CompTIA Security+ (SY0-501) — Question 846
A security administrator has completed a monthly review of DNS server query logs. The administrator notices continuous name resolution attempts from a large number of internal hosts to a single Internet-addressable domain name. The security administrator then correlated those logs with the establishment of persistent TCP connections out to this domain. The connections seem to be carrying on the order of kilobytes of data per week.
Which of the following is the MOST likely explanation for this anomaly?
Answer options
- A. An attacker is exfiltrating large amounts of proprietary company data.
- B. Employees are playing multiplayer computer games.
- C. A worm is attempting to spread to other hosts via SMB exploits.
- D. Internal hosts have become members of a botnet.
Correct answer: D
Explanation
The correct answer is D. A large number of internal hosts repeatedly resolving the same external domain, each holding a persistent outbound TCP connection that carries only kilobytes of data per week, is the classic pattern of bots beaconing to a command-and-control server: the behavior is uniform across hosts, long-lived, and low-volume. Option A does not fit because exfiltrating large amounts of proprietary data would move far more than kilobytes per week. Option B does not fit because multiplayer games generate high-bandwidth sessions and would not show identical behavior across many hosts. Option C does not fit because a worm spreading via SMB exploits produces lateral traffic between internal hosts rather than persistent connections from many hosts to a single Internet domain.
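The detection logic behind this question can be written down directly: join the DNS query log with the outbound connection records and flag any external domain that many internal hosts resolve repeatedly and also hold persistent, low-volume connections to. The script below is an added example, not part of the exam question or any vendor's tooling; the log field layout, the domain names, the thresholds (`min_hosts`, `min_queries`, `min_duration_s`, `max_bytes`) and the sample log lines are all constructed for illustration.

```python
"""Correlate DNS query logs with outbound connection records to surface the
pattern in the question: many internal hosts repeatedly resolving one external
domain and holding persistent, low-volume TCP connections to it.

All log lines below are constructed samples; the 'timestamp client qname' and
'src dst duration_s total_bytes' layouts are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed DNS query log: timestamp, querying client, queried name.
DNS_LOG = """\
2024-03-04T08:00:01 10.0.1.15 c2-beacon.example.test
2024-03-04T08:10:02 10.0.1.15 c2-beacon.example.test
2024-03-04T08:00:03 10.0.1.16 c2-beacon.example.test
2024-03-04T08:10:04 10.0.1.16 c2-beacon.example.test
2024-03-04T08:00:05 10.0.1.17 c2-beacon.example.test
2024-03-04T08:10:06 10.0.1.17 c2-beacon.example.test
2024-03-04T08:00:07 10.0.1.18 c2-beacon.example.test
2024-03-04T08:10:08 10.0.1.18 c2-beacon.example.test
2024-03-04T09:00:00 10.0.1.15 www.example-news.test
2024-03-04T09:00:01 10.0.1.16 www.example-news.test
2024-03-04T09:00:02 10.0.1.17 www.example-news.test
2024-03-04T09:00:03 10.0.1.18 www.example-news.test
2024-03-04T09:30:00 10.0.1.30 files.example-backup.test
2024-03-04T09:31:00 10.0.1.30 files.example-backup.test
"""

# Constructed connection log: source host, destination name, duration in
# seconds, total bytes transferred over the connection's lifetime.
CONN_LOG = """\
10.0.1.15 c2-beacon.example.test 604000 4096
10.0.1.16 c2-beacon.example.test 603500 5120
10.0.1.17 c2-beacon.example.test 602000 3072
10.0.1.18 c2-beacon.example.test 601000 6144
10.0.1.15 www.example-news.test 45 2500000
10.0.1.16 www.example-news.test 30 1800000
10.0.1.30 files.example-backup.test 7200 900000000
"""


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    duration_s: int
    total_bytes: int


def parse_dns(text):
    """Return (client, qname) pairs; the timestamp is not needed for counting."""
    records = []
    for line in text.strip().splitlines():
        _ts, client, qname = line.split()
        records.append((client, qname.lower().rstrip(".")))
    return records


def parse_conn(text):
    """Return Conn records from 'src dst duration_s total_bytes' lines."""
    conns = []
    for line in text.strip().splitlines():
        src, dst, duration, nbytes = line.split()
        conns.append(Conn(src, dst.lower(), int(duration), int(nbytes)))
    return conns


def find_beaconing_domains(dns_records, conns, *, min_hosts=3, min_queries=2,
                           min_duration_s=3600, max_bytes=1_000_000):
    """Map each suspicious domain to the sorted internal hosts showing BOTH
    signals: repeated resolution and a persistent, low-volume connection.
    Thresholds are illustrative defaults, not tuned values."""
    # Signal 1: per domain, how often each internal (RFC 1918) host resolved it.
    queries = defaultdict(lambda: defaultdict(int))
    for client, qname in dns_records:
        if ip_address(client).is_private:
            queries[qname][client] += 1

    # Signal 2: per domain, which hosts held a long-lived, low-byte connection.
    # A high byte count points toward bulk transfer or exfiltration instead.
    persistent = defaultdict(set)
    for c in conns:
        if c.duration_s >= min_duration_s and c.total_bytes <= max_bytes:
            persistent[c.dst].add(c.src)

    # Require both signals on the same hosts and enough distinct hosts to
    # rule out one user's legitimate long-running session.
    flagged = {}
    for domain, per_host in queries.items():
        hosts = sorted(h for h, n in per_host.items()
                       if n >= min_queries and h in persistent.get(domain, set()))
        if len(hosts) >= min_hosts:
            flagged[domain] = hosts
    return flagged


if __name__ == "__main__":
    for domain, hosts in find_beaconing_domains(parse_dns(DNS_LOG),
                                                parse_conn(CONN_LOG)).items():
        print(f"{domain}: {len(hosts)} hosts beaconing -> {', '.join(hosts)}")
```

On the constructed data only `c2-beacon.example.test` is flagged: the news site is resolved once per host over short, high-volume sessions, and the backup host is a single machine moving hundreds of megabytes, which is the bulk-transfer profile rather than the beaconing one. In production the byte threshold should be measured per week against a baseline rather than per connection, and the domain should be checked against threat intelligence before any response.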