nerdexam
GIAC

GCIH · Question #527

You are reviewing summarized logs from your central log server. You see a large number of packets from an internal host traveling to your primary DNS server with a destination port of TCP 53. Which of

The correct answer is D. Zone transfer requests are being made to your DNS server. DNS zone transfers take place using TCP port 53. Normal DNS queries and responses use UDP port 53. A port scan is not likely to generate only TCP port 53 traffic and a rootkit attempt to hide its presence, so it is not likely to do anything that results in a large number of log e

Reconnaissance, Scanning, and Enumeration

Question

You are reviewing summarized logs from your central log server. You see a large number of packets from an internal host traveling to your primary DNS server with a destination port of TCP 53. Which of the following is a likely reason for this traffic?

Options

  • AAn attacker ran a port scan against your DNS servers
  • BYour DNS server has been compromised with a rootkit
  • COne of your web sites has recently changed IP addresses and the DNS server received the
  • DZone transfer requests are being made to your DNS server

How the community answered

(44 responses)
  • A
    5% (2)
  • B
    9% (4)
  • C
    11% (5)
  • D
    75% (33)

Explanation

DNS zone transfers take place using TCP port 53. Normal DNS queries and responses use UDP port 53. A port scan is not likely to generate only TCP port 53 traffic and a rootkit attempt to hide its presence, so it is not likely to do anything that results in a large number of log entries.

Topics

#DNS zone transfer#TCP port 53#log analysis#DNS reconnaissance

Community Discussion

No community discussion yet for this question.

Full GCIH Practice