216.73.217.22

T1583.002: DNS Server

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:37 · Modified 27/03/2026 01:08

Essential information

MITRE technique ID
T1583.002
Confidence
100/100
Revoked
No
Published
16/12/2025 19:37
Modified
27/03/2026 01:08
Author / Source
The MITRE Corporation

Aliases

T1583.002

Platforms

PRE

Description

Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)

Kill chain phases

Kill chainPhase
mitre-attack resource-development

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.