CompTIA CySA+ (CS0-003) — Question 105
A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:
• DNS traffic while a tunneling session is active.
• The mean time between queries is less than one second.
• The average query length exceeds 100 characters.
Which of the following attacks most likely occurred?
Answer options
- A. DNS exfiltration
- B. DNS spoofing
- C. DNS zone transfer
- D. DNS poisoning
Correct answer: A
Explanation
The correct answer is DNS exfiltration: the observed characteristics (an active tunneling session, a mean time between queries of less than one second, and an average query length above 100 characters) suggest that data is being covertly transferred out of the network over DNS. The other options, DNS spoofing, DNS zone transfer, and DNS poisoning, do not typically involve such rapid query rates or the unusually long queries associated with data exfiltration.