GIAC
GCIH · Question #527
You are reviewing summarized logs from your central log server. You see a large number of packets from an internal host traveling to your primary DNS server with a destination port of TCP 53. Which of
The correct answer is D. Zone transfer requests are being made to your DNS server. DNS zone transfers take place using TCP port 53. Normal DNS queries and responses use UDP port 53. A port scan is not likely to generate only TCP port 53 traffic and a rootkit attempt to hide its presence, so it is not likely to do anything that results in a large number of log e
Reconnaissance, Scanning, and Enumeration
Question
You are reviewing summarized logs from your central log server. You see a large number of packets from an internal host traveling to your primary DNS server with a destination port of TCP 53. Which of the following is a likely reason for this traffic?
Options
- AAn attacker ran a port scan against your DNS servers
- BYour DNS server has been compromised with a rootkit
- COne of your web sites has recently changed IP addresses and the DNS server received the
- DZone transfer requests are being made to your DNS server
How the community answered
(44 responses)- A5% (2)
- B9% (4)
- C11% (5)
- D75% (33)
Explanation
DNS zone transfers take place using TCP port 53. Normal DNS queries and responses use UDP port 53. A port scan is not likely to generate only TCP port 53 traffic and a rootkit attempt to hide its presence, so it is not likely to do anything that results in a large number of log entries.
Topics
#DNS zone transfer#TCP port 53#log analysis#DNS reconnaissance
Community Discussion
No community discussion yet for this question.