ExamGecko
Question list
Search
Search

List of questions

Search

Related questions











Question 99 - CS0-003 discussion

Report
Export

A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:

* DNS traffic while a tunneling session is active.

* The mean time between queries is less than one second.

* The average query length exceeds 100 characters.

Which of the following attacks most likely occurred?

A.
DNS exfiltration
Answers
A.
DNS exfiltration
B.
DNS spoofing
Answers
B.
DNS spoofing
C.
DNS zone transfer
Answers
C.
DNS zone transfer
D.
DNS poisoning
Answers
D.
DNS poisoning
Suggested answer: A

Explanation:

DNS exfiltration is a technique that uses the DNS protocol to transfer data from a compromised network or device to an attacker-controlled server. DNS exfiltration can bypass firewall rules and security products that do not inspect DNS traffic. The characteristics of the suspicious DNS traffic in the question match the indicators of DNS exfiltration, such as:

DNS traffic while a tunneling session is active: This implies that the DNS protocol is being used to create a covert channel for data transfer.

The mean time between queries is less than one second: This implies that the DNS queries are being sent at a high frequency to maximize the amount of data transferred.

The average query length exceeds 100 characters: This implies that the DNS queries are encoding large amounts of data in the subdomains or other fields of the DNS packets.

Official

Reference:

https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives

https://resources.infosecinstitute.com/topic/bypassing-security-products-via-dns-data-exfiltration/

https://www.reddit.com/r/CompTIA/comments/nvjuzt/dns_exfiltration_explanation/

asked 02/10/2024
Krishan Randitha
42 questions
User
Your answer:
0 comments
Sorted by

Leave a comment first