Source: Cisco Security Research
In this case, “uses” doesn’t necessarily mean “as a vector,” but rather that DNS resolution is integral to the attack, e.g., for resolving the name of a C&C server.
Can also use NULL RRs and binary RDATA (lower overhead)
If you’re not worried about (or can detect) Microsoft DNS Servers, you can use binary labels (more efficient)
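
A defender-side check for the two encodings noted above, as an added example that is not from the original page: it parses the question of a DNS query and flags QTYPE NULL (type 10 in RFC 1035) and labels carrying bytes outside letters, digits, hyphen and underscore. Reading "binary labels" as raw-octet labels is an assumption, and build_query, inspect_query and the sample packets are constructed for illustration.

```python
import struct

QTYPE_NULL = 10  # RFC 1035 NULL RR: RDATA is opaque bytes
# Assumption: a "binary label" is any label with a byte outside this set.
LDH = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")

def build_query(labels, qtype, txid=0x1234):
    """Constructed sample: a one-question DNS query in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def inspect_query(packet):
    """Parse the first question; return (labels, qtype, findings)."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        if length & 0xC0:        # top bits set: not a plain length octet
            raise ValueError("compression pointer or extended label type")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length])
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    findings = []
    if qtype == QTYPE_NULL:
        findings.append("null_qtype")
    if any(b not in LDH for label in labels for b in label):
        findings.append("binary_label")
    return labels, qtype, findings

if __name__ == "__main__":
    sample = build_query([b"\x00\xff\x80data", b"t", b"example", b"com"], QTYPE_NULL)
    print(inspect_query(sample))
```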