Which indicator besides unusually long domain names helps spot DNS tunneling patterns?

Prepare for the Wireshark Traffic Analysis Exam. Study with flashcards and multiple choice questions, each question includes hints and explanations. Ace your exam!

Multiple Choice

Which indicator besides unusually long domain names helps spot DNS tunneling patterns?

Explanation:
DNS tunneling hides data inside DNS messages, so the indicators to look for are the ones that show a payload moving through the DNS channel. Besides unusually long query names (the upstream data is usually encoded into subdomain labels), a high frequency of TXT record queries and responses is the strongest of the listed indicators. TXT records hold arbitrary text, so tunneling tools encode their downstream data into TXT responses; a client that issues a steady stream of TXT queries to a single domain, with long or high-entropy subdomains, is a telltale pattern. In Wireshark the display filters dns.qry.type == 16 and dns.resp.type == 16 isolate TXT traffic. A caveat: TXT lookups are legitimate in moderation (SPF, DKIM, DMARC and domain-verification records live in TXT), so judge the TXT ratio and volume against a baseline rather than treating any TXT query as suspicious. The other choices do not map as directly to tunneling: NXDOMAIN bursts have many causes (typos, misconfigured resolvers, and DGA malware, which is a different pattern); a large number of A records is normal name resolution; and TLS handshakes belong to a different protocol layer entirely, not to DNS.
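To turn the indicators above into a check you can run over a capture, here is an added example (not part of the original flashcard page): a Python script that profiles DNS queries per base domain and flags domains that combine a high ratio of payload-capable record types (TXT, and NULL, which some tunneling tools also use) with long or high-entropy query names. It assumes tab-separated input in the shape produced by tshark's -T fields output with the fields ip.src, dns.qry.name and dns.qry.type (the command is shown in the docstring). The sample lines, the domains in them, the thresholds and the two-label "base domain" heuristic are all constructed for illustration.

```python
"""Flag DNS tunneling candidates from tshark field output.

Assumed input format (tab-separated, one query per line), e.g. from:
  tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields \
      -e ip.src -e dns.qry.name -e dns.qry.type
dns.qry.type is numeric: A=1, NULL=10, TXT=16, AAAA=28.
"""
from collections import defaultdict
import math

TXT = 16
NULL_RR = 10
PAYLOAD_TYPES = {TXT, NULL_RR}  # record types that carry arbitrary data

# Constructed sample: normal traffic to example.com / example.org and a
# client streaming TXT queries with base32-looking labels under example.net.
SAMPLE_LINES = [
    "10.0.0.5\twww.example.com\t1",
    "10.0.0.5\tmail.example.com\t1",
    "10.0.0.5\twww.example.com\t28",
    "10.0.0.5\t_dmarc.example.com\t16",          # legitimate TXT (DMARC)
    "10.0.0.5\tcdn.example.com\t1",
    "10.0.0.5\tapi.example.com\t1",
    "10.0.0.6\td1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6.static.example.org\t1",  # long but A
    "10.0.0.7\tmfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.0001.tun.example.net\t16",
    "10.0.0.7\tnfxgc4tjnzswk3tuebqw4zbaonxw2zjanfxg4zlsmuzq.0002.tun.example.net\t16",
    "10.0.0.7\tonswg4tfor2hs3lfoqzgkzlsmuzxezi2nvzgkidbnzsca.0003.tun.example.net\t16",
    "10.0.0.7\tebtg6zpoobqswzltebqxk5dimf2gkidpmy2gcidgmfzxi.0004.tun.example.net\t16",
    "10.0.0.7\tmfzhi4tbnzzxmzltebugi4tbnruwwidfo5rgkzlnmuzq.0005.tun.example.net\t16",
    "10.0.0.7\tovsgc3tuebugi4dfoqzxe3tbnrxxeidfnvwhizlnmuzq.0006.tun.example.net\t16",
]


def registered_domain(name: str) -> str:
    """Crude base domain = last two labels. Real code should use the
    Public Suffix List so that e.g. co.uk is handled correctly."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far above hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_lines(lines):
    """Yield (src, qname, qtype) tuples, skipping malformed records."""
    for raw in lines:
        parts = raw.strip().split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1].rstrip(".").lower(), int(parts[2])


def profile_domains(lines):
    """Aggregate per base domain: query count, payload-type ratio,
    average query-name length and average entropy of the subdomain part."""
    acc = defaultdict(lambda: {"q": 0, "payload": 0, "len": 0, "ent": 0.0})
    for _src, qname, qtype in parse_lines(lines):
        base = registered_domain(qname)
        prefix = qname[: -len(base)].rstrip(".") if qname.endswith(base) else qname
        a = acc[base]
        a["q"] += 1
        a["payload"] += qtype in PAYLOAD_TYPES
        a["len"] += len(qname)
        a["ent"] += shannon_entropy(prefix)
    return {
        base: {
            "queries": a["q"],
            "txt_ratio": a["payload"] / a["q"],
            "avg_name_len": a["len"] / a["q"],
            "avg_prefix_entropy": a["ent"] / a["q"],
        }
        for base, a in acc.items()
    }


def flag_tunneling(profiles, min_queries=5, txt_ratio=0.5, name_len=50, entropy=3.5):
    """Flag domains with enough volume, a dominant share of TXT/NULL
    queries AND long or high-entropy names. Requiring both indicators
    keeps a single DMARC lookup or a long CDN hostname from firing."""
    return sorted(
        base for base, p in profiles.items()
        if p["queries"] >= min_queries
        and p["txt_ratio"] >= txt_ratio
        and (p["avg_name_len"] >= name_len or p["avg_prefix_entropy"] >= entropy)
    )


if __name__ == "__main__":
    prof = profile_domains(SAMPLE_LINES)
    for base, p in sorted(prof.items()):
        print(f"{base:14} q={p['queries']:2} txt={p['txt_ratio']:.2f} "
              f"len={p['avg_name_len']:5.1f} ent={p['avg_prefix_entropy']:.2f}")
    print("flagged:", flag_tunneling(prof))
```

Note that the single DMARC TXT query to example.com and the long but A-type hostname under example.org both stay unflagged: the ratio and volume conditions are what separate a tunnel from ordinary traffic, which is why the thresholds should be tuned against a baseline of the network's normal TXT usage.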