title: DNS Server (T1583.002)
id: df00tech-t1583-002
status: experimental
description: "Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control. Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic. With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel. Real-world examples include Sea Turtle building adversary-in-the-middle DNS servers to capture credentials, Axiom acquiring dynamic DNS services for targeting operations, and HEXANE setting up custom DNS servers to send commands to compromised hosts via TXT records."
references:
  - https://attack.mitre.org/techniques/T1583/002/
  - https://df00tech.com/detections/T1583.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1583.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - VPN split-tunneling configurations where DNS queries are sent to remote-office DNS servers not yet in the authorized list — validate by correlating with VPN connection events
  - "Developer workstations running local DNS resolvers (dnsmasq, CoreDNS) for container or Kubernetes development — exclude by adding 127.0.0.53 and common container bridge IPs"
  - Endpoints connecting to guest Wi-Fi or non-corporate hotspots where DHCP assigns a third-party DNS server — correlate with network adapter SSID or location data
  - Security tools and vulnerability scanners performing DNS resolution against external resolvers for testing or enumeration purposes — allowlist by initiating process name and account
  - "Cloud-managed endpoints (MDM, Intune) that may temporarily receive DNS from cloud provider DHCP — add cloud provider DNS IPs (168.63.129.16 for Azure) to the authorized list"
level: high
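The falsepositives entries above describe how this rule is expected to be tuned once the detection logic is filled in: flag port-53 connections to resolvers outside an authorized list, then carve out the documented exclusions. The Python below is an added example, not the df00tech rule's own logic or its KQL/SPL query; it applies that tuning to constructed Sysmon Event ID 3 (network_connection) style records. Loopback stub resolvers, an assumed Docker bridge range (172.17.0.0/16), the Azure DNS address named in the falsepositives, and an allowlisted (process image, account) pair are excluded. Every IP, path and account name other than 168.63.129.16 is a constructed placeholder.

```python
"""Toy evaluator for the 'DNS to a non-authorized server' idea behind T1583.002.

Field names (Image, User, DestinationIp, DestinationPort, Protocol, Initiated)
follow the Sysmon network_connection schema. All sample values below are
constructed; 168.63.129.16 is the Azure DNS IP cited in the rule's falsepositives.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DnsPolicy:
    # Corporate resolvers endpoints are expected to use (constructed values)
    authorized: set = field(default_factory=lambda: {"10.0.0.53", "10.0.1.53"})
    # Loopback stub resolvers and cloud-provider DHCP DNS (Azure value from the rule)
    extra_allowed: set = field(
        default_factory=lambda: {"127.0.0.53", "127.0.0.1", "168.63.129.16"})
    # Container bridge ranges used by local dev resolvers (assumed Docker default)
    allowed_networks: list = field(
        default_factory=lambda: [ipaddress.ip_network("172.17.0.0/16")])
    # Scanner/tool allowlist keyed by lowercase (image path, account) - constructed
    allowed_processes: set = field(
        default_factory=lambda: {(r"c:\tools\scanner\scan.exe", "corp\\svc-scan")})


def is_allowed_destination(ip: str, policy: DnsPolicy) -> bool:
    """True if the destination is an authorized resolver or a documented exclusion."""
    if ip in policy.authorized or ip in policy.extra_allowed:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address is never treated as authorized
    return any(addr in net for net in policy.allowed_networks)


def is_unauthorized_dns(event: dict, policy: DnsPolicy) -> bool:
    """True for an outbound UDP/TCP port-53 connection to a resolver that is
    neither authorized nor covered by one of the falsepositives exclusions."""
    if not event.get("Initiated", True):          # inbound connections are out of scope
        return False
    if int(event.get("DestinationPort", 0)) != 53:
        return False
    if event.get("Protocol", "").lower() not in ("udp", "tcp"):
        return False
    key = (event.get("Image", "").lower(), event.get("User", "").lower())
    if key in policy.allowed_processes:           # allowlisted by process and account
        return False
    return not is_allowed_destination(event.get("DestinationIp", ""), policy)


def evaluate(events, policy: DnsPolicy) -> list:
    """Return the events that would raise this rule under the given policy."""
    return [e for e in events if is_unauthorized_dns(e, policy)]


# Constructed sample records; 203.0.113.10 is a documentation-range address.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\NETWORK SERVICE",
     "DestinationIp": "10.0.0.53", "DestinationPort": 53, "Protocol": "udp", "Initiated": True},
    {"Image": r"C:\Program Files\Docker\resources\com.docker.backend.exe", "User": r"CORP\dev1",
     "DestinationIp": "172.17.0.1", "DestinationPort": 53, "Protocol": "udp", "Initiated": True},
    {"Image": r"C:\Tools\Scanner\scan.exe", "User": r"CORP\svc-scan",
     "DestinationIp": "203.0.113.10", "DestinationPort": 53, "Protocol": "udp", "Initiated": True},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\jdoe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 53, "Protocol": "udp", "Initiated": True},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "User": r"CORP\jdoe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Protocol": "tcp", "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\NETWORK SERVICE",
     "DestinationIp": "168.63.129.16", "DestinationPort": 53, "Protocol": "udp", "Initiated": True},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS, DnsPolicy()):
        print(f"ALERT T1583.002: {hit['Image']} ({hit['User']}) -> "
              f"{hit['DestinationIp']}:{hit['DestinationPort']}/{hit['Protocol']}")
```

Only the PowerShell connection to 203.0.113.10 fires: the corporate resolver, the container bridge address, the allowlisted scanner account and the Azure DNS IP are all suppressed, and the port-443 connection never enters scope. Tighten the allowlist by widening the tuple (for example adding a parent process) rather than matching on image name alone, since a bare process-name exclusion is easy to spoof.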
