A security analyst discovers that an attacker exfiltrated data using DNS tunneling. Which TWO controls should be implemented to detect or prevent this? (Select two.)
Unusually large or frequent queries may indicate tunneling.
Why this answer
Option A is correct because DNS tunneling often involves unusually large query sizes (e.g., encoded data in subdomains) and abnormal query frequencies (e.g., thousands of requests per minute). Monitoring these metrics allows analysts to spot deviations from baseline behavior, which is a key detection technique for exfiltration via DNS. Option B is correct because a DNS sinkhole redirects malicious or suspicious DNS queries to a controlled IP address, effectively blocking the resolution of domains used for tunneling and preventing data from reaching the attacker's command-and-control server.
Exam trap
Cisco often tests the misconception that DNSSEC or disabling recursion can stop DNS tunneling, but DNSSEC only signs records and does not inspect payloads, while disabling recursion breaks internal resolution without affecting external tunneling via forwarders.