DNS Command & Control: Detecting Malware Traffic

Feb 22, 2026 • Channel

Video Overview

Video Details

Published: 3 months ago
Duration: 36:34
Video ID: 9b4EjMsB5bg
Language: en
Category: Science & Technology
Privacy: Public
Made for Kids: No
Video Type: Regular Video

Performance Metrics

Views: 7.9K
Likes: 456
Comments: 43
Engagement Rate: 6.29%
Likes per 100 views: 5.75
Comments per 1K views: 5.42

Description

Big thank you to Infoblox for sponsoring this video. For more information on Infoblox have a look at their website: https://www.infoblox.com/

// Get Wireshark Certified //
Check out the official training course
📘 GET TRAINING: https://courses.davidbombal.com/l/pdp/wireshark-certified-analyst-wca-the-complete-hands-on-course?coupon_code=WIRESHARKHACK
Use code "WiresharkHack" to get a $50 discount
🔗 Learn more: https://wireshark.org/certifications

In this deep dive, David Bombal is joined by Wireshark expert Chris Greer to strip down the most critical protocol on the internet: DNS. We move beyond the theory to show you exactly what DNS looks like "on the wire." Chris reveals why a staggering 92% of malware uses DNS for Command and Control (C2) and how you can use packet analysis to detect these breaches before they spread. We also debunk common myths about DNS only using UDP, explore the "Librarian" analogy for Root Servers, and walk through a live capture of a request to a real website.

What You Will Learn:
• Malware Detection: Why 92% of malware relies on DNS and how to spot C2 traffic.
• Packet Anatomy: A line-by-line breakdown of DNS headers, Transaction IDs, and Flags in Wireshark.
• The TCP Myth: Why blocking TCP port 53 on your firewall can break your network (and why DNS needs it).
• Troubleshooting: How to measure DNS latency (response time) to pinpoint slow network performance.
• Recursive Lookups: Understanding the chain from your PC to the Root Servers and back.

// Chris Greer’s SOCIAL //
YouTube: https://www.youtube.com/chrisgreer
Official WCA training: https://courses.davidbombal.com/l/pdp/wireshark-certified-analyst-wca-the-complete-hands-on-course?coupon_code=WIRESHARKHACK
Use code "WiresharkHack" to get a $50 discount
LinkedIn: https://www.linkedin.com/in/cgreer/
Website: https://packetpioneer.com/

// Download Wireshark pcaps from here //
https://github.com/packetpioneer/youtube/blob/main/dns_bombalbasic.pcapng
https://github.com/packetpioneer/youtube/blob/main/dns_bombalfulllookup.pcapng
https://www.wireshark.org/certifications/
https://packetschool.teachable.com/

// WCA Course REFERENCE //
Official WCA training: https://courses.davidbombal.com/l/pdp/wireshark-certified-analyst-wca-the-complete-hands-on-course?coupon_code=WIRESHARKHACK
Use code "WiresharkHack" to get a $50 discount

// Chris’ DNS Series on YouTube //
https://youtu.be/fRRR0sU0BnY

// Link to YouTube VIDEO: https://youtu.be/3FPaTvCJojQ

// David's SOCIAL //
Discord: https://discord.com/invite/usKSyzb
X: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/@davidbombal
Spotify: https://open.spotify.com/show/3f6k6gERfuriI96efWWLQQ
SoundCloud: https://soundcloud.com/davidbombal
Apple Podcast: https://podcasts.apple.com/us/podcast/david-bombal/id1466865532

// MY STUFF //
https://www.amazon.com/shop/davidbombal

// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: [email protected]

// MENU //
0:00 - Coming up
0:52 - More Wireshark! // It's always DNS
02:45 - Infoblox sponsored segment
03:37 - DNS basics in Wireshark // How DNS works
06:52 - Analysing the DNS packet capture
08:32 - Destination address explained
10:09 - Transaction ID explained
11:13 - Flags explained
13:26 - Questions, Answer RRs & Additional RRs explained
15:39 - Additional records explained
17:07 - Response walkthrough
19:24 - Real DNS packet capture walkthrough
21:17 - Quick Wireshark tip
22:32 - Walkthrough continued
25:55 - Going deeper // How DNS resolver works
32:41 - More on Chris Greer YouTube channel and more to come
35:36 - Conclusion

Please note that links listed may be affiliate links and provide me with a small percentage / kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!

Disclaimer: This video is for educational purposes only.

#dns #infoblox #wireshark
