New Research Reveals Sophisticated Abuse of DNS Infrastructure, Urging Immediate Action to Strengthen Defenses
ADAMnetworks, a leading innovator of zero trust security solutions, has uncovered a critical vulnerability in the Domain Name System (DNS), where attackers are exploiting TXT records to conceal and distribute malware, bypassing conventional security measures. Detailed findings highlight how this technique leverages the versatility of DNS TXT records, transforming a foundational internet protocol into a stealthy tool for malicious activities.
Vulnerability Overview
DNS TXT records, originally designed for arbitrary text data such as email authentication (SPF, DKIM, DMARC) and domain verification, have become a target for cybercriminals. Attackers encode malware into hexadecimal or base64 chunks, distribute these across multiple TXT records in subdomains, and reassemble them on infected devices via innocuous DNS queries. This method avoids traditional detection mechanisms like antivirus software, email filters, and firewalls, as DNS traffic is rarely scrutinized for malicious content. Although the technique is not entirely novel in concept, it had been treated as a theoretical threat only until recently discovered in-the-wild executions showed that it poses significant risks to organizations worldwide.
Recent reports confirm this approach is being used for malware assembly, command-and-control (C2) communications, and data exfiltration, posing a significant threat to enterprise security. A report from DomainTools, titled "Malware in DNS," reveals how an actor used TXT records to store and potentially deliver ScreenMate malware and stagers for Covenant C2 frameworks as far back as 2021-2022, but the technique's resurgence underscores its evolving threat. Similarly, Infoblox's analysis, "DNS: A Small but Effective C2 System," explains how attackers control authoritative name servers to manipulate DNS queries for exfiltrating data or issuing commands, transforming a foundational internet protocol into a "small but effective" C2 tool.
"DNS TXT records are like the Swiss Army knife of domain data. Versatile for everything from spam prevention to software licensing, but this versatility makes them a prime target for abuse," said David Redekop, Founder and CEO of ADAMnetworks, a Zero Trust Connectivity technology company that is familiar with the issue. "By assembling malware on the fly via DNS, attackers evade endpoint protections, making this a blind spot for many defenses."
Detailed Findings from Passive DNS Analysis
ADAMnetworks, through its DNS threat intelligence sharing program, analyzed TXT record queries over the past year, revealing both legitimate and malicious patterns across over 14,000 unique fully qualified domain names (FQDNs) with more than 10 TXT queries each. Their findings highlight that legitimate uses of TXT records remain widespread and essential, including SPF, DKIM, and DMARC for email security; domain ownership verification for services like Google Workspace and SSL certificates; protocols such as S/MIME and TLSA for authentication; and automation for ACME certificate issuance and geolocation for content delivery networks (CDNs).
However, Redekop also exposed questionable activities, such as private IP leaks in fully qualified domain names (FQDNs) and unusual queries for non-public suffixes like "id.server," which could be weaponized if exploited further. Less common applications were also identified, including Bittorrent signaling and DNS tunneling via apps like SlowDNS on Android, which could be used for data exfiltration.
Malware assembly and C2 data reported by DomainTools and Infoblox reveal that attackers are using TXT records to store fragmented malware payloads and establish C2 channels. For instance, DomainTools identified the domain whitetreecollective[.]com hosting chunks of the Joke Screenmate malware in TXT records, which could be reassembled via DNS queries. Infoblox highlighted similar tactics for deploying Cobalt Strike beacons and other remote access tools.
These findings underscore the dual nature of TXT records as both essential tools for network functionality and potential vectors for sophisticated cyberattacks. Notably, the data reflects queries, not necessarily successful lookups, as many were blocked by domain risk policies.
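As an added illustration of the kind of TXT-query audit described in the findings above (example code written for this page, not ADAMnetworks' analysis tooling and not the DomainTools or Infoblox research), the Python below classifies a constructed set of passive-DNS observations: it recognizes the legitimate record families named in the findings (SPF, DKIM, DMARC, site verification, ACME), flags long high-entropy hex or base64 answers as possible payload chunks, groups chunk-like answers that share a parent name to surface fragment sets, and marks private IP addresses embedded in FQDNs and non-public suffixes as questionable. Every name, value, threshold and the tiny public-suffix set are assumptions made for the example.

```python
import math
import re
from collections import defaultdict

# Constructed passive-DNS sample: (queried FQDN, TXT answer, query count).
# All names and values are made up for this example; none come from the report.
# The hex chunks are built from shuffled copies of the 16 hex digits so that
# their entropy is exactly 4 bits per character.
SAMPLE_TXT_OBSERVATIONS = [
    ("example.com", "v=spf1 include:_spf.example.net -all", 1840),
    ("selector1._domainkey.example.com", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7", 920),
    ("_dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com", 610),
    ("example.com", "google-site-verification=constructed-token-0000", 55),
    ("_acme-challenge.example.com", "constructed-acme-token", 14),
    ("0.p.example.org", "9f3a0c7e1b5d28464e7b19c2f0a5d638d81c6f25a0e39b4762b5e0d3719fa84c", 33),
    ("1.p.example.org", "62b5e0d3719fa84cd81c6f25a0e39b474e7b19c2f0a5d6389f3a0c7e1b5d2846", 31),
    ("2.p.example.org", "4e7b19c2f0a5d6389f3a0c7e1b5d284662b5e0d3719fa84cd81c6f25a0e39b47", 30),
    ("10-0-0-5.leak.example.com", "ok", 12),
    ("id.server", "constructed-text", 18),
]

# Assumed prefixes of well-known legitimate TXT record families (matched case-insensitively).
LEGIT_VALUE_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=")
# Assumed, deliberately tiny stand-in for the public suffix list; a real audit
# would consult the full list instead.
ASSUMED_PUBLIC_TLDS = {"com", "org", "net", "io"}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Four dotted or dashed numeric groups inside a name, e.g. 10-0-0-5 or 192.168.1.10.
IPV4_IN_NAME_RE = re.compile(r"(?<!\w)(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?!\w)")


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_payload_chunk(txt, min_len=64):
    """Long answers drawn only from the hex or base64 alphabet with near-maximal
    entropy look like encoded binary rather than human-written text."""
    if len(txt) < min_len:
        return False
    entropy = shannon_entropy(txt)
    if HEX_RE.match(txt):
        return entropy >= 3.0      # hex tops out at 4 bits per character
    if B64_RE.match(txt):
        return entropy >= 4.5      # base64 tops out at 6 bits per character
    return False


def private_ip_in_name(fqdn):
    """True if an RFC 1918 address appears as labels or a dashed group in the name."""
    for m in IPV4_IN_NAME_RE.finditer(fqdn):
        a, b = int(m.group(1)), int(m.group(2))
        if a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168):
            return True
    return False


def classify_observation(fqdn, txt):
    name, value = fqdn.lower().rstrip("."), txt.strip()
    if value.lower().startswith(LEGIT_VALUE_PREFIXES) or name.startswith("_acme-challenge."):
        return "legitimate"
    if looks_like_payload_chunk(value):
        return "suspicious:encoded-chunk"
    if private_ip_in_name(name):
        return "questionable:private-ip-in-name"
    if name.rsplit(".", 1)[-1] not in ASSUMED_PUBLIC_TLDS:
        return "questionable:non-public-suffix"
    return "unclassified"


def find_fragmented_payloads(observations, min_chunks=2):
    """Group chunk-like answers by the parent of their leftmost label; several
    chunks under one parent are the signature of a payload split across records."""
    chunks_by_parent = defaultdict(list)
    for fqdn, txt, _count in observations:
        if classify_observation(fqdn, txt) == "suspicious:encoded-chunk":
            labels = fqdn.lower().rstrip(".").split(".")
            chunks_by_parent[".".join(labels[1:])].append(labels[0])
    return {parent: sorted(chunks) for parent, chunks in chunks_by_parent.items()
            if len(chunks) >= min_chunks}


def audit(observations):
    """Bucket every observation by classification, keeping the query volume."""
    summary = defaultdict(list)
    for fqdn, txt, count in observations:
        summary[classify_observation(fqdn, txt)].append((fqdn, count))
    return dict(summary)


if __name__ == "__main__":
    for label, entries in audit(SAMPLE_TXT_OBSERVATIONS).items():
        print(f"{label}: {entries}")
    print("fragment sets:", find_fragmented_payloads(SAMPLE_TXT_OBSERVATIONS))
```

The ordering of the checks matters: the legitimate-family test runs first so that a DKIM public key, which is itself base64, is not reported as a payload chunk. The same data caveat the report makes applies here: the audit sees queries, not necessarily successful lookups.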
Implications and Risks
The abuse of DNS TXT records exploits a critical blind spot in cybersecurity, as DNS traffic is often treated as benign and essential, escaping the scrutiny applied to web or email traffic. The rise of encrypted DNS protocols like DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) further complicates detection, as they obscure query content from traditional monitoring tools.
Mitigation Strategies
To mitigate this threat, experts recommend a "block all, allow some" strategy. ADAMnetworks, in its adam:ONE Zero Trust Connectivity (ZTc) platform (version 4.14.2-266 and later), now enables policy-based blocking of TXT records while allowing exemptions for trusted domains through forwarding rules. This keeps internal networks and critical applications functional without exposing vulnerabilities such as DNS rebinding attacks. Organizations are advised against blanket blocks on public resolvers, as they could disrupt global internet functionality, but targeted policies on-premises offer a practical safeguard.
As cyber threats evolve, this DNS abuse highlights the need for a proactive security posture that detection evasion cannot defeat, and for adaptive security measures. Security teams should audit TXT record queries, implement protective DNS services, and stay informed on emerging techniques to protect themselves from the abuse of this versatile yet vulnerable tool.
For further details, refer to ADAMnetworks’ report alongside research from DomainTools and Infoblox.
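To make the "block all, allow some" policy above concrete, the Python below is an added example (not adam:ONE code and not its configuration format) of a default-deny decision for TXT lookups with an allowlist of trusted zones. Non-TXT queries pass through untouched; TXT queries are allowed only when the queried name is the trusted zone itself or sits below it on a label boundary. The allowlist, the sample queries and the function names are assumptions made for the example.

```python
# Constructed allowlist of zones whose TXT records the organization depends on
# (mail authentication, domain verification, ACME). Assumed values, not the report's.
TRUSTED_TXT_ZONES = ("example.com", "corp.example.net")


def _normalize(name):
    """Case-fold and drop a trailing dot so 'Example.COM.' and 'example.com' compare equal."""
    return name.lower().rstrip(".")


def naive_in_zone(qname, zone):
    """The common mistake: a bare suffix test also accepts 'evilexample.com' for zone 'example.com'."""
    return _normalize(qname).endswith(_normalize(zone))


def in_zone(qname, zone):
    """True if qname equals zone or is a subdomain of it, matching only on label boundaries."""
    qname, zone = _normalize(qname), _normalize(zone)
    return qname == zone or qname.endswith("." + zone)


def txt_policy_decision(qname, qtype, trusted_zones=TRUSTED_TXT_ZONES):
    """Return 'allow' or 'block'. Only TXT queries are subject to the policy;
    every other record type is left to the resolver's normal handling."""
    if qtype.upper() != "TXT":
        return "allow"
    if any(in_zone(qname, zone) for zone in trusted_zones):
        return "allow"
    return "block"


def evaluate_queries(queries, trusted_zones=TRUSTED_TXT_ZONES):
    """Apply the policy to (qname, qtype) pairs; returns (qname, qtype, decision) triples."""
    return [(q, t, txt_policy_decision(q, t, trusted_zones)) for q, t in queries]


# Constructed sample of queries as an on-premises resolver might see them.
SAMPLE_QUERIES = [
    ("example.com", "TXT"),
    ("_dmarc.example.com", "TXT"),
    ("evilexample.com", "TXT"),
    ("0.p.untrusted.test", "TXT"),
    ("0.p.untrusted.test", "A"),
]

if __name__ == "__main__":
    for qname, qtype, decision in evaluate_queries(SAMPLE_QUERIES):
        print(f"{decision:5s} {qtype:3s} {qname}")
```

The label-boundary check is the part worth copying: a plain suffix comparison would let any name that merely ends in the characters of a trusted zone through the exemption. The report's caution about public resolvers applies unchanged; a policy like this belongs on an on-premises resolver whose clients and trusted zones are known.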
About ADAMnetworks
ADAMnetworks specializes in Zero Trust Connectivity solutions to ensure the highest level of security. Our core offerings include a Default Deny-All security platform that utilizes AI-driven dynamic allowlisting and our patented egress control technology to proactively defend against cyber threats. To learn more about our platform, visit https://adamnet.works/
View source version on businesswire.com: https://www.businesswire.com/news/home/20250909723049/en/
Contacts
Media Contact
Francois Driessen
COO | CMO, Co-Founder, ADAMnetworks
francois@adamnet.works