Every breach has a moment after the attacker gets in but before they do damage — when their malware quietly reaches back out to them for instructions. That conversation is called command-and-control (C2), and a surprising amount of it travels over the one protocol almost no SMB monitors: DNS.

What is command-and-control (C2)?

After malware lands on a machine, it rarely acts alone. It “phones home” to an attacker-controlled server to receive commands, download additional payloads, and exfiltrate data. That channel is C2. Detecting it is one of the highest-value things a defender can do, because it catches an intrusion in progress — after the initial foothold but before ransomware deploys.

And the window is real. Huntress measured an average time-to-ransom of ~17 hours from initial foothold, with about 18 malicious actions before encryption. C2 traffic is happening during those hours. The question is whether anyone is watching.

What is beaconing?

Malware doesn’t stay connected to its C2 server continuously; a long-lived connection would be obvious. Instead it beacons: it checks in on a regular interval (every 30 seconds, every 5 minutes, every hour), often with deliberate jitter so the timing looks less robotic. Each beacon is a small, repetitive callout. Jitter defeats a naive check for one exact interval, but the gaps between check-ins still cluster tightly around their mean, far more tightly than a person browsing. To a human it’s invisible; to the right detector, the rhythm itself is the giveaway.
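The statistical check described above, as an added example rather than Centeye’s own detection logic: group DNS queries by (client, registered domain), measure the gaps between consecutive lookups, and flag pairs whose gaps have a low coefficient of variation (standard deviation divided by mean). The log format, the hypothetical domain update-cdn.example, the thresholds, and the “last two labels” shortcut for the registered domain are assumptions made for this example; the sample log is constructed, not real telemetry.

```python
"""Beacon detection over DNS query logs (added example, not Centeye's code).

Assumptions (not from the page): each log record is (epoch_seconds, client_ip, qname),
the registered domain is approximated by the last two labels, and a (client, domain)
pair is a beacon candidate when it has at least MIN_QUERIES lookups whose
inter-arrival gaps have a coefficient of variation (stdev / mean) at or below MAX_CV.
"""
import statistics
from collections import defaultdict

MIN_QUERIES = 12   # fewer check-ins than this is too little rhythm to judge
MAX_CV = 0.25      # stdev/mean at or below this means near-periodic, even with jitter


def apex_domain(qname: str) -> str:
    """'c3.update-cdn.example.' -> 'update-cdn.example'.
    Production code should use the Public Suffix List; two labels is an approximation."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def interval_stats(timestamps):
    """Return (number_of_gaps, mean_gap, cv) for a list of epoch timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(gaps), 0.0, float("inf")
    mean = statistics.fmean(gaps)
    if mean == 0:
        return len(gaps), 0.0, float("inf")
    return len(gaps), mean, statistics.pstdev(gaps) / mean


def find_beacons(log, min_queries=MIN_QUERIES, max_cv=MAX_CV):
    """Group lookups by (client, registered domain) and flag near-periodic pairs.
    Returns {(client, domain): {"queries": n, "mean_gap": seconds, "cv": x}}."""
    by_pair = defaultdict(list)
    for ts, client, qname in log:
        by_pair[(client, apex_domain(qname))].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_queries:
            continue
        _, mean, cv = interval_stats(times)
        if cv <= max_cv:
            flagged[pair] = {"queries": len(times),
                             "mean_gap": round(mean, 1),
                             "cv": round(cv, 3)}
    return flagged


def build_sample_log():
    """Constructed sample, not real telemetry.
    10.0.0.12 beacons to the hypothetical domain update-cdn.example every ~60 s with
    +/-10 % jitter and a rotating subdomain label; 10.0.0.12 and 10.0.0.45 also make
    bursty, human-looking lookups to news-site.example."""
    log = []
    t = 1_700_000_000.0
    jitter = [-6, 4, 5, -3, 0, 6, -5, 2, -4, 1]   # seconds, all within +/-10 % of 60
    for i in range(40):
        t += 60 + jitter[i % len(jitter)]
        log.append((t, "10.0.0.12", f"c{i % 7}.update-cdn.example"))
    gaps = [2, 1, 45, 300, 3, 2, 900, 5, 1200, 1, 4, 30, 2400, 7, 60]  # 1 s to 40 min
    t = 1_700_000_000.0
    for i, g in enumerate(gaps):
        t += g
        log.append((t, "10.0.0.12", f"img{i}.cdn.news-site.example"))
        log.append((t + 0.5, "10.0.0.45", f"s{i}.news-site.example"))
    return log


if __name__ == "__main__":
    for pair, info in find_beacons(build_sample_log()).items():
        print(pair, info)
```

Two things to keep in mind when running something like this on real data. First, grouping by registered domain rather than by exact name matters, because the rotating c0…c6 labels in the sample would otherwise split the rhythm into seven quiet series. Second, collect at the recursive resolver: if the implant queried the same name every time with a long TTL, the OS cache would absorb the repeats and the rhythm would never reach the upstream resolver, which is why low TTLs and ever-changing labels are themselves worth noting.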

Why DNS is the attacker’s favorite tunnel

DNS is the internet’s phone book — it resolves names like centeye.io into IP addresses. Almost every network allows DNS traffic outbound by default, because blocking it breaks everything. Attackers exploit that trust in two ways:

  • DNS-based C2 — the malware’s beacons go out as lookups of names under an attacker-registered domain, and the operator’s commands come back in the answers (TXT, CNAME or similar records), so the implant never opens a connection that looks out of place.
  • DNS exfiltration — stolen data is encoded (typically base32 or hex) into the subdomain labels of those lookups, a few dozen bytes per query, and reassembled by the attacker’s authoritative name server. Most tools log the query name but never inspect it.

Related techniques like Domain Generation Algorithms (DGAs) have malware compute thousands of random-looking domain names from a seed such as the date; the attacker registers only a handful, the malware tries candidates until one resolves, and defenders cannot simply block a single domain. The side effect is a burst of lookups for nonsense names that mostly fail to resolve, which is itself a detectable signal. (For definitions of DGA, C2, and exfiltration, see our glossary.)

Why this is an SMB blind spot

Endpoint antivirus watches files. Email security watches inboxes. Neither watches the steady rhythm of DNS lookups leaving your network. Mandiant’s M-Trends 2025 found that in 34% of intrusions the initial vector could not even be determined — largely because of telemetry gaps most acute below 1,000 employees. C2 in DNS is exactly the kind of signal those companies are missing.

How DNS monitoring catches it

Centeye’s DNS / C2 & Exfil surface monitors cloud DNS for the patterns that betray an active intrusion: beaconing regularity, suspiciously long or high-entropy subdomains (a sign of tunneling or DGA), and known-bad resolution targets. When it spots a phone-home, Kavach correlates it with endpoint and identity signals — a beacon plus a fresh suspicious login plus a new process is one incident, not three — and can take reversible response actions across resolvers.

That’s the difference between watching DNS and watching everything: a C2 beacon stops being an isolated curiosity and becomes the thread that unravels the whole attack.

Curious how the surfaces fit together? See the product overview. Ready to watch DNS on your network? Get a demo.


Figures cited from the Huntress 2025 Cyber Threat Report and Mandiant M-Trends 2025.