CS0-003 Question #293: Real Exam Question with Answer & Explanation
The correct answer is A: DNS exfiltration.
Question
A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:
- DNS traffic while a tunneling session is active.
- The mean time between queries is less than one second.
- The average query length exceeds 100 characters.
Which of the following attacks most likely occurred?
Options
- A. DNS exfiltration
- B. DNS spoofing
- C. DNS zone transfer
- D. DNS poisoning
Explanation
The observed DNS traffic characteristics, including active tunneling, rapid queries, and unusually long query lengths, are strong indicators of data being covertly transmitted over DNS.
Common mistakes
- B. DNS spoofing involves an attacker providing false DNS resolution to redirect traffic, which does not directly align with the described traffic patterns of high frequency and long queries.
- C. DNS zone transfer is a legitimate process for replicating DNS zone files between DNS servers and typically involves specific query types and patterns, not generally rapid, long, or tunneled queries indicative of data transfer.
- D. DNS poisoning involves injecting corrupt DNS data into a resolver's cache to misdirect queries, which does not explain the observation of rapid, long, and tunneled DNS queries as a means of data transmission.
Concept tested: Detecting DNS exfiltration indicators
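As an added illustration (not part of the original question or its explanation), the following Python script applies the two measurable indicators from the question, a mean inter-query interval under one second and an average query name longer than 100 characters, to constructed DNS query logs. The `<timestamp> <qname>` log format, the threshold constants and the example names are assumptions made for this example.

```python
from dataclasses import dataclass
from statistics import mean

# Thresholds taken from the question text.
MAX_MEAN_INTERVAL_S = 1.0   # mean time between queries below 1 s counts as "rapid"
MIN_AVG_QNAME_LEN = 100     # average query name longer than 100 chars counts as "long"

@dataclass
class DnsQuery:
    ts: float    # seconds since start of capture
    qname: str   # queried name

def parse_log(text: str) -> list[DnsQuery]:
    """Parse constructed '<timestamp> <qname>' lines (assumed format, not a real tool's output)."""
    queries = []
    for line in text.strip().splitlines():
        ts, qname = line.split(maxsplit=1)
        queries.append(DnsQuery(float(ts), qname.strip()))
    return queries

def exfil_indicators(queries: list[DnsQuery]) -> dict:
    """Measure the two quantitative indicators from the question and combine them."""
    qs = sorted(queries, key=lambda q: q.ts)
    intervals = [b.ts - a.ts for a, b in zip(qs, qs[1:])]
    mean_interval = mean(intervals) if intervals else float("inf")  # no pairs: not rapid
    avg_len = mean(len(q.qname) for q in qs) if qs else 0.0
    rapid = mean_interval < MAX_MEAN_INTERVAL_S
    long_names = avg_len > MIN_AVG_QNAME_LEN
    return {
        "mean_interval_s": mean_interval,
        "avg_qname_len": avg_len,
        "rapid_queries": rapid,
        "long_qnames": long_names,
        "likely_exfiltration": rapid and long_names,
    }

# Constructed sample: a burst of long, label-encoded names (139 chars each) 0.2 s apart...
PAYLOAD_NAME = "ab" * 20 + "." + "cd" * 20 + "." + "ef" * 20 + ".tun.example.test"
EXFIL_LOG = "\n".join(f"{i * 0.2:.1f} {PAYLOAD_NAME}" for i in range(5))
# ...and ordinary browsing-style lookups several seconds apart for comparison.
BENIGN_LOG = """0.0 www.example.com
5.0 mail.example.com
10.0 api.example.com
15.0 cdn.example.com"""

if __name__ == "__main__":
    for label, log in (("exfil", EXFIL_LOG), ("benign", BENIGN_LOG)):
        print(label, exfil_indicators(parse_log(log)))
```

The "tunneling session active" indicator from the question is contextual and is not measured here; the script only scores the two numeric thresholds.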