#551: DNS Command & Control: Detecting Malware Traffic

Feb 23, 2026

Chris Greer, Wireshark expert and packet analysis educator, walks through DNS traffic as seen on the wire. He explains why 92% of malware uses DNS for command and control. Short demos break down DNS packet anatomy, the TCP vs UDP debate, recursive lookups, and a live capture of a real site lookup.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Why DNS Is A Malware Superhighway

DNS is heavily leveraged by malware for command-and-control, with Infoblox reporting 92% of malware using DNS for C2.
Chris Greer highlights this as both a detection opportunity and a frequent cause of outages tied to breaches.

ADVICE

Inspect DNS Headers End To End

Capture DNS packets to inspect the IP, UDP, and DNS headers: check source/destination, client ephemeral port, and UDP port 53.
Chris inspects Ethernet/IP, UDP (8 bytes) and points out the client ephemeral port and UDP length.

ADVICE

Filter DNS Queries Fast In Wireshark

Use Wireshark to filter DNS queries by the query/response flag to view only client requests.
Chris drags the single-bit QR flag into the display filter to isolate queries quickly during packet analysis.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Big thank you to Infoblox for sponsoring this video. For more information on Infoblox have a look at their website: https://www.infoblox.com/ // Get Wireshark Certified // Check out the official training course 📘 GET TRAINING: https://courses.davidbombal.com/l/pdp... Use code "WiresharkHack" to get a $50 discount 🔗 Learn more: https://wireshark.org/certifications In this deep dive, David Bombal is joined by Wireshark expert Chris Greer to strip down the most critical protocol on the internet: DNS. We move beyond the theory to show you exactly what DNS looks like "on the wire." Chris reveals why a staggering 92% of malware uses DNS for Command and Control (C2) and how you can use packet analysis to detect these breaches before they spread. We also debunk common myths about DNS only using UDP, explore the "Librarian" analogy for Root Servers, and walk through a live capture of a request to a real website. What You Will Learn: •Malware Detection: Why 92% of malware relies on DNS and how to spot C2 traffic. • Packet Anatomy: A line-by-line breakdown of DNS headers, Transaction IDs, and Flags in Wireshark. • The TCP Myth: Why blocking TCP port 53 on your firewall can break yournetwork (and why DNS needs it). • Troubleshooting: How to measure DNS latency (response time) to pinpoint slow network performance. • Recursive Lookups: Understanding the chain from your PC to the Root Servers and back. // Chris Greer’s SOCIAL // YouTube: / chrisgreer Official WCA training: https://courses.davidbombal.com/l/pdp... Use code "WiresharkHack" to get a $50 discount LinkedIn: / cgreer Website: https://packetpioneer.com/ // Download Wireshark pcaps from here // https://github.com/packetpioneer/yout... https://github.com/packetpioneer/yout... https://www.wireshark.org/certificati... https://packetschool.teachable.com/ // WCA Course REFERENCE// Official WCA training: https://courses.davidbombal.com/l/pdp... Use code "WiresharkHack" to get a $50 discount // Chris’ DNS Series on YouTube ‘’ • Your First DNS Lookup—Captured and Explained // Link to YouTube VIDEO: • Video // David's SOCIAL // Discord: discord.com/invite/usKSyzb Twitter: www.twitter.com/davidbombal Instagram: www.instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: www.facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal YouTube: / @davidbombal Spotify: open.spotify.com/show/3f6k6gE... SoundCloud: / davidbombal Apple Podcast: podcasts.apple.com/us/podcast... // MY STUFF // https://www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com // MENU // 0:00 - Coming up 0:52 - More Wireshark! // It's always DNS 02:45 - Infoblox sponsored segment 03:37 - DNS basics in Wireshark // How DNS works 06:52 - Analysing the DNS packet capture 08:32 - Destination address explained 10:09 - Transaction ID explained 11:13 - Flags explained 13:26 - Questions, Answer RRs & Additional RRs explained 15:39 - Additional records explained 17:07 - Response walkthrough 19:24 - Real DNS packet capture walkthrough 21:17 - Quick Wireshark tip 22:32 - Walkthrough continued 25:55 - Going deeper // How DNS resolver works 32:41 - More on Chris Greer YouTube channel and more to come 35:36 - Conclusion Please note that links listed may be affiliate links and provide me with a small percentage /kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only. #dns #infoblox #wireshark