210-255 · Question #21
When performing threat hunting against a DNS server, which traffic toward the affected domain is considered a starting point?
The correct answer is D. UDP traffic. DNS primarily uses UDP port 53 for queries and responses, making UDP traffic the natural starting point when threat hunting DNS server activity.
Question
When performing threat hunting against a DNS server, which traffic toward the affected domain is considered a starting point?
Options
- AHTTPS traffic
- BTCP traffic
- CHTTP traffic
- DUDP traffic
How the community answered
(51 responses)- A14% (7)
- B8% (4)
- C4% (2)
- D75% (38)
Why each option
DNS primarily uses UDP port 53 for queries and responses, making UDP traffic the natural starting point when threat hunting DNS server activity.
HTTPS traffic operates over TCP port 443 and is unrelated to the DNS protocol stack used by a DNS server.
While DNS does use TCP for zone transfers and large responses, UDP is the primary and default transport for standard DNS queries, so TCP broadly is not the correct starting point.
HTTP traffic operates over TCP port 80 and has no role in standard DNS server communication or DNS-focused threat hunting.
DNS uses UDP port 53 as its default transport protocol for name resolution queries and responses. When threat hunting against a DNS server, analysts begin by filtering for UDP traffic because the vast majority of DNS communication occurs over UDP. Anomalies in UDP/53 traffic - such as unusually large payloads, high query volumes, or encoded subdomains - are key indicators of DNS-based attacks like tunneling or data exfiltration.
Concept tested: DNS default transport protocol for threat hunting
Source: https://www.rfc-editor.org/rfc/rfc1035
Topics
Community Discussion
No community discussion yet for this question.