
AI-Powered Malware Hides in DNS Attacks

DNS is the New Hiding Place for Malware: Why Encryption is Making Things Worse

Over 90% of global internet traffic relies on the Domain Name System (DNS) – yet, for years, it’s been largely overlooked as a significant security risk. That’s changing. Recent discoveries reveal attackers are now actively exploiting DNS, embedding malicious code directly within its records, effectively bypassing traditional security measures. This isn’t just a theoretical threat; it’s a rapidly evolving tactic, and the increasing adoption of DNS encryption is, paradoxically, making it easier for attackers to hide in plain sight.

The Stealthy Power of TXT Records

Researchers at DomainTools stumbled upon this new attack vector while investigating reports of images hidden within DNS records. Their focus shifted to TXT records – often used for domain verification – and what they found was alarming. These records, designed to store arbitrary text, proved surprisingly adept at concealing malware. By converting executable binaries into hexadecimal strings, attackers can encode entire malicious programs within seemingly innocuous DNS entries.

The team discovered hundreds of subdomains participating in a scheme to distribute a prank malware called Joke Screenmate. The malicious binary was broken into fragments, each hidden within a different subdomain’s TXT record. Crucially, the attackers leveraged generative AI to automate the creation of a script capable of reassembling these fragments, demonstrating a sophisticated and efficient attack chain.
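As an added example (not code from the article or from DomainTools), the following Python script shows how a defender could scan passive-DNS or resolver-log TXT records for the fragmentation pattern described above: long, purely hexadecimal values spread across sibling subdomains, with an extra check for a PE (MZ) header at the start of a fragment. The domain names and record values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample TXT records (hypothetical zone, not taken from the article).
# The first two and the last are benign, everyday TXT uses; the three "frag"
# subdomains mimic a binary split into hex-encoded chunks.
SAMPLE_TXT_RECORDS = [
    ("_dmarc.example.test", "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"),
    ("example.test", "v=spf1 include:_spf.example.test -all"),
    ("0.frag.example.test", "4d5a90000300000004000000ffff0000b8000000000000004000000000000000"),
    ("1.frag.example.test", "00" * 32),
    ("2.frag.example.test", "0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f"),
    ("verify.example.test", "google-site-verification=abc123"),
]

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
MIN_HEX_LEN = 32          # shorter hex strings (tokens, hashes) are common and benign
MZ_HEADER = "4d5a"        # "MZ", the first two bytes of a Windows executable

def looks_like_hex_fragment(txt):
    """True if a TXT value is nothing but a long run of hex digits."""
    return len(txt) >= MIN_HEX_LEN and bool(HEX_RE.match(txt))

def parent_of(name):
    """Heuristic grouping key: strip the leftmost label (0.frag.x -> frag.x)."""
    return name.split(".", 1)[1] if "." in name else name

def find_fragment_clusters(records, min_fragments=2):
    """Group hex-only TXT records by parent name; keep parents with several."""
    clusters = defaultdict(list)
    for name, txt in records:
        if looks_like_hex_fragment(txt):
            clusters[parent_of(name)].append((name, txt))
    return {p: frags for p, frags in clusters.items() if len(frags) >= min_fragments}

def carries_pe_header(fragments):
    """True if any fragment begins with the MZ header of a PE file."""
    return any(txt.lower().startswith(MZ_HEADER) for _, txt in fragments)

def analyse(records):
    """Return one finding per suspicious cluster, suitable for alerting."""
    findings = []
    for parent, frags in find_fragment_clusters(records).items():
        findings.append({
            "zone": parent,
            "fragments": len(frags),
            "hex_bytes": sum(len(t) // 2 for _, t in frags),
            "pe_header": carries_pe_header(frags),
        })
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_TXT_RECORDS):
        print(finding)
```

The same grouping logic applies to resolver query logs where the record payload is visible; it is exactly this visibility that DoH and DoT remove unless resolution is done in-network.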

Beyond Pranks: The Covenant Connection

The threat extends beyond simple pranks. DomainTools also uncovered an encoded PowerShell script embedded within DNS records, connecting to a command-and-control server associated with the Covenant framework. Covenant is a legitimate post-exploitation toolkit, but in the wrong hands, it becomes a powerful tool for attackers to gain control of compromised systems and deploy further payloads. This suggests a potential for far more damaging attacks than initially apparent.

Encryption: A Double-Edged Sword

The rise of DNS encryption protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) is intended to enhance privacy and security. However, as DomainTools engineer Ian Campbell points out, these technologies also create a blind spot for security teams. “Unless you’re one of those firms doing your own in-network DNS resolution, you can’t even tell what the request is, no less whether it’s normal or suspicious,” he stated. Essentially, encryption shields malicious DNS traffic from inspection, allowing attackers to smuggle payloads undetected.

The Implications of Encrypted DNS

This creates a significant challenge for network defenders. Traditional security tools rely on inspecting DNS traffic for anomalies. With encryption, that visibility is lost. This isn’t to say DoH and DoT are inherently bad – they offer legitimate privacy benefits – but organizations must understand the trade-offs and adapt their security strategies accordingly. The shift towards encrypted DNS is accelerating, meaning this blind spot will only grow wider.

Future Trends: AI-Powered Malware and DNS Fragmentation

The use of generative AI in the DomainTools discovery is a harbinger of things to come. Expect to see attackers increasingly leveraging AI to automate malware creation, obfuscation, and distribution. The fragmentation technique – breaking malware into small pieces and hiding them across multiple DNS subdomains – is also likely to become more common, making detection even more difficult. Furthermore, attackers may explore other DNS record types beyond TXT records to further conceal their activities.

We’re also likely to see a rise in “DNS tunneling” – using DNS queries to exfiltrate data or establish covert communication channels. This technique, while not new, becomes more attractive as DNS traffic is increasingly encrypted and less scrutinized. The very foundation of how we navigate the internet is becoming a battleground for cybercriminals.

The evolving threat landscape demands a proactive approach. Organizations need to invest in advanced DNS monitoring solutions capable of analyzing traffic patterns and identifying anomalies, even within encrypted connections. Zero-trust network architectures, which assume no user or device is trustworthy by default, can also help mitigate the risk. The days of relying solely on traditional security perimeter defenses are over.

What steps is your organization taking to address the growing threat of DNS-based attacks? Share your insights and concerns in the comments below!
