Threat actors may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, threat actors may use DNS traffic for various tasks, including Command and Control (e.g., Application Layer Protocol). Instead of hijacking existing DNS servers, threat actors may opt to configure and run their own DNS servers in support of operations.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.