DNSStager – Hide Payload in Malicious DNS

DNSStager Create a malicious DNS server to hide and transfer your payload using DNS

What is DNSStager? 

DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS. This tool will create a malicious DNS server that handles DNS requests to your domain and return your payload as a response to specific record requests such as AAAA or TXT records after splitting it into chunks and encoding the payload using different algorithms.

DNSStager can generate a custom agent written in C or GoLang that will resolve a sequence of domains, retrieve the payload, decode it and finally inject it into the memory based on any technique you want.

You can edit the code of DNSStager agent as you wish, and build it using your own custom execution techniques.

The main goal of using DNSStager is to help red teamers/pentesters to deliver their payloads in stealthy channel using DNS.

How does it work?

Based on your DNS resolution option, DNSStager will split your payload into chunks and save each chunk of the payload as a response for a subdomain.

For example, if you choose IPV6 as your option to retrieve the payload, the DNS response will be something like:

cloud-srv-1.test.mydnsserver.live. 300 IN AAAA 5648:31d2:6548:8b52:6048:8b52:1848:8b52

Where 5648:31d2:6548:8b52:6048:8b52:1848:8b52 is a part of your payload.

So, the agent will resolve some domains to retrieve the payload and then decode it and finally inject it into memory.

Currently, DNSStager only supports two records, AAAA and TXT. You can encode your payload using XOR for the AAAA record and by default it will be encoded as base64 if you choose TXT record.

DNSStager - Create Malicious DNS and Inject with Exploit Code

DNSStager key features:

DNSStager has some key features such as:

  • Hide and Resolve your payload in IPV6 records.
  • Hide and Resolve your payload in TXT records.
  • XOR encoder to encode your payload.
  • Base64 encoder to encode your payload (only for TXT records).
  • Pure agent written in C with the ability to customise it.
  • Pure agent written in GoLang with the ability to customise it.
  • The ability to use sleep between each DNS request.


  • GoLang version 1.16.3 and to make sure to install the following packages:
    • golang.org/x/sys
    • github.com/miekg/dns
  • Ming-w64


To get the latest version of DNSStager, make sure to clone it from this repo using the following command:

git clone https://github.com/mhaskar/DNSStager

Then you need to install the requirements using the following command:

pip3 install -r requirements.txt

And make sure to install all the previously mentioned requirements too.

After doing all that, you are ready to execute DNSStager as root to get the following:

sudo ./dnsstager.py


To start using DNSStager, make sure to setup your DNS settings first, you need to make your domain points to the DNSStager instance as NS record in order to handle all the DNS requests to your domain.

You can read this full article about how to setup and use DNSStager.

DNSStager - Hide Exploit Payload in Malicious DNS

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

14 − 11 =