DNS ServFail for TXT request

[frantz45]

Hello,

I've an issue with the DNS protocol. On my lab I've a workstation (192.168.128.2), a bind DNS server (internal IP 192.168.128.10, external IP 185.217.171.10) and the Sliver server (185.217.171.35). When I execute the DNS implant on the workstation, DNS requests are forwarded to the DNS server which forwards them to Sliver. At the begining of the connection I can see A requests which seems to work fine, but then the DNS Server rejects the TXT answer.

On the below screenshot you can see a tcpdump capture on Sliver (I think there are multiple identical TXT requests because it fails):

On the below screenshot you can see the error on the DNS server:

On the below screenshot you can see the DNS server replying ServFail to the workstation:

Do you have any idea ?

[frantz45]

It seems related to DNS forwarding. I've succeeded twice to make it work by modifying "forwarders" et "forward only" but now it doesn't. It's strange, with Cobalt Strike DNS beacon I don't have any issue, but with Sliver I often encounter the "unexpected end of input" error.

I add some debug logs of the Sliver server (it stops at recv: 160 of 264, I never get 264 of 264):

[frantz45]

I did a new test: I configure the workstation to use the Sliver server as the only DNS server (to avoid issues on my intermediate DNS server), and it stops at the same TXT request. Maybe I'm missing something