This is somewhat of an advanced topic for a first post, but it is something I dealt with recently and it is relevant at any level of cybersecurity. It is also something I struggled with immensely, despite its apparent simplicity.
This post covers the method for configuring DNS so that requests for a subdomain are forwarded to a server you control, allowing you to see the name that was requested by some other machine. This allows data to be hidden in the host section of the name instead of an actual hostname. This is useful for exfiltrating data from an environment, because DNS is very often permitted outbound even under very strict security rules.
This post will not cover the step of setting up your cloud VPS (virtual private server); that generally can be done in a couple of clicks on your cloud provider of choice and is well documented elsewhere.
You will also need a domain name purchased from a name registrar to work with. I used Namecheap.
First things first. You have a server. It doesn’t matter what is on it, but we want the internet to be able to find it. So first we need to associate a name with the IP address of that server.
Go to your dashboard in Namecheap and click on manage next to the domain name you want to use.
Click on Advanced DNS, then add the following A record. In this example, ns is the hostname (the name of one specific server or resource with an IP) followed by the rest of the domain name: ns.potato.monster. Under the “value” field, set the IP address of your VPS.
Next, we want to configure an NS record. For our purposes, we care about two fields in the NS record. The host field specifies a subdomain that is to have its DNS resolution handled by the server specified in the “value” field. In the value field, put the name of your DNS server, in my case ns.potato.monster.
In the “host” field, you can put whatever subdomain you want. For example, if I put “fried”, any DNS request headed for a host in fried.potato.monster will be referred to ns.potato.monster. So if you try to ping tasty.fried.potato.monster, Namecheap’s DNS server will hand off the request to ns.potato.monster to figure out.
That should be all the DNS setup necessary. Now I will SSH into my server and listen on port 53 using tcpdump. We specify -X to get a hex and ASCII dump of the data contained in the packets we pick up.
sudo tcpdump -X 'udp dst port 53'
With the listener up, I will try pinging knockknock.fried.potato.monster and see if we get anything.
You should see a DNS request arrive (the ping itself will fail to resolve, because you are running tcpdump, not an actual DNS server). If not, check your firewall, recheck your DNS records and allow some time for the new records to propagate, and see if you can ping your nameserver directly.
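From the defender’s side, the same tcpdump output can be screened for query names under the delegated zone that carry data rather than hostnames, which is exactly what this setup produces. The following is an added example, not code from the original post: it assumes constructed tcpdump-style lines, the fried.potato.monster delegation described above, and length and entropy thresholds that are assumptions to be tuned.

```python
import math
import re
from collections import Counter

# Constructed sample in the shape tcpdump prints DNS queries; made up for this
# example, not captured traffic.
SAMPLE_LOG = """\
10:01:02.1 IP 10.0.0.5.51234 > 203.0.113.10.53: 4123+ A? knockknock.fried.potato.monster. (49)
10:01:05.2 IP 10.0.0.5.51235 > 203.0.113.10.53: 4124+ A? www.potato.monster. (36)
10:01:09.3 IP 10.0.0.7.40001 > 203.0.113.10.53: 9001+ TXT? mfrggzdfmztwq2lknnwg23tpobyxe43uonuxi3df.c2.fried.potato.monster. (82)
"""

QUERY_RE = re.compile(r" [A-Z]+\? (\S+) \(\d+\)")
MAX_PAYLOAD_LEN = 32      # assumed threshold: tune to the zone's real hostnames
MAX_LABEL_ENTROPY = 3.5   # assumed threshold in bits/char; encoded data runs higher


def query_names(log_text):
    """Pull the queried name out of each tcpdump line, minus the trailing dot."""
    return [m.group(1).rstrip(".").lower()
            for line in log_text.splitlines() if (m := QUERY_RE.search(line))]


def shannon_entropy(label):
    """Bits per character of one label; hostnames score low, encoded data high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def score_query(name, zone):
    """Look only at the part below the delegated zone, where data would ride."""
    zone = zone.strip(".").lower()
    if not name.endswith("." + zone):
        return {"in_zone": False, "suspicious": False}
    payload = name[: -len(zone) - 1]          # e.g. "knockknock" or "<data>.c2"
    labels = payload.split(".")
    entropy = max(shannon_entropy(lab) for lab in labels)
    return {"in_zone": True, "payload_len": len(payload), "labels": len(labels),
            "max_label_entropy": round(entropy, 2),
            "suspicious": len(payload) > MAX_PAYLOAD_LEN or entropy > MAX_LABEL_ENTROPY}


def find_suspicious(log_text, zone):
    """Names under the zone that look like carried data rather than hostnames."""
    return [n for n in query_names(log_text) if score_query(n, zone)["suspicious"]]


if __name__ == "__main__":
    for n in query_names(SAMPLE_LOG):
        print(n, score_query(n, "fried.potato.monster"))
```

The same scoring can be fed from a resolver’s query log instead of tcpdump; only query_names needs to change.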
In the future, we will explore some concrete uses of this configuration to actually exfiltrate data. Something I have wanted to test is the tool called Iodine, which lets you browse the web using only the data carried in the subdomain part of the DNS query.
We can also look at setting up a DNS server for the root of your domain, instead of a subdomain like