Intel Name: Tunneling-based scans for DNS resolvers
Date of Scan: April 24, 2025
Impact: High
Summary: Since January 2025, several domains have been observed engaging in scanning activity that leverages DNS tunneling techniques. These domains target DNS resolvers hosted on public IPv4 and IPv6 addresses. To evade source IP-based access controls, the attacker spoofs the source IP so that each query appears to come from an address adjacent to the destination. The domains’ nameservers are hosted on IPs 209.141.56[.]200 and 2605:6400:20:9d:2d8c:6f33:f4dbab02, and each queried FQDN encodes the target IP in hexadecimal format.
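
Detection example (added here, not part of the original report): the code below scans resolver query logs for names that hex-encode the address of the resolver receiving them, and notes whether the source address is adjacent to the destination. The record layout, the one-label-per-address encoding and the `example.test` names are assumptions; the report does not give the exact label format.

```python
import ipaddress
import re

# Assumption: the target IP appears as one whole label of 8 (IPv4) or
# 32 (IPv6) hex digits; the report does not give the exact label layout.
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{8}|[0-9a-f]{32})$")

def decode_hex_labels(qname):
    """Return every IP address encoded as a full hex label in qname."""
    found = []
    for label in qname.lower().rstrip(".").split("."):
        if HEX_LABEL.match(label):
            found.append(ipaddress.ip_address(bytes.fromhex(label)))
    return found

def is_adjacent(src, dst):
    """True when src and dst are the same IP version and differ by one."""
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return a.version == b.version and abs(int(a) - int(b)) == 1

def flag_queries(records):
    """Return findings for queries whose name encodes the resolver they hit."""
    findings = []
    for src, dst, qname in records:
        # A hex-looking label only counts when it decodes to the destination.
        if ipaddress.ip_address(dst) in decode_hex_labels(qname):
            findings.append({"src": src, "dst": dst, "qname": qname,
                             "adjacent_source": is_adjacent(src, dst)})
    return findings

# Constructed sample records: (source IP, resolver IP, query name).
SAMPLE = [
    ("192.0.2.54", "192.0.2.53", "c0000235.a1.scan.example.test."),
    ("198.51.100.7", "192.0.2.53", "www.example.test."),
    ("2001:db8::52", "2001:db8::53",
     "20010db8" + "0" * 22 + "53" + ".scan.example.test."),
    ("203.0.113.9", "192.0.2.53", "deadbeef.cdn.example.test."),
]

if __name__ == "__main__":
    for finding in flag_queries(SAMPLE):
        print(finding)
```

Requiring the decoded label to equal the resolver's own address keeps ordinary hex-looking labels, such as the last sample record, from being flagged.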