Command and Control

T1071.004: DNS

T1071.004 · Sub-technique · 5 platforms · 11 groups

Description

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)

DNS beaconing may be used to send commands to remote systems via DNS queries. A DNS beacon is created by tunneling DNS traffic (i.e. Protocol Tunneling). The commands may be embedded into different DNS records, for example, TXT or A records.(Citation: OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government) DNS beacons may be difficult to detect because the beacons infrequently communicate with infected devices.(Citation: DNS Beacons) Infrequent communication conceals the malicious DNS traffic with normal DNS traffic.
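As an added illustration of the detection side (this is not part of the ATT&CK entry), the following Python scores constructed DNS query log lines for the tunneling indicators described above: long, high-entropy subdomain labels carrying encoded data, a TXT-heavy query mix, and one client asking for many distinct names under a single registered domain. The log format, thresholds and domains are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log (not a real capture): timestamp, client, qtype, qname.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 A cdn.example.net
2024-01-01T10:00:03 10.0.0.7 TXT 7a8f3c1e9b2d4f60a1c3e5b7d9f1a3c5.tun.example.org
2024-01-01T10:00:05 10.0.0.7 TXT 0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.tun.example.org
2024-01-01T10:00:07 10.0.0.7 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.tun.example.org
2024-01-01T10:00:09 10.0.0.7 TXT 1122334455667788990aabbccddeeff0.tun.example.org
2024-01-01T10:00:11 10.0.0.9 A mail.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels); a real tool would use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text: str, label_len: int = 30, entropy_min: float = 3.5,
            min_names: int = 3) -> dict:
    """Return {registered_domain: [reasons]} for domains showing tunneling indicators."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        per_domain[registered_domain(qname)].append((client, qtype, qname))
    findings = {}
    for domain, queries in per_domain.items():
        reasons = []
        # 1. Encoded payloads show up as long, high-entropy leftmost labels.
        labels = [q.split(".")[0] for _c, _t, q in queries]
        odd = [l for l in labels if len(l) >= label_len and shannon_entropy(l) >= entropy_min]
        if odd:
            reasons.append(f"{len(odd)} long high-entropy subdomain labels")
        # 2. TXT answers carry more data than A records, so a TXT-heavy mix stands out.
        txt = sum(1 for _c, t, _q in queries if t == "TXT")
        if txt and txt / len(queries) >= 0.5:
            reasons.append(f"{txt}/{len(queries)} queries are TXT")
        # 3. One client querying many distinct names under one domain (each name is a new message).
        distinct = Counter(c for c, _q in {(c, q) for c, _t, q in queries})
        hot = [c for c, n in distinct.items() if n >= min_names]
        if hot:
            reasons.append(f"{len(hot)} client(s) queried >= {min_names} distinct names")
        if reasons:
            findings[domain] = reasons
    return findings
```

Run against the sample, only `example.org` is flagged, with all three reasons; the thresholds should be tuned per environment against a baseline of normal resolver traffic.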

Platforms

ESXi, Linux, macOS, Network Devices, Windows

Mitigations (2)

M1037: Filter Network Traffic

Consider filtering DNS requests to unknown, untrusted, or known bad domains and resources. Resolving DNS requests with on-premise/proxy servers may also disrupt adversary attempts to conceal data within DNS packets.

M1031: Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Threat Groups (11)

| ID | Group | Context |
|---|---|---|
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used [Cobalt Strike](https://attack.mitre.org/software/S0154) to encapsulate C2 in DNS traffic.(C... |
| G0140 | LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has leveraged dynamic DNS providers for C2 communications.(Citation: MalwareBytes LazyScripter F... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used DNS for C2 communications.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has used DNS tunneling for C2.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Coba... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used DNS for C2 including the publicly available `requestbin.net` tunneling service.(Ci... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) malware RoyalDNS has used DNS for C2.(Citation: NCC Group APT15 Alive and Strong) |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used remote access tools that leverage DNS in communications with C2.(Citation: BitDefender Chafer ... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has used DNS tunnelling tools, such as dnscat/2 and Iodine, for C2 purposes.(Citation: CISA GRU291... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081)'s backdoor has communicated to the C2 over the DNS protocol.(Citation: TrendMicro Tropic Troop... |
| G0026 | APT18 | [APT18](https://attack.mitre.org/groups/G0026) uses DNS for C2 communications.(Citation: PaloAlto DNS Requests May 2016) |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has performed C2 using DNS via A, OPT, and TXT records.(Citation: FireEye FIN7 Aug 2018) |

Associated Software (43)

| ID | Name | Type | Context |
|---|---|---|---|
| S0477 | Goopy | Malware | [Goopy](https://attack.mitre.org/software/S0477) has the ability to communicate with its C2 over DNS.(Citation: Cybereason Cobalt Kitty 2017) |
| S0269 | QUADAGENT | Malware | [QUADAGENT](https://attack.mitre.org/software/S0269) uses DNS for C2 communications.(Citation: Unit 42 QUADAGENT July 2018) |
| S0354 | Denis | Malware | [Denis](https://attack.mitre.org/software/S0354) has used DNS tunneling for C2 communications.(Citation: Cybereason Oceanlotus May 2017)(Citation: Sec... |
| S0663 | SysUpdate | Malware | [SysUpdate](https://attack.mitre.org/software/S0663) has used DNS TXT requests for its C2 communication.(Citation: Lunghi Iron Tiger Linux) |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) can cloak command and control traffic in DNS records from legitimate services to avoid reputation-... |
| S0146 | TEXTMATE | Malware | [TEXTMATE](https://attack.mitre.org/software/S0146) uses DNS TXT records for C2.(Citation: FireEye FIN7 March 2017) |
| S1020 | Kevin | Malware | Variants of [Kevin](https://attack.mitre.org/software/S1020) can communicate over DNS through queries to the server for constructed domain names with ... |
| S1015 | Milan | Malware | [Milan](https://attack.mitre.org/software/S1015) has the ability to use DNS for C2 communications.(Citation: ClearSky Siamesekitten August 2021)(Citat... |
| S0377 | Ebury | Malware | [Ebury](https://attack.mitre.org/software/S0377) has used DNS requests over UDP port 53 for C2.(Citation: ESET Ebury Feb 2014) |
| S0170 | Helminth | Malware | [Helminth](https://attack.mitre.org/software/S0170) can use DNS for C2.(Citation: Palo Alto OilRig May 2016) |
| S0699 | Mythic | Tool | [Mythic](https://attack.mitre.org/software/S0699) supports DNS-based C2 profiles.(Citation: Mythc Documentation) |
| S0495 | RDAT | Malware | [RDAT](https://attack.mitre.org/software/S0495) has used DNS to communicate with the C2.(Citation: Unit42 RDAT July 2020) |
| S0184 | POWRUNER | Malware | [POWRUNER](https://attack.mitre.org/software/S0184) can use DNS for C2 communications.(Citation: FireEye APT34 Dec 2017)(Citation: FireEye APT34 Webin... |
| S0514 | WellMess | Malware | [WellMess](https://attack.mitre.org/software/S0514) has the ability to use DNS tunneling for C2 communications.(Citation: PWC WellMess July 2020)(Cita... |
| S1090 | NightClub | Malware | [NightClub](https://attack.mitre.org/software/S1090) can use a DNS tunneling plugin to exfiltrate data by adding it to the subdomain portion of a DNS ... |
| S0124 | Pisloader | Malware | [Pisloader](https://attack.mitre.org/software/S0124) uses DNS as its C2 protocol.(Citation: Palo Alto DNS Requests) |
| S1014 | DanBot | Malware | [DanBot](https://attack.mitre.org/software/S1014) can use IPv4 A records and IPv6 AAAA DNS records in C2 communications.(Citation: SecureWorks Aug... |
| S9001 | SystemBC | Malware | [SystemBC](https://attack.mitre.org/software/S9001) has used DNS servers to resolve .bit domains to C2 infrastructure.(Citation: HarmonProofpoint_Syst... |
| S1027 | Heyoka Backdoor | Malware | [Heyoka Backdoor](https://attack.mitre.org/software/S1027) can use DNS tunneling for C2 communications.(Citation: SentinelOne Aoqin Dragon June 2022) |
| S1021 | DnsSystem | Malware | [DnsSystem](https://attack.mitre.org/software/S1021) can direct queries to custom DNS servers and return C2 commands using TXT records.(Citation: Zsc... |

Frequently Asked Questions

What is T1071.004 (DNS)?

T1071.004 is a MITRE ATT&CK technique named 'DNS'. It belongs to the Command and Control tactic(s). Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and...

How can T1071.004 be detected?

Detection of T1071.004 (DNS) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1071.004?

There are 2 documented mitigations for T1071.004. Key mitigations include: Filter Network Traffic, Network Intrusion Prevention.

Which threat groups use T1071.004?

Known threat groups using T1071.004 include: Chimera, LazyScripter, APT41, Cobalt Group, OilRig, Ke3chang, APT39, Ember Bear.