I think that dns.google is not a nasty domain, but honestly I'm not sure and haven't much investigated this.
dns.google is Google's public DNS server. They're just using its HTTP API to do a DNS lookup for poolio.magratmail.xyz and get its IP address. Although, since their script installed curl via apt, I wonder why they didn't just install dnsutils and use nslookup or dig 🤔
It may be an easy way to avoid being stopped by a security tool watching outbound DNS traffic and flagging lookups to suspicious sites. .xyz is a suspicious TLD and poolio.magratmail.xyz may get flagged. The HTTP request to dns.google is encrypted, so you don't know what they're resolving by inspecting the wire.
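A defender-side check for the evasion described in this comment, added here as an example and not code from the thread: it scans constructed proxy log lines for HTTP requests to public DNS-over-HTTPS resolver endpoints (dns.google's /resolve and the RFC 8484 /dns-query path) and, where the proxy can see the query string, raises the severity for lookups of names under a watch-listed TLD. The resolver set, the JSON log format and the TLD watch-list are assumptions for this example.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Assumed watch-lists: public DoH resolver hosts and their query paths.
# /resolve is Google's JSON API; /dns-query is the RFC 8484 wire-format path.
DOH_RESOLVER_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATHS = ("/resolve", "/dns-query")
SUSPICIOUS_TLDS = {"xyz", "top"}  # constructed watch-list, tune for your environment


def parse_proxy_line(line):
    """Parse one constructed JSON proxy log line: {"src", "host", "url"}."""
    return json.loads(line)


def classify(event):
    """Return an alert dict if the event is a DoH lookup, else None."""
    host = event.get("host", "")
    url = urlsplit(event.get("url", ""))
    if host not in DOH_RESOLVER_HOSTS or not url.path.startswith(DOH_PATHS):
        return None
    # The queried name is only visible when the proxy inspects TLS; otherwise
    # all we know is that the client talked to a DoH resolver.
    name = parse_qs(url.query).get("name", [None])[0]
    alert = {"src": event.get("src"), "resolver": host, "name": name,
             "severity": "medium"}
    if name and name.rstrip(".").rsplit(".", 1)[-1].lower() in SUSPICIOUS_TLDS:
        alert["severity"] = "high"
    return alert


def scan(lines):
    """Run classify() over raw log lines and keep only the alerts."""
    return [a for a in (classify(parse_proxy_line(l)) for l in lines) if a]


# Constructed sample log: one inspected DoH lookup of the domain from the
# thread, one ordinary web request, one opaque DoH request without a name.
SAMPLE_LOG = [
    '{"src":"10.0.0.5","host":"dns.google",'
    '"url":"https://dns.google/resolve?name=poolio.magratmail.xyz&type=A"}',
    '{"src":"10.0.0.5","host":"www.google.com","url":"https://www.google.com/"}',
    '{"src":"10.0.0.7","host":"cloudflare-dns.com",'
    '"url":"https://cloudflare-dns.com/dns-query"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```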
That's a great point! I didn't even consider that. Pretty clever if that's the case.