---
title: "Can DNS Be Used to Hack AI Chatbots?"
canonical: "https://domainsure.com/articles/can-dns-be-used-to-hack-ai-chatbots/"
published: "2025-07-21T16:06:38+00:00"
modified: "2025-07-22T13:17:46+00:00"
author: "markjr"
categories:
  - "articles"
tags:
site_name: "DomainSure Risk Intelligence Corp."
language: "en-US"
generator: "easyPress Markdown"
---

![](https://domainsure.com/wp-content/uploads/2025/07/DNS-Always-Has-Been-owned.jpg)

Short answer: Only If You’ve Already Been Hacked
------------------------------------------------

A fascinating game of “telephone” has played out over the past week. It started as research on how hackers could embed images in DNS TXT records, and wound up proclaiming,

> *“Newly published research shows that **the domain name system**—a fundamental part of the web—**can be exploited to hide malicious code and prompt injection attacks against chatbots**”*

Oh dear.

I first came across this from the other end, via [the Wired](https://www.wired.com/story/dns-records-hidden-malicious-code/) piece, and worked my way backwards through the [Ars Technica](https://arstechnica.com/security/2025/07/hackers-exploit-a-blind-spot-by-hiding-malware-inside-dns-records/) article (which Wired republished), which cites [recent DomainTools research](https://dti.domaintools.com/malware-in-dns/) that in turn referenced [the original security report](https://asherfalcon.com/blog/posts/2).

DNS exfiltration has been around a long time. That’s when intruders who are *already inside your system* use DNS lookups to copy sensitive data from inside your firewall *out*. It’s a method that can sometimes evade detection by security systems that monitor for unauthorized file transfers.
This is the flip side, DNS *infiltration*, but the Ars Technica (and WIRED) tellings of this angle gloss over the most important part:

> “An ***attacker who managed to get a toehold into a protected network*** could then retrieve each chunk using an innocuous-looking series of DNS requests”

The site has to *already* be *compromised.*

Unfortunately the framing makes it appear (at least to me) as though DNS – the dial tone of the internet, which every client and device must use, all the time – provides a unique attack vector against chatbots. That is not the case. In fact the article never really connects *how* or *if* any chatbots have actually been compromised via DNS-infiltrated data, just that DomainTools researchers have found TXT records encoding strings that could be used in prompt injection attacks.

DomainTools is a passive DNS analytics company that looks at this stuff all day long, across millions of domain names. I can assure you, they find *all kinds of things* (it would not surprise me one iota to find that somebody, somewhere, encoded a Bitcoin seed phrase into a DNS TXT record, thinking that would be a clever place to stash it).

What DNS does provide via this vector is a way to try to surreptitiously move data into or out of a network. What it does *not* do is provide some magical way to compromise a system that isn’t already vulnerable to other vectors. Said differently, DNS isn’t the vulnerability; within a very narrow context, it’s a medium.

It reminds me of the [*Sitting Duck* “vulnerability” scare](https://domainsure.com/news/sitting-duck-dns-flaw-is-a-red-herring/) (that about a hundred people forwarded to me) that framed DNS as somehow opening some kind of security hole, when in fact the entire issue was just bad management and registrar complacency.

*Running a Bitcoin, FinTech or other mission critical domain name? [Get our white paper](https://whitepapers.domainsure.zone/bitcoin-dns) on what the **real DNS based vulnerabilities are –** [Download Now »](https://whitepapers.domainsure.zone/bitcoin-dns)*
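Since the attacker has to already be inside to pull those chunks, the useful place to look is the resolver log. The following is an added example (not code from this article, DomainTools, or the cited report) that scans a constructed query log for one client fetching a series of hex-only TXT records from a single zone in a short window. The log format, the `.invalid` hostnames, and the thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed resolver query log (not from any real incident); one query per line:
# "<epoch> <client> <qname> <qtype> <answer-or-dash>". Zones use the reserved .invalid TLD.
SAMPLE_LOG = """\
1721577600 10.0.0.5 www.example.com A 192.0.2.10
1721577601 10.0.0.7 0.chunks.example.invalid TXT 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b
1721577601 10.0.0.7 1.chunks.example.invalid TXT 2b7e151628aed2a6abf7158809cf4f3c762e7160
1721577602 10.0.0.7 2.chunks.example.invalid TXT f38b4da56a784d9045190cfef324e7738926cbe8
1721577602 10.0.0.7 3.chunks.example.invalid TXT 3c6ef372fe94f82be73c5e9ae9b8b8a8ff1f9ccb
1721577603 10.0.0.7 4.chunks.example.invalid TXT a1b2c3d4e5f60718293a4b5c6d7e8f9001122334
1721577604 10.0.0.9 _dmarc.example.com TXT v=DMARC1;p=reject;rua=mailto:dmarc@example.com
1721577605 10.0.0.5 example.com MX mail.example.com
"""
# A TXT answer that is nothing but a long run of hex is data, not configuration.
HEX_BLOB = re.compile(r"^[0-9a-fA-F]{32,}$")

def parse(log_text):
    """Split log lines into (epoch, client, qname, qtype, answer) tuples."""
    rows = []
    for line in log_text.splitlines():
        ts, client, qname, qtype, answer = line.split(maxsplit=4)
        rows.append((int(ts), client, qname.lower().rstrip("."), qtype.upper(), answer))
    return rows

def zone_of(qname, labels=2):
    """Crude zone cut: the last two labels (good enough for an illustration)."""
    return ".".join(qname.split(".")[-labels:])

def find_chunk_retrieval(rows, min_chunks=4, window_seconds=60):
    """Flag one client pulling several distinct hex-only TXT records from one zone
    within a short window: the shape of a payload being reassembled from pieces."""
    hits = defaultdict(list)
    for ts, client, qname, qtype, answer in rows:
        if qtype == "TXT" and HEX_BLOB.match(answer):
            hits[(client, zone_of(qname))].append((ts, qname))
    findings = []
    for (client, zone), seen in hits.items():
        names = {q for _, q in seen}
        span = max(t for t, _ in seen) - min(t for t, _ in seen)
        if len(names) >= min_chunks and span <= window_seconds:
            findings.append({"client": client, "zone": zone,
                             "chunks": len(names), "span_seconds": span})
    return findings

if __name__ == "__main__":
    for f in find_chunk_retrieval(parse(SAMPLE_LOG)):
        print(f"{f['client']} fetched {f['chunks']} hex TXT chunks from {f['zone']} in {f['span_seconds']}s")
```

The DMARC lookup and the ordinary A/MX traffic pass through untouched; only the burst of hex-only TXT answers to one internal host is reported, which is a host worth examining rather than a DNS problem.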