DNS implant does not work

[thehackerish]

Describe the bug I run a dns implant on a windows box, but I don't see any DNS traffic using wireshark. I listened on different network interfaces and I see nothing. My DNS records are set up correctly and I can successfully see DNS requests coming to my redirector using dig.

To Reproduce Steps to reproduce the behavior:

1. generate a DNS implant generate beacon -n redirector.domain.com. -J 3 -S 5 -l
2. Run the generated exe on a windows x64 box
3. Inspect DNS queries in wireshark
4. You should see no DNS traffic

Expected behavior I should see DNS traffic in wireshark and logs on my DNS redirector.

Screenshots N/A.

Desktop (please complete the following information):

• OS: Sliver running on a Ubuntu 64bit, Implant runs on a Windows 10 x64
• Sliver Version: v1.5.21

Additional context N/A

[moloch--]

Please confirm you've configured your DNS records correctly: https://github.com/BishopFox/sliver/wiki/DNS-C2

[thehackerish]

Hi @moloch-- , I confirm that my DNS records are correctly configured, as explained in my original post. For more info, I have a NS record which I set to ns1.mydomain.com that points to update.mydomain.com, for which I also set up an A record pointing to my DNS redirector. The implant is configured to call back to update.mydomain.com. I successfully get a DNS call in my redirector logs when I use dig blah.update.mydomain.com, but nothing from the implant.

[moloch--]

Try building an implant with --debug it should provide useful output.

[thehackerish]

Hi @moloch-- thanks for the tip, Here is the screenshot of the implant.

It seems that it is trying to resolve the FQDN, which returns a timeout. I exited sliver, and used coredns to troubleshoot with dig. And I see traffic coming to the server, for anything under update.mydomain.com as seen in the screenshot below. However, running the implant doesn't generate any logs.