Skip to content
Joe edited this page Jun 13, 2019 · 13 revisions


Use the following steps to configure a domain for DNS C2 (and DNS Canaries), you can use any DNS provider you wish as long as you setup the records correctly. I recommend setting a TTL of ~5 minutes for each record.

  1. Create an A record for your pointing at your Sliver server (or redirector) IP address.
  2. Create an A record for an ns1 subdomain (i.e. that points to your Sliver server (or redirector) IP address.
  3. Create an NS record with an arbitrary subdomain, for example 1 (i.e. which is managed by
  4. You can now use as your DNS C2 domain e.g. generate --dns

The final configuration should look like for the domain DNS Configuration

IMPORTANT: Remember to disable Cloudflare's "cloud" when configuring these records, and to adjust the TTLs.

DNS Canaries

DNS Canaries are unique per-binary domains that are optionally inserted during the string obfuscation process. These domains are not actually used by the implant code and are deliberately not obfuscated so that they show up if someone runs strings on the implant. If these domains are ever resolved (and you have a dns listener running) you'll get an alert telling which specific file was discovered by the blue team.

Example generate command with canaries, make sure to use the FQDN:

sliver > generate --http --canary

Make sure you have a DNS listener running, and to use the FQDN:

sliver > dns --domains

[*] Starting DNS listener with parent domain(s) [] ...
[*] Successfully started job #1

You can view previously generated canaries with the canaries command.

You can’t perform that action at this time.