CPE Webinar Replay

DNS Attack Demo


Watch our threat researcher, Masha Garmiza, stand up a real production DNS server on the Internet and show how she can use it to control a victim's machine and silently steal data using DNS queries alone.



About this webinar

DNS is an amazing channel for attackers. Port 53 is almost always wide open and DNS logs are extremely noisy and hard to analyze. APTs like OilRig have had a field day using DNS to silently control victim machines without being detected.

Let's ditch the slides and hop right into a live DNS server. We'll demo a few DNS-based attacks, crack open Wireshark to analyze the traffic, and discuss mitigation techniques and the DNS-based detections in Varonis.

Here's an overview of the attack:
  • Stand up a plain old DNS server
  • Register a domain name
  • Point our domain's DNS records to our (malicious) server
  • Infect a victim with a tiny piece of malware that connects to our DNS server
  • Issue commands from our DNS server back to the victim machine via DNS responses alone
  • Find a document to steal, chop it up, send it out via outbound DNS queries
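On the defensive side, the last step leaves a recognizable trace in resolver logs: many unique, long, random-looking subdomains under a single parent domain. The following is an added example, not code from the webinar or from Varonis; the `<client_ip> <query_name>` log format, the thresholds, and the `tunnel-demo.test` domain are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def split_name(qname):
    """Return (subdomain, parent). Parent is the last two labels, a
    simplification; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_domains(log_lines):
    """Group queried subdomains by parent domain and compute per-parent stats."""
    subs = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip lines that do not match the assumed format
        sub, parent = split_name(parts[1])
        if sub:
            subs[parent].add(sub)
    report = {}
    for parent, names in subs.items():
        joined = "".join(names).replace(".", "")
        report[parent] = {"unique": len(names),
                          "mean_len": sum(map(len, names)) / len(names),
                          "entropy": shannon_entropy(joined)}
    return report

def suspicious(report, min_unique=10, min_len=20, min_entropy=3.5):
    """Parents with many unique, long, high-entropy subdomains (assumed thresholds)."""
    return sorted(d for d, s in report.items()
                  if s["unique"] >= min_unique and s["mean_len"] >= min_len
                  and s["entropy"] >= min_entropy)

# Constructed sample log: a few ordinary lookups plus 20 queries whose
# 40-character hex labels stand in for encoded data chunks.
SAMPLE_LOG = ["10.0.0.5 www.example.com", "10.0.0.5 mail.example.com",
              "10.0.0.6 api.example.com", "10.0.0.7 cdn.example.net",
              "10.0.0.6 www.example.com"]
SAMPLE_LOG += [f"10.0.0.9 {hashlib.sha256(str(i).encode()).hexdigest()[:40]}.tunnel-demo.test"
               for i in range(20)]

if __name__ == "__main__":
    print(suspicious(score_domains(SAMPLE_LOG)))
```

Some legitimate services also generate many long subdomains, so flagged parents are candidates for review rather than confirmed tunnels.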
Masha Garmiza, Security Researcher, Varonis
David Gibson, CMO, Varonis
Rob Sobers, VP Marketing, Varonis

“The level of governance and insight provided by Varonis empowered our team to detect and respond to abnormalities as well as user activity and misconfigurations.”

Al Faella, CTO, Prospect Capital Management
