ARP poisoning causing the host to redirect traffic to a rogue gateway