The Joy of TXT
• 10 min read
TXT records are perhaps the most flexible type of DNS records available - but have you ever wondered how they’re really used? To see if we can answer this, the TXT records of 1 million domains are examined to see if there’s any rhyme or reason as to how people employ this quirky, open-ended record …
“One more use for TXT records: exfiltrate/infiltrate data using DNS servers. TXT records depend on the TCP protocol, so all DNS implementations must open the firewall TCP 53 port in order for TXT records to work properly. Since TCP is a connection-oriented protocol with bigger payloads, TXT records can be used to exfiltrate data from the internal networks to the outside or to receive new malware instructions or even to receive the ransomware keys the attackers use to lock the files in a computer or server. I like this reading!”
Hey Francisco. Yes, this is absolutely a common use - I think this may be what a lot of the fixed-length records are used for, although it's hard to tell. They're seemingly "random" characters, but probably some sort of base64-encoded text when properly reconstructed together. For some more unusual uses of DNS, you might like my presentation on "Bizarre and Unusual Uses of DNS": https://www.youtube.com/watch?v=1uNxHVXBQb4 (It's quite long - but there's a 10-minute version of this I did at FOSDEM here: https://fosdem.org/2023/schedule/event/dns_bizarre_and_unusual_uses_of_dns/)
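The exchange above talks about TXT records carrying chunks of seemingly random, base64-looking data. From the monitoring side, the practical question is how to spot that pattern in resolver logs. The following is an added example (written for this page, not code from the article or its author): it scans constructed resolver log lines for TXT queries whose leftmost label is long, base64-like and high-entropy, for unusually large TXT answers, and for a burst of such queries from one client to one zone. The log format, the thresholds and the two-label "zone" guess are assumptions for the example; tune them against your own baseline, and make sure the collector sees UDP as well as TCP port 53, since TXT answers that fit in the message are served over UDP and only fall back to TCP when truncated.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines for this example (not taken from the article).
# Assumed format: timestamp client qname qtype answer_bytes
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 example.com TXT 92
2024-01-01T10:00:02Z 10.0.0.5 _dmarc.example.com TXT 71
2024-01-01T10:00:03Z 10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcw.tunnel.example.net TXT 480
2024-01-01T10:00:04Z 10.0.0.7 dGhlIHNlY3JldCBkYXRhIGZvcg.tunnel.example.net TXT 480
2024-01-01T10:00:05Z 10.0.0.7 ZXhmaWx0cmF0aW9uIHRlc3Q0NQ.tunnel.example.net TXT 480
2024-01-01T10:00:06Z 10.0.0.9 www.example.com A 60
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
# Base64 / base64url alphabet: encoded chunks stuffed into a label look like this.
B64ISH_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")

# Heuristic thresholds (assumptions for this example; tune against your own traffic).
MIN_LABEL_LEN = 20
ENTROPY_THRESHOLD = 3.5
LARGE_ANSWER_BYTES = 300
BURST_THRESHOLD = 3


def shannon_entropy(s: str) -> float:
    """Bits per character of s; ordinary hostnames sit well below base64 chunks."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype, size = m.groups()
    # Case is kept deliberately: in an encoded payload it carries information.
    return {"ts": ts, "client": client, "qname": qname.rstrip("."),
            "qtype": qtype.upper(), "answer_bytes": int(size)}


def flag_query(rec) -> list:
    """Return the reasons a single TXT query looks like data encoded into DNS."""
    flags = []
    if rec["qtype"] != "TXT":
        return flags
    label = rec["qname"].split(".")[0]
    if (len(label) >= MIN_LABEL_LEN and B64ISH_RE.match(label)
            and shannon_entropy(label) > ENTROPY_THRESHOLD):
        flags.append("high-entropy-label")
    if rec["answer_bytes"] > LARGE_ANSWER_BYTES:
        flags.append("large-txt-answer")
    return flags


def zone_of(qname: str) -> str:
    """Crude registrable-zone guess: the last two labels (a public-suffix list is better)."""
    return ".".join(qname.split(".")[-2:])


def analyse(log_text: str):
    """Return (per-query findings, {(zone, client): count} for bursts of flagged TXT queries)."""
    findings = []
    per_zone_client = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flags = flag_query(rec)
        if flags:
            findings.append({"client": rec["client"], "qname": rec["qname"], "flags": flags})
            per_zone_client[(zone_of(rec["qname"]), rec["client"])] += 1
    bursts = {key: n for key, n in per_zone_client.items() if n >= BURST_THRESHOLD}
    return findings, bursts


if __name__ == "__main__":
    hits, bursts = analyse(SAMPLE_LOG)
    for h in hits:
        print(h["client"], h["qname"], ",".join(h["flags"]))
    for (zone, client), n in bursts.items():
        print(f"burst: {n} flagged TXT queries from {client} to {zone}")
```

On the sample input the three chunked queries to tunnel.example.net are flagged on both label entropy and answer size, and together they trip the burst rule for that client and zone; the legitimate `_dmarc` and apex TXT lookups pass untouched. Entropy alone will also catch hashed or random hostnames from CDNs, so in production the burst count and an allow-list of known zones do most of the work of keeping the alert rate sane.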