How to Detect Malware C2 with DNS Status Codes


DNS (Domain Name System) status codes, also known as DNS response codes or DNS error codes, are numerical codes that indicate the outcome of a DNS query. When a device, such as a web browser, tries to access a domain name (like, it sends a DNS query to a DNS server, and the server responds with a status code to indicate the result of the query.

Detecting malware command and control (C2) activity through DNS status codes involves monitoring DNS traffic for abnormal patterns and understanding the typical behavior associated with C2 communication.

DNS-specific status codes are often encountered when dealing with DNS queries and responses:

  1. DNS Response Code 0: No Error (NOERROR)
    • Indicates that the query was successful, and the requested data is in the answer section of the response.
  2. DNS Response Code 3: Name Error (NXDOMAIN)
    • Indicates that the domain name does not exist.
  3. DNS Response Code 5: Refused
    • Indicates that the DNS server refused to process the query.
  4. DNS Response Code 9: Server Failure (SERVFAIL)
    • Indicates a general failure in the DNS server.

Also Read: Threat Hunting using DNS logs – Soc Incident Response Procedure

DNS Response Code 0: No Error (NOERROR)

DNS Response Code 0, which corresponds to “No Error” (NOERROR), indicates that the DNS query was successful, and there is no error in the response. This response code is typically associated with a successful resolution of a domain name to an IP address.

However, in the context of malware, attackers may abuse the DNS system for malicious purposes. One example is the use of Domain Generation Algorithms (DGAs) by certain types of malware. DGAs are algorithms employed by malware to generate a large number of domain names dynamically. This can be used to establish communication with command and control servers, making it more challenging for security measures to block or track malicious activities.

Here’s a simplified example:

  1. Malware contacts a C&C server:
    • The malware generates a domain name using its DGA algorithm.
    • It queries the DNS to resolve this dynamically generated domain.
  2. DNS Response Code 0 (NOERROR):
    • If the DNS query is successful and the domain exists, the DNS server responds with the IP address associated with the generated domain.
  3. Malicious activity proceeds:
    • The malware establishes communication with the command and control server using the resolved IP address.

In this scenario, the DNS response code 0 (NOERROR) itself is not malicious; it just indicates a successful DNS resolution. However, the malicious activity is happening at a higher level, where the resolved domain is being used for unauthorized or malicious purposes.

To protect against such threats, security measures often involve monitoring DNS traffic for unusual patterns, detecting DGAs, and blocking or flagging suspicious domains. Security solutions may use heuristics, behavior analysis, and threat intelligence to identify and mitigate potential threats associated with DNS activities.

Also Read: Soc Interview Questions and Answers – CYBER SECURITY ANALYST

DNS Response Code 3: Name Error (NXDOMAIN)

DNS Response Code 3, which corresponds to “Name Error” (NXDOMAIN), indicates that the domain name queried does not exist. This response is a standard part of DNS and is not inherently malicious. However, in the context of malware, attackers may exploit the NXDOMAIN response to implement techniques such as DNS tunneling.

DNS Tunneling: One way malware can use NXDOMAIN responses is through DNS tunneling, a technique that allows communication between an infected system and a remote server by encoding data within DNS queries and responses. Here’s a simplified example:

  1. Malware sends data:
    • The malware encodes data into subdomains or labels of a non-existent domain.
    • It queries the DNS server for the non-existent domain.
  2. DNS Response Code 3 (NXDOMAIN):
    • The DNS server responds with an NXDOMAIN error because the queried domain does not exist.
  3. Data extraction:
    • The attacker controls a DNS server capable of decoding the data from the subdomains or labels of the non-existent domain.
  4. Malicious activity proceeds:
    • The malware establishes communication and transfers data with the remote server using DNS queries and responses.

In this scenario, the NXDOMAIN response is being abused to facilitate covert communication between the malware-infected system and the attacker’s server. Security measures often include monitoring DNS traffic for patterns associated with tunneling activities and implementing DNS filtering to block suspicious or malicious domains.

To defend against DNS tunneling and similar threats, security solutions may employ techniques such as anomaly detection, pattern analysis, and heuristics to identify unusual DNS behavior indicative of malicious activity. Additionally, DNS filtering and threat intelligence can help block access to known malicious domains.

