DNS-DOH-C2Command and Control

DNS-over-HTTPS C2 Channel

Tunnel C2 over DoH to a CDN-fronted resolver — bypasses many egress filters that allow HTTPS to common hosts but not raw UDP/53.

§ Where this technique fits

DNS-DOH-C2 is catalogued under the Command and Control tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

DNS tunnel exfiltration in restricted egress
Outbound web is filtered, but DNS still resolves to the corporate forwarder. Use iodine / dnscat2 to tunnel a shell + exfil over DNS queries to an attacker-controlled authoritative server.
step 4 / 5

§ What commonly comes next

01
Exfiltration Over C2 Channel
T1041 · Exfiltration
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

DNS tunnel exfiltration in restricted egress

§ What commonly comes next