CAS-003 Question #692: Real Exam Question with Answer & Explanation
Question
Options
- A. Block all outbound traffic from the guest network at the border firewall.
- B. Verify the passphrase on the guest network has not been changed.
- C. Search antivirus logs for evidence of a compromised company device.
- D. Review access point logs to identify potential zombie services.
Explanation
The clues - unusual traffic from an unauthenticated guest network, network slowdown, and notably long domain names in DNS logs - strongly suggest DNS tunneling. In DNS tunneling, attackers encode data within DNS query strings (producing abnormally long domain names) to exfiltrate data or communicate with a command-and-control server, bypassing typical DDoS detection. Since no users are authenticated, the traffic has no legitimate source. The correct immediate response is containment: block all outbound traffic from the guest network at the firewall to stop the attack while preserving logs for investigation. Checking the passphrase (B) is irrelevant since no captive portal authentication is occurring. Antivirus logs (C) would cover corporate devices, not the guest network. Reviewing access logs (D) is investigative, not a containment action.