GCIH Question #437: Real Exam Question with Answer & Explanation
The correct answer is D: A cache poisoning attack in progress.
Question
A systems administrator notices an increase in errors in a DNS server log. Further investigation determines the errors are related to incoming DNS packets with incorrect query IDs. What type of activity is the likely cause of these errors?
Options
- A. Clients browsing to blocked websites
- B. Unauthorized zone transfer requests
- C. Bot command and control traffic
- D. A cache poisoning attack in progress
Explanation
DNS packets arriving with incorrect query IDs are a hallmark indicator of a DNS cache poisoning attack, where an attacker attempts to inject forged responses. A resolver only accepts a response whose 16-bit transaction ID (and source port) matches an outstanding query; an attacker who cannot observe that ID must send many forged responses with guessed IDs, and each guess that fails the match is rejected and logged as an error.
Common mistakes.
- A. Clients browsing blocked websites generate NXDOMAIN responses or policy-based redirects, not a flood of packets with mismatched query IDs.
- B. Unauthorized zone transfer requests use the AXFR or IXFR query types directed at the authoritative server, which would not produce query ID mismatch errors.
- C. Bot command and control traffic typically uses legitimate DNS queries with valid, matching query IDs to resolve C2 domain names, not malformed packets.
Concept tested: DNS cache poisoning detection via query ID mismatches.