Throughout 2025 and into 2026, security researchers have documented a significant rise in attackers using DNS TXT records as a covert malware delivery and command-and-control (C2) channel. It’s a massive blind spot for most organizations.
How DNS Tunneling Works
The technique is straightforward:
- Attackers convert malware payloads into hexadecimal chunks.
- Each chunk is stored as a DNS TXT record on attacker-controlled subdomains (e.g., a.evil.com, b.evil.com).
- A small loader on the target machine queries these DNS records sequentially.
- The loader reassembles the chunks and executes the payload.
For C2 operations, the same technique works in reverse — the malware encodes stolen data into DNS queries, and receives commands via DNS responses.
The Numbers
- 7.6 million new threat-related domains discovered between August and November 2025 — a 20% increase over the prior quarter.
- 26% of detected DNS tunneling activity is Cobalt Strike, using hex-encoded queries and TXT record C2.
- 65% of unique threat domains are newly registered, suggesting widespread use of short-lived, algorithmically generated infrastructure.
Why Traditional Security Misses It
Firewalls, antivirus, and email gateways rarely inspect DNS traffic deeply. A DNS query to a7x9f2.evil.com looks like any other DNS request. The data is hidden in plain sight.
Defense Recommendations
- Deploy DNS-layer security — Use a DNS service that inspects query patterns and blocks suspicious domains.
- Monitor for anomalies — High volumes of TXT queries to a single domain, unusually long subdomain labels, or high entropy in domain names are red flags.
- Block known-bad domains — Threat intelligence feeds focused on DNS are essential.
- Log DNS queries — You can’t detect what you don’t see. A managed DNS provider can handle logging and alerting for you.
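As an added example (not code from the Infoblox report or the article it is summarized from), the following Python script applies the three red flags above to a constructed DNS query log: TXT-query volume per registered domain, unusually long subdomain labels, and high character entropy in the subdomain part. The log lines, thresholds and domain names are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log (not from the page), one "<client> <qtype> <qname>" per line.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT a.evil.com
10.0.0.5 TXT b.evil.com
10.0.0.5 TXT c.evil.com
10.0.0.5 TXT d.evil.com
10.0.0.7 TXT _dmarc.example.com
10.0.0.9 A 3f9a1c7e0b5d2486e7d0c4a2f1b69358.evil.com
10.0.0.9 A mail.example.com
"""

def shannon_entropy(s):
    """Bits per character; hex- or base32-encoded chunks score well above ordinary hostnames."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname):
    """Return (subdomain_labels, registered_domain); crude last-two-labels rule, a real deployment would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])

def analyze(log_text, txt_threshold=3, max_label_len=30, entropy_threshold=3.5):
    """Apply the three red flags from the text and return a list of (rule, detail) alerts."""
    alerts = []
    txt_per_domain = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip blank or malformed lines
        _client, qtype, qname = parts
        sub_labels, domain = split_name(qname)
        if qtype.upper() == "TXT":
            txt_per_domain[domain] += 1   # high TXT volume to one domain
        if any(len(label) > max_label_len for label in sub_labels):
            alerts.append(("long_label", qname))
        ent = shannon_entropy("".join(sub_labels))
        if ent >= entropy_threshold:
            alerts.append(("high_entropy", f"{qname} ({ent:.2f} bits/char)"))
    for domain, n in txt_per_domain.items():
        if n >= txt_threshold:
            alerts.append(("txt_volume", f"{domain}: {n} TXT queries"))
    return alerts
```

Running `analyze(SAMPLE_LOG)` on the constructed log flags the long, high-entropy label under evil.com and the burst of TXT queries to that domain, while the legitimate `_dmarc` TXT lookup stays quiet; tune the thresholds against your own baseline before alerting on them.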
Sources: Infoblox DNS Threat Report, Help Net Security