304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM

DNS Exfiltration with Dnsmasq; easy as 1, 2, 3!

I realized that I needed a server for DNS exfiltration, so I finally set one up.

For those of unfamiliar with the topic, DNS Exfiltration is handy for blind SQL injection, bypassing captive portals, and general network exfiltration.

DNS Record

First, I setup a name server for a subdomain on my host. This would allow my host to act as the authoritative name server for any requests to that subdomain. For example, in this case, would be resolved by

DNS Exfiltration - Nameserver

Dnsmasq Installation

Once I completed the record, and after it propagated out, I installed Dnsmasq on my public server.

[email protected]:~# apt-get install Dnsmasq

Dnsmasq Configuration

After I finished installing Dnsmasq, I configured it to listen on my public IP, and return that same IP for any queries made to the server. This configuration would allow me to make a request to my newly configured name server, and get back a proper IP address. Additionally, I configured logging so that I could actually get the data out.

[email protected]:~# tail -5 /etc/dnsmasq.conf



Finally, after I had everything setup and configured, it was time to test the server.

To do so, I pinged a fake subdomain, and got a proper response back.

DNS Exfiltration - Ping

Once I completed the ping, I checked the Dnsmasq logs to make sure that the server had logged the “data”.

[email protected]:~# tail -f /var/log/dnsmasq.log
Feb 28 20:24:39 dnsmasq[5606]: Ignoring query from non-local network
Feb 28 20:25:48 dnsmasq[5458]: no servers found in /var/run/dnsmasq/resolv.conf, will retry
Feb 28 20:25:48 dnsmasq[5458]: exiting on receipt of SIGTERM
Feb 28 20:25:49 dnsmasq[5744]: started, version 2.75 cachesize 150
Feb 28 20:25:49 dnsmasq[5744]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
Feb 28 20:25:49 dnsmasq[5744]: no servers found in /var/run/dnsmasq/resolv.conf, will retry
Feb 28 20:25:49 dnsmasq[5744]: read /etc/hosts - 8 addresses
Feb 28 20:25:49 dnsmasq[5744]: reading /var/run/dnsmasq/resolv.conf
Feb 28 20:25:49 dnsmasq[5744]: using nameserver
Feb 28 20:25:49 dnsmasq[5744]: using nameserver
Feb 28 20:27:40 dnsmasq[5744]: query[A] from
Feb 28 20:27:40 dnsmasq[5744]: config is


This was far easier to setup than I had previously imagined, and now I’m looking to take it even further.

Some of my next steps will be to add a service that will allow me to easily get out data. This will parse the log files, get the extracted data, and put them in a dashboard of sorts for me to easily access it.

Also, note that my original dnsmasq.conf file was slightly broken, and prevented my server from making any DNS requests of its own. I realized this once I was unable to hit any of my servers for an apt-get update/upgrade :P. The updated file (with DNS forwarding to non exfil related requests) is below.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.