

DNS Calc is a technique in which the octets of an IP address are used to calculate the port for command and control servers from an initial DNS request. [1] [2] [3]

ID: T1324
Tactic: Adversary Opsec
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018


Detectable by Common Defenses (Yes/No/Partial): No

Explanation: No currently available tools can perform this calculation in order to detect this type of activity.
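As an added illustration (not part of the original page or of any existing tool), the sketch below shows the correlation a defender would have to perform: recompute a port from each DNS answer and compare it with the destination port of connections the same client opens shortly afterwards. The two formulas, the record field names and the 30-second window are assumptions, since the page does not specify the arithmetic.

```python
from ipaddress import IPv4Address

# Hypothetical octet-to-port formulas; the page does not say which arithmetic
# a given sample uses, so these are assumptions to be replaced per case.
CANDIDATE_FORMULAS = {
    "o1*o2+o3": lambda o: o[0] * o[1] + o[2],
    "o3*256+o4": lambda o: o[2] * 256 + o[3],
}

def candidate_ports(answer_ip):
    """Return {formula name: port} for one resolved IPv4 address."""
    octets = IPv4Address(answer_ip).packed  # four octets as bytes
    ports = {}
    for name, formula in CANDIDATE_FORMULAS.items():
        port = formula(octets)
        if 0 < port <= 65535:  # discard results that are not valid ports
            ports[name] = port
    return ports

def correlate(dns_answers, connections, window=30):
    """Flag connections whose destination port equals a port calculated from
    an A record the same client received in the preceding `window` seconds."""
    hits = []
    for conn in connections:
        for ans in dns_answers:
            if ans["client"] != conn["client"]:
                continue
            if not 0 <= conn["ts"] - ans["ts"] <= window:
                continue
            for name, port in candidate_ports(ans["answer"]).items():
                if port == conn["dport"]:
                    hits.append((conn["client"], ans["qname"], ans["answer"],
                                 conn["dst"], port, name))
    return hits

# Constructed sample records using documentation address ranges.
DNS_ANSWERS = [
    {"ts": 100, "client": "10.0.0.5", "qname": "update.example.com", "answer": "198.51.100.20"},
    {"ts": 105, "client": "10.0.0.7", "qname": "www.example.org", "answer": "203.0.113.7"},
]
CONNECTIONS = [
    {"ts": 102, "client": "10.0.0.5", "dst": "198.51.100.20", "dport": 10198},  # 198*51+100
    {"ts": 106, "client": "10.0.0.7", "dst": "203.0.113.7", "dport": 443},      # ordinary HTTPS
    {"ts": 500, "client": "10.0.0.5", "dst": "198.51.100.20", "dport": 25620},  # outside window
]

if __name__ == "__main__":
    for hit in correlate(DNS_ANSWERS, CONNECTIONS):
        print(hit)
```

A match is a lead rather than a verdict, because a calculated port can coincide with a legitimate service port; matches on unusual high ports that recur for the same client are the ones worth triaging first.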

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: This technique assists the adversary in bypassing egress filtering designed to prevent unauthorized communication. It has been used by APT12, but not otherwise widely reported. Some botnets are hardcoded to be able to use this technique.


  1. Adam Meyers. (2013, March 29). Whois Numbered Panda. Retrieved March 6, 2017.
  2. Ned Moran, Mike Oppenheim. (2014, September 3). Darwin’s Favorite APT Group. Retrieved March 6, 2017.
  3. nex. (2013, August 26). Upcoming G20 Summit Fuels Espionage Operations. Retrieved March 6, 2017.