GIAC
GCIH · Question #527
GCIH Question #527: Real Exam Question with Answer & Explanation
The correct answer is D: Zone transfer requests are being made to your DNS server.
Question
You are reviewing summarized logs from your central log server. You see a large number of packets from an internal host traveling to your primary DNS server with a destination port of TCP 53. Which of the following is a likely reason for this traffic?
Options
- A. An attacker ran a port scan against your DNS servers
- B. Your DNS server has been compromised with a rootkit
- C. One of your web sites has recently changed IP addresses and the DNS server received the
- D. Zone transfer requests are being made to your DNS server
Explanation
DNS zone transfers take place using TCP port 53. Normal DNS queries and responses use UDP port 53. A port scan is not likely to generate only TCP port 53 traffic, and a rootkit attempts to hide its presence, so it is not likely to do anything that results in a large number of log entries.