each option
DNS tunneling tools generate large numbers of unique subdomains so that each query is treated as a new lookup, bypassing DNS caches that would otherwise block repeated queries from reaching the attacker's server.
Standard DNS operates on UDP port 53; using a different port would break normal DNS resolution and would not interact with caching mechanisms at all.
Sending packets at regular intervals does not affect cache lookup behavior, since caching is keyed on domain name uniqueness, not query timing.
DNS resolvers cache responses keyed to the exact fully-qualified domain name queried. By encoding data payloads into randomly generated subdomains (e.g., a1b2c3.attacker.com, d4e5f6.attacker.com), DNSCat2 ensures no two queries are identical, so no cached response exists and every packet must be resolved all the way to the attacker's authoritative name server. This preserves the bidirectional covert channel and is a defining characteristic of DNS tunneling evasion.
Standard DNS queries are not encrypted (absent DoH/DoT), and encrypting query content would not prevent caching - caching is based on the domain name in the query, not the payload.
Concept tested: DNS tunneling cache evasion via unique subdomain generation
Source: https://attack.mitre.org/techniques/T1071/004/
Topics
Community Discussion
No community discussion yet for this question.