MITRE ATT&CK Technique
Resource Development T1583.002
Description

Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)

Supported Platforms
PRE
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2020-10-01T00:40:45.279Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may set up their own Domain Name System (DNS) '
                'servers that can be used during targeting. During '
                'post-compromise activity, adversaries may utilize DNS traffic '
                'for various tasks, including for Command and Control (ex: '
                '[Application Layer '
                'Protocol](https://attack.mitre.org/techniques/T1071)). '
                'Instead of hijacking existing DNS servers, adversaries may '
                'opt to configure and run their own DNS servers in support of '
                'operations.\n'
                '\n'
                'By running their own DNS servers, adversaries can have more '
                'control over how they administer server-side DNS C2 traffic '
                '([DNS](https://attack.mitre.org/techniques/T1071/004)). With '
                'control over a DNS server, adversaries can configure DNS '
                'applications to provide conditional responses to malware and, '
                'generally, have more flexibility in the structure of the '
                'DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)',
 'external_references': [{'external_id': 'T1583.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1583/002'},
                         {'description': 'Hinchliffe, A. (2019, March 15). DNS '
                                         'Tunneling: how DNS can be (ab)used '
                                         'by malicious actors. Retrieved '
                                         'October 3, 2020.',
                          'source_name': 'Unit42 DNS Mar 2019',
                          'url': 'https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/'}],
 'id': 'attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'resource-development'}],
 'modified': '2025-10-24T17:48:27.611Z',
 'name': 'DNS Server',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['PRE'],
 'x_mitre_version': '1.0'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (3)
HEXANE
High
Sea Turtle
High
Axiom
High
Back to TTPs
Dashboard About