DNS Response Code 5: Refused

DNS Response Code 5, which corresponds to “Refused,” indicates that the DNS server refuses to process the query. This response is typically legitimate and used by DNS servers to deny a request for various reasons, such as security policies, rate limiting, or misconfiguration. However, in the context of malware, attackers may exploit the “Refused” response to implement certain evasion techniques.

Here’s a simplified example of how malware might leverage a DNS Response Code 5:

  1. Malware sends a DNS query:
    • The malware queries a specific domain that may be associated with command and control servers or other malicious activities.
  2. DNS Response Code 5 (Refused):
    • The DNS server refuses to process the query, either because it recognizes the domain as malicious or due to security policies.
  3. Dynamic Domain Generation:
    • Malware may use dynamic domain generation algorithms (DGAs) to generate new domain names on the fly.
    • It continues to query for different domains until it finds one that is not refused by the DNS server.
  4. Malicious activity proceeds:
    • Once the malware finds a domain that is not refused, it may establish communication with a command and control server or carry out other malicious activities.

In this scenario, the “Refused” response is part of the DNS server’s defense mechanism, attempting to block access to known malicious domains. However, the malware may adapt by using DGAs to generate new, unpredictable domains until it finds one that is not refused.

To counter such threats, security measures often involve:

  • DNS Filtering: Blocking known malicious domains and filtering DNS requests based on threat intelligence.
  • Behavioral Analysis: Monitoring DNS traffic for patterns indicative of malicious activity, such as rapid, sequential queries.
  • Dynamic Threat Intelligence: Updating security measures with the latest threat intelligence to recognize and block emerging threats.

By combining these techniques, organizations can enhance their ability to detect and prevent malware that attempts to exploit DNS Response Code 5 and similar evasion tactics.

DNS Response Code 9: Server Failure (SERVFAIL)

DNS Response Code 9, also known as “Server Failure” (SERVFAIL), indicates that the DNS server encountered an internal error while processing the query. This response suggests that the DNS server is unable to fulfill the request due to an issue on the server side. While SERVFAIL is not inherently malicious, it can be leveraged by attackers to disrupt or complicate DNS-related activities.

Here’s a hypothetical example of how malware might exploit a DNS Response Code 9:

  1. Malware Initialization:
    • The malware is installed on a compromised system and attempts to establish communication with its command and control (C&C) server.
  2. DNS Query with Known Malicious Domain:
    • The malware generates a DNS query for a domain associated with its C&C server.
  3. DNS Response Code 9 (Server Failure):
    • The DNS server encounters an internal error while processing the query and responds with SERVFAIL.
  4. Adaptive Behavior:
    • The malware, designed to be resilient, interprets the server failure as a potential disruption or security measure.
    • It may dynamically adjust its tactics, such as employing different communication channels or modifying the timing of its activities.
  5. Alternate Communication Method:
    • The malware switches to an alternative communication method, such as using a different protocol or leveraging a backup C&C server with a different domain.
  6. Malicious Activity Continues:
    • The malware successfully establishes communication through an alternate method, allowing it to receive commands or exfiltrate data.

In this scenario, the malware responds to a DNS server failure by adapting its communication strategy to ensure persistence and avoid disruption. The specific actions taken by the malware would depend on its design and capabilities.

To defend against such threats, organizations need a comprehensive security strategy, including:

  • DNS Monitoring and Analysis: Continuously monitor DNS traffic for unusual patterns or unexpected errors.
  • Behavioral Analysis: Look for deviations in behavior that may indicate adaptive measures by malware.
  • Security Policies: Implement and enforce security policies to mitigate the impact of internal DNS server errors.
  • Threat Intelligence: Stay informed about emerging threats and tactics used by malware to adapt defenses accordingly.

By combining these measures, organizations can enhance their ability to detect and mitigate malware that seeks to exploit DNS server failures as part of its evasion strategy.

Happy C2 hunting !!!

Previous articleWho Needs Your Information? The Motives of Cyberattacks
Next articleAI-Powered Slot Machines: Future of Gambling
Anusthika Jeyashankar
Ambitious Blue Teamer; Enthused Security Analyst


Please enter your comment!
Please enter your name here