A proof-of-concept keylogger that demonstrates DNS-based data exfiltration by encoding keystrokes into Base32 and transmitting them through DNS subdomains to a custom DNS server.
⚠️ Disclaimer: This project was created strictly for educational and research purposes. It demonstrates how data exfiltration can occur using DNS queries. Do not deploy or use this software on systems without explicit permission. Unauthorized monitoring of user input may be illegal in many jurisdictions.
This project demonstrates a proof-of-concept keylogger that exfiltrates captured keystrokes through DNS queries.
Instead of sending data via traditional HTTP requests or sockets, the captured keystrokes are:
- Collected locally by a Python keylogging script (logger.py)
- Encoded using Base32
- Sent as part of DNS subdomain queries
- Received by a custom DNS server using dnslib (server.py)
- Decoded and stored in a text file
The goal of this project is to demonstrate how covert data exfiltration channels can be implemented using DNS, which is often allowed through firewalls and security controls.
```
  ┌───────────────┐
  │  Victim Host  │
  │               │
  │   Keylogger   │
  │               │
  └───────┬───────┘
          │
          │  DNS Query
          ▼
encoded-data.domain.com
          │
          ▼
┌────────────────────┐
│ Custom DNS Server  │
│                    │
│ • Extract label    │
│ • Base32 decode    │
│ • Save keystrokes  │
└─────────┬──────────┘
          │
          ▼
      logs.txt
```
```
dns-keylogger/
│
├── logger.py
├── server.py
├── logs.txt
│
├── assets/
│   └── demo.gif
│
└── README.md
```
DNS labels have strict character limitations.
Allowed characters:
- a-z
- 0-9
Base32 ensures the encoded data remains DNS-safe.
Example:
hello -> NBSWY3DP
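A defender-side check for the encoding described above, as an added example that is not part of this project's code: it decodes the leftmost label of each queried name as Base32 and reports parent domains that receive several labels decoding to printable text. The query names, the `exfil.example` domain, the 8-character minimum and the `min_hits` threshold are assumptions made for the illustration.

```python
import base64
import re
from collections import defaultdict

# RFC 4648 Base32 alphabet. DNS names are case-insensitive and "=" is not a
# hostname character, so padding is assumed to be stripped by the sender.
# Assumption: labels shorter than 8 characters are too ambiguous to test.
B32_LABEL = re.compile(r"^[A-Za-z2-7]{8,63}$")  # 63 = max DNS label length

def decode_label(label):
    """Return the decoded bytes if label is well-formed Base32, else None."""
    if not B32_LABEL.match(label):
        return None
    padded = label.upper() + "=" * (-len(label) % 8)  # restore stripped padding
    try:
        return base64.b32decode(padded)
    except ValueError:  # length that no Base32 encoder can produce
        return None

def is_printable(data):
    """True if every byte is printable ASCII, tab, LF or CR."""
    return all(0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D) for b in data)

def triage(qnames, min_hits=2):
    """Map parent domain -> recovered text for parents that received at least
    min_hits distinct leftmost labels decoding to printable text.
    min_hits is an assumed threshold; tune it against your own baseline."""
    hits = defaultdict(dict)
    for qname in qnames:
        label, _, parent = qname.rstrip(".").partition(".")
        data = decode_label(label)
        if data and parent and is_printable(data):
            hits[parent.lower()][label.upper()] = data.decode("ascii")
    return {p: "".join(v.values()) for p, v in hits.items() if len(v) >= min_hits}

# Constructed sample query log (not captured traffic).
SAMPLE_QUERIES = [
    "www.example.com.",
    "download.example.com.",      # Base32 alphabet, but decodes to binary
    "NBSWY3DP.exfil.example.",    # "hello"
    "eb3w64tmmq.exfil.example.",  # " world", lower-cased on the way
    "NBSWY3DP.exfil.example.",    # retransmission of the first query
    "mail.example.org.",
]

if __name__ == "__main__":
    for parent, text in triage(SAMPLE_QUERIES).items():
        print(f"{parent}: {text!r}")
```

Printable-text matching only works while the payload is unencrypted, as in this proof of concept; once the labels carry ciphertext, the count of distinct Base32-shaped labels per parent domain is the signal that remains.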
- Data Chunking | split long messages into multiple DNS queries
- Encryption | encrypt keystrokes before encoding
- Session Tracking | track multiple clients
- Packet Camouflage | mix real DNS lookups with exfiltration traffic
