Authors

Peter Lowe

Based in UK

Articles: 1

Likes on articles: 44

About the author

Peter Lowe is the FIRST DNS Abuse Ambassador and co-chair of the DNS Abuse SIG. He has worked in or around internet protocols since joining the second internet cafe in the UK in 1995, co-hosts the Not So Critical Update podcast, and maintains one of the popular blocklists used by ad blockers and tracking prevention software. He likes travel and finding new ways to use things in ways they weren't originally intended.

Links & Social

Email: pgl@yoyo.org

Website: https://pgl.yoyo.org/

• Reply to Francisco Osornio on The Joy of TXT by Peter Lowe

“One more use for TXT records: exfiltrate/infiltrate data using DNS servers. TXT records depend on the TCP protocol, so all DNS implementations must open the firewall TCP 53 port in order for TXT records to work properly. Since TCP is a connection-oriented protocol with bigger payloads, TXT records can be used to exfiltrate data from the internal networks to the outside or to receive new malware instructions or even to receive the ransomware keys the attackers use to lock the files in a computer or server. I like this reading!”

Hey Francisco. Yes, this is absolutely a common use - I think this may be what a lot of the fixed-length records are used for, although it's hard to tell. They're seemingly "random" characters, but probably some sort of base64-encoded text when properly reconstructed together. For some more unusual uses of DNS, you might like my presentation on "Bizarre and Unusual Uses of DNS": https://www.youtube.com/watch?v=1uNxHVXBQb4 (It's quite long - but there's a 10-minute version of this I did at FOSDEM here: https://fosdem.org/2023/schedule/event/dns_bizarre_and_unusual_uses_of_dns/)
