1019: Dns transport support

[KaliPatriot]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR adds a DNS redirector to tavern and a DNS transport to imix to enable DNS beacon communication. I have also updated some of the documentation around developing and using new transport methods.

Which issue(s) this PR fixes:

Fixes #1019

[hulto]

Were you able to run this end to end over public DNS?

[KaliPatriot]

Were you able to run this end to end over public DNS?

Good question, let me test this

[hulto]

Got some of the way through the rust.
Can you explain the conversations concept?

[hulto]

Usually retries are handled in the agent code not the transport.
Centralizing the logic in the agent makes things like run time reconfiguration easier.

[KaliPatriot]

I agree with this for retrying to entire transport conversation, however I do think given that dns has to have chunked conversations, its good to keep this retry logic. Other wise a single missed chunk will cause a whole conversation to fail. This increased the overall stability a lot more for the protocol.

[hulto]

Took another pass - still have a lot to review.

[hulto]

Also have you seen sliver's implementation?
https://github.com/BishopFox/sliver/blob/master/implant/sliver/transports/dnsclient/dnsclient.go
Similarly they use grpc for comms tho they have a meta proto called envelope that embeds the message as opposed to our use of codecs.

[hulto]

Lemme know when you're ready for another review.

Overall I think two big changes:

• When possible remove failover and retry logic allow the agent to handle those
• Look into grpc built-in functionality to replace some of the manual chunking and retry logic.

[github-actions]

Summary

Tests 📝	Passed ✅	Failed ❌	Skipped ⏭️	Other ❓	Flaky 🍂	Duration ⏱️
7518    ±0	7518    ±0	0    ±0	0    ±0	0    ±0	0    ±0	1ms    ±0

Previous Results

Build 🏗️	Result 🧪	Tests 📝	Passed ✅	Failed ❌	Skipped ⏭️	Other ❓	Flaky 🍂	Duration ⏱️
#16	✅	7518	7518	0	0	0	0	26.8s

Insights

Average Tests per Run	Total Flaky Tests	Total Failed	Slowest Test (p95)
7518	0	0	44.1s

Slowest Tests

Test 📝	Results 📊	Duration (avg) ⏱️	Duration (p95) ⏱️
eldritch: random::string_impl::tests::test_string_uniform	9	40.2s	44.1s
eldritch: random::string_impl::tests::test_string_uniform	9	40.2s	44.1s
eldritch: random::string_impl::tests::test_string_uniform	9	40.2s	44.1s
eldritch: random::string_impl::tests::test_string_uniform	9	40.2s	44.1s
eldritch: random::string_impl::tests::test_string_uniform	9	40.2s	44.1s
eldritch: random::string_impl::tests::test_string_uniform	9	40.2s	44.1s
eldritch: random::string_impl::tests::test_string_uniform	9	40.2s	44.1s
eldritch: random::string_impl::tests::test_string_uniform	9	40.2s	44.1s
eldritch: random::string_impl::tests::test_string_uniform	9	40.2s	44.1s
eldritch: random::string_impl::tests::test_string_length	9	6.2s	11.0s

_{🎉 No failed tests in this run. | 🍂 No flaky tests in this run.}

Github Test Reporter by CTRF 💚

🔄 This comment has been updated

[Copilot]

Pull request overview

This PR adds DNS-based covert channel communication to Realm, enabling agents (Imix) to communicate with the C2 server (Tavern) through DNS queries and responses. The implementation includes:

• A DNS redirector in Tavern that receives DNS queries, parses encoded C2 traffic, forwards to upstream gRPC, and returns responses
• A DNS transport in Imix that encodes requests as DNS subdomains and decodes responses from DNS records
• Support for TXT, A, and AAAA record types with automatic resolver fallback
• Async windowed protocol with ACK/NACK for reliable UDP transmission
• Comprehensive test coverage for both client and server

Reviewed changes

Copilot reviewed 20 out of 22 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
tavern/internal/redirectors/dns/dns.go	DNS redirector implementation with packet handling, conversation management, and DNS protocol support
tavern/internal/redirectors/dns/dns_test.go	Comprehensive unit tests for DNS redirector functionality
implants/lib/transport/src/dns.rs	DNS transport client with chunking, windowing, retry logic, and record type support
tavern/internal/c2/proto/dns.proto	Protobuf definitions for DNS packet protocol
tavern/internal/ent/beacon/beacon.go	Added TRANSPORT_DNS enum value
docs/_docs/user-guide/imix.md	User documentation for DNS transport configuration
docs/_docs/dev-guide/imix.md	Developer guide for implementing new transports
Various Cargo.toml and build files	Build configuration for DNS feature

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[hulto]

Don't do multi-domain here.
We're going to do multi transport in the agent logic which can include multiple domains on the same transport.

[KaliPatriot]

This is for the redirector, not the agent.