Hackers exploit a blind spot by hiding malware inside DNS records

Parkinsond
Thread author
Dec 6, 2023
Hackers are stashing malware in a place that’s largely out of the reach of most defenses—inside domain name system (DNS) records that map domain names to their corresponding numerical IP addresses.

The practice allows malicious scripts and early-stage malware to fetch binary files without having to download them from suspicious sites or attach them to emails, where they frequently get quarantined by antivirus software. That’s because traffic for DNS lookups often goes largely unmonitored by many security tools. Whereas web and email traffic is often closely scrutinized, DNS traffic largely represents a blind spot for such defenses.

An attacker who managed to get a toehold into a protected network could then retrieve each chunk using an innocuous-looking series of DNS requests, reassemble them, and then convert them back into binary format. The technique allows the malware to be retrieved through traffic that can be hard to closely monitor. As encrypted forms of IP lookups—known as DoH (DNS over HTTPS) and DoT (DNS over TLS)—gain adoption, the difficulty will likely grow.
 
Most security systems offer some sort of DNS protection. To host a malware script in the DNS system would require unusually long and random domains. If users/admins are blocking new domains (for example through ControlD, NextDNS or solutions for businesses), attackers will need to wait for these domains to gain the necessary reputation.

In addition, solutions such as AVG, Avast, NortonLifeLock Web Shield, Check Point AntiBot, McAfee GTI and so on look at the communication patterns. And last but not least, this requires malicious code already running to retrieve (load) the additional malicious code.

So the picture is not as apocalyptic as it looks; attackers have been doing it for years.
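An added example, not code from the article or from any poster in this thread. It shows the defender's side of the two posts above: the chunked TXT-record retrieval the article describes, and the "unusually long and random domains" and "communication patterns" that DNS-filtering and endpoint products can key on. It runs a heuristic over a constructed DNS query log and flags a client that issues a burst of TXT lookups against one zone with long, high-entropy prefixes. The log line format, the rule that a zone is the last three labels, the thresholds and the placeholder domains are all assumptions made for this example.

```python
"""Heuristic detector for chunked TXT-record retrieval in DNS query logs.

Added example (not code from the article or from anyone in this thread).
It looks for the pattern the thread describes from the defender's side:
one client issuing a burst of TXT lookups against the same zone, each with
a long, high-entropy prefix. Log format, zone boundary rule, thresholds
and the domains in the sample are all assumptions for this demo.
"""
import math
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line format: "<ISO-8601 UTC time> <client IP> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Tunable thresholds (assumed values, not from the article).
MIN_QUERIES = 5            # TXT lookups from one client to one zone ...
MIN_DISTINCT_PREFIXES = 5  # ... with at least this many distinct prefixes ...
MIN_PREFIX_LEN = 16        # ... whose prefixes are long ...
MIN_ENTROPY = 3.0          # ... and look encoded (bits per character) ...
WINDOW_SECONDS = 300       # ... within this time window.

# Constructed sample log: a normal client, one legitimate TXT lookup (DMARC),
# and a client pulling six encoded chunks under a placeholder zone.
SAMPLE_LOG = """\
2025-07-15T10:00:01Z 10.0.0.5 A www.example.com
2025-07-15T10:00:01Z 10.0.0.5 AAAA www.example.com
2025-07-15T10:00:03Z 10.0.0.7 TXT _dmarc.example.com
2025-07-15T10:00:05Z 10.0.0.5 TXT 00.3f9a1c7e5b2d8046fa9c3e1b7d5a2f64.cdn-sync.example.test
2025-07-15T10:00:06Z 10.0.0.5 TXT 01.8b4e2d9f1a7c3065eb9d2f4a1c8e7b53.cdn-sync.example.test
2025-07-15T10:00:07Z 10.0.0.5 TXT 02.c7d1e9a3f5b80462d3a9e7c1b5f2d864.cdn-sync.example.test
2025-07-15T10:00:08Z 10.0.0.5 TXT 03.5e2f8a4c1d9b7036ea4c8f2d1b9e3a75.cdn-sync.example.test
2025-07-15T10:00:09Z 10.0.0.5 TXT 04.9a3c7e1f5d2b8046fc1e9a3d7b5f2e18.cdn-sync.example.test
2025-07-15T10:00:10Z 10.0.0.5 TXT 05.d4b8f2a6e1c9073e5a2d8f4b6c1e9a37.cdn-sync.example.test
2025-07-15T10:00:12Z 10.0.0.5 A mail.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (prefix, zone).

    Assumption for this demo: the zone is the last three labels. A real
    deployment would use the public suffix list or its own zone inventory.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 3:
        return "", ".".join(labels)
    return ".".join(labels[:-3]), ".".join(labels[-3:])


def parse_log(text: str):
    """Return (time, client, qtype, prefix, zone) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        prefix, zone = split_name(qname)
        events.append((when, client, qtype.upper(), prefix, zone))
    return events


def find_chunked_txt_retrieval(text: str):
    """Return one finding per (client, zone) whose TXT traffic fits the pattern."""
    groups = defaultdict(list)
    for when, client, qtype, prefix, zone in parse_log(text):
        if qtype == "TXT":
            groups[(client, zone)].append((when, prefix))

    findings = []
    for (client, zone), rows in groups.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            # All TXT lookups from this client to this zone within the window.
            window = [p for t, p in rows[i:]
                      if (t - start).total_seconds() <= WINDOW_SECONDS]
            distinct = {p.replace(".", "") for p in window}
            if len(window) < MIN_QUERIES or len(distinct) < MIN_DISTINCT_PREFIXES:
                continue
            mean_len = sum(len(p) for p in distinct) / len(distinct)
            mean_ent = sum(shannon_entropy(p) for p in distinct) / len(distinct)
            if mean_len >= MIN_PREFIX_LEN and mean_ent >= MIN_ENTROPY:
                findings.append({
                    "client": client, "zone": zone, "queries": len(window),
                    "distinct_prefixes": len(distinct),
                    "mean_prefix_len": round(mean_len, 1),
                    "mean_entropy": round(mean_ent, 2),
                })
                break  # one finding per client/zone pair is enough
    return findings


if __name__ == "__main__":
    for f in find_chunked_txt_retrieval(SAMPLE_LOG):
        print(f"suspect chunked TXT retrieval: {f}")
```

The single `_dmarc.example.com` lookup is not flagged (one query, short prefix), while the six TXT lookups with 34-character hex-like prefixes under one zone from one client are. In practice the thresholds need tuning against your own baseline, the zone split should come from the public suffix list, and the same logic has to be applied at the resolver or on the endpoint once clients move to DoH/DoT, since the network itself no longer sees the query names.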
 
Thank you for your kind explanation.
I was just going to revert back from DoH to legacy DNS before reading.