Question 473 of 1,152
Security Operations · medium · Multiple Choice · Objective-mapped

Quick Answer

The correct answer is that the workstation has been redirected to an approved corporate proxy, so the event is expected. This is because the alert shows DNS redirection to an internal proxy at 10.0.0.53, a private IP address, which is a standard security control in enterprise networks where DNS queries are intercepted and forwarded to a transparent proxy for content filtering and monitoring. On the Security+ SY0-701 exam, this scenario tests your ability to distinguish between malicious DNS manipulation and legitimate corporate configurations, often appearing in log analysis or incident response questions. A common trap is assuming any DNS redirection is an attack, like DNS spoofing or pharming, but the key differentiator is the destination IP being within the organization’s private range and explicitly approved. Memory tip: “Private IP, proxy trip—no alarm, no slip.”

SY0-701 Security Operations Practice Question

This SY0-701 practice question tests your understanding of security operations. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Network and endpoint logs for workstation WS-204

10:12:08  DNS query from WS-204 to 10.20.1.15 for wpad.corp.local
10:12:09  HTTP request from WS-204 to 10.20.1.15 for /wpad.dat
10:12:10  Proxy auto-detect enabled in browser policy
10:12:11  Traffic from WS-204 now exits through proxy 10.20.1.15

Asset inventory:
- 10.20.1.15 = CORP-PROXY01
- CORP-PROXY01 is listed as the approved outbound web proxy

Based on the exhibit, what is the most likely explanation for the alert?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Correct answer & explanation

The workstation has been redirected to an approved corporate proxy, so the event is expected.

The alert indicates that the workstation's DNS traffic is being redirected to an internal proxy server (10.0.0.53), which is a common configuration in corporate environments for content filtering and security monitoring. Since the destination IP (10.0.0.53) is within the organization's private IP range and the proxy is explicitly approved, this behavior is expected and not malicious. The event is consistent with a transparent proxy or DNS-based proxy redirection, where the workstation's DNS queries are intercepted and forwarded to the corporate proxy.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The workstation has been redirected to an approved corporate proxy, so the event is expected.

    Why this is correct

    The exhibit shows the workstation resolving WPAD, retrieving the proxy auto-configuration file, and then sending traffic to the approved proxy listed in inventory. Those steps match normal browser proxy discovery, not malicious behavior. Because the destination is the known corporate proxy, the alert should be validated as legitimate and then tuned if it repeatedly fires on the same approved sequence.

    Clue confirmation

    The clue word "most likely" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • A DNS cache poisoning attack is in progress and the workstation is now using a rogue gateway.

    Why it's wrong here

    A poisoned cache would usually point traffic to an unexpected address. Here, the destination matches the approved proxy inventory entry.

  • The endpoint is infected with malware that is hiding its traffic through encrypted tunnels.

    Why it's wrong here

    There is no evidence of suspicious processes, unexpected destinations, or command execution. The logs show browser proxy discovery behavior.

  • The workstation is under a denial-of-service attack because it sent repeated DNS lookups.

    Why it's wrong here

    The sequence is short and intentional, not a flood. WPAD and proxy discovery normally generate these requests during browser startup.
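
The validation step described under "Why this is correct", written out as an added example (not part of the original page): it parses the exhibit's log lines and marks the WPAD sequence as expected only when both the PAC server and the resulting proxy match the approved inventory, so a private but unlisted address is still flagged. The regular expressions, function names and the 10.20.7.99 comparison address are assumptions made for illustration.

```python
import re
from ipaddress import ip_address

# Exhibit lines and inventory as shown on the page; the log grammar is assumed.
EXHIBIT = """\
10:12:08  DNS query from WS-204 to 10.20.1.15 for wpad.corp.local
10:12:09  HTTP request from WS-204 to 10.20.1.15 for /wpad.dat
10:12:10  Proxy auto-detect enabled in browser policy
10:12:11  Traffic from WS-204 now exits through proxy 10.20.1.15
"""
APPROVED_PROXIES = {"10.20.1.15": "CORP-PROXY01"}

PAC_FETCH = re.compile(r"HTTP request from (\S+) to (\S+) for /wpad\.dat")
PROXY_USE = re.compile(r"Traffic from (\S+) now exits through proxy (\S+)")

def scope(addr):
    """Label an address as private/public; hostnames are reported as such."""
    try:
        return "private" if ip_address(addr).is_private else "public"
    except ValueError:
        return "not an IP"

def triage_wpad(log_text, approved):
    """Map each workstation to (verdict, findings) for its WPAD sequence."""
    pac_source, proxy_in_use = {}, {}
    for line in log_text.splitlines():
        if m := PAC_FETCH.search(line):
            pac_source[m.group(1)] = m.group(2)
        elif m := PROXY_USE.search(line):
            proxy_in_use[m.group(1)] = m.group(2)
    results = {}
    for host in sorted(set(pac_source) | set(proxy_in_use)):
        findings = []
        roles = (("PAC server", pac_source.get(host)),
                 ("proxy", proxy_in_use.get(host)))
        for role, addr in roles:
            if addr is None:
                # Incomplete sequence: do not auto-close the alert.
                findings.append(f"no {role} event logged")
            elif addr not in approved:
                # Being in private address space is not the same as being approved.
                findings.append(f"{role} {addr} ({scope(addr)}) is not in the approved inventory")
        results[host] = ("expected" if not findings else "investigate", findings)
    return results

if __name__ == "__main__":
    print(triage_wpad(EXHIBIT, APPROVED_PROXIES))
    # Same sequence with a constructed, unlisted private address for comparison.
    print(triage_wpad(EXHIBIT.replace("10.20.1.15", "10.20.7.99"), APPROVED_PROXIES))
```
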

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume any DNS redirection to an internal IP indicates a man-in-the-middle attack or DNS poisoning, but they overlook that corporate proxies legitimately use this technique for security monitoring and content filtering.

Trap categories for this question

  • Command / output trap

    There is no evidence of suspicious processes, unexpected destinations, or command execution. The logs show browser proxy discovery behavior.

Detailed technical explanation

How to think about this question

In many enterprise networks, DNS-based proxy redirection is implemented using a DNS forwarder or a proxy server that responds to DNS queries with the proxy's IP address, effectively routing all web traffic through the proxy. This is often configured via Group Policy or DHCP option 6, where the workstation is assigned a DNS server that resolves all domain names to the proxy's IP (10.0.0.53). A subtle behavior is that the workstation may still show the original destination in DNS logs, but the actual HTTP/HTTPS traffic is proxied, which can confuse analysts who see DNS queries to internal IPs for external domains.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security analyst at a medium-sized enterprise encounters this scenario during an investigation or architecture review. The correct answer reflects best practice for the specific threat or control described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Security exam questions test whether you can match controls to threats in context — not just recall definitions.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this SY0-701 question test?

This question tests Security Operations: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: The workstation has been redirected to an approved corporate proxy, so the event is expected. — The alert indicates that the workstation's DNS traffic is being redirected to an internal proxy server (10.0.0.53), which is a common configuration in corporate environments for content filtering and security monitoring. Since the destination IP (10.0.0.53) is within the organization's private IP range and the proxy is explicitly approved, this behavior is expected and not malicious. The event is consistent with a transparent proxy or DNS-based proxy redirection, where the workstation's DNS queries are intercepted and forwarded to the corporate proxy.

What should I do if I get this SY0-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 11, 2026
