An NDR tool shows a production web server sending small, periodic DNS queries to random-looking subdomains under a domain the company does not use. The pattern repeats every 60 seconds, even when normal web traffic is idle. What is the best interpretation and next step?
Regular outbound DNS queries to random subdomains can indicate tunneling or command-and-control traffic. The fact that it repeats at a fixed interval strengthens that suspicion. The best next step is to contain the host so the activity cannot continue, while preserving logs and packet captures for investigation. This lets the team determine whether malware, a rogue process, or a misconfiguration is responsible without losing evidence.
Why this answer
The small, periodic DNS queries to random-looking subdomains under an unused domain are a classic indicator of DNS-based command-and-control (C2) communication. Attackers often use DNS tunneling to exfiltrate data or send commands, as DNS traffic is typically allowed through firewalls. The fact that the pattern persists even during idle web traffic confirms it is not related to normal server operations, making isolation and forensic collection the appropriate next step.
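The two indicators above, a fixed query interval and random-looking labels, can both be measured from a DNS query log. The following detector is an added example, not code from the original page; it assumes a constructed log format of "epoch_seconds source_ip qname" and flags any (host, domain) series whose inter-query gaps are nearly constant and whose subdomain labels have high Shannon entropy.

```python
from collections import Counter, defaultdict
from math import log2
from statistics import mean, pstdev

# Constructed sample log, not real traffic: "epoch_seconds src_ip qname".
# 10.0.0.5 beacons every 60 s to random labels under an unused domain;
# 10.0.0.7 shows ordinary, irregular lookups of named hosts.
SAMPLE_LOG = """\
1700000000 10.0.0.5 k3j9x2qz.example-unused.net
1700000060 10.0.0.5 p0wq8vna.example-unused.net
1700000120 10.0.0.5 zz71mlc4.example-unused.net
1700000180 10.0.0.5 q8d3hh2t.example-unused.net
1700000240 10.0.0.5 a4n6yb0e.example-unused.net
1700000003 10.0.0.7 www.example.com
1700000049 10.0.0.7 cdn.example.com
1700000301 10.0.0.7 www.example.com
1700000777 10.0.0.7 mail.example.com
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; random labels score high."""
    n = len(label)
    return -sum(c / n * log2(c / n) for c in Counter(label).values())

def registered_domain(qname: str) -> str:
    """Last two labels (simplification: ignores multi-part public suffixes)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_beacons(log_text, min_queries=4, max_cv=0.2, min_entropy=2.5):
    """Return (src, domain, mean_gap_s, mean_entropy) for suspicious series.
    cv = stdev/mean of the gaps between queries; near 0 means a fixed timer."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, qname = line.split()
        series[(src, registered_domain(qname))].append((int(ts), qname))
    hits = []
    for (src, dom), items in series.items():
        if len(items) < min_queries:
            continue
        items.sort()
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        ent = mean(shannon_entropy(q.split(".")[0]) for _, q in items)
        if cv <= max_cv and ent >= min_entropy:
            hits.append((src, dom, round(mean(gaps)), round(ent, 2)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon candidate:", hit)
```

Thresholds are assumptions to tune per environment; the first hit's mean gap of 60 s is exactly the fixed interval the question describes.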
How to eliminate wrong answers
Option A is wrong because periodic DNS queries to random subdomains under an unused domain are not normal DNS behavior; legitimate DNS queries are typically for known, resolvable domains and do not exhibit a consistent 60-second pattern during idle periods. Option C is wrong because rotating the DNS server's administrator password does not address the compromised web server's outbound C2 traffic; the server itself must be isolated and investigated. Option D is wrong because certificate renewal checks use well-known domains (e.g., from a Certificate Authority) and do not involve random-looking subdomains under an unused domain; ignoring the alert could allow persistent C2 activity to continue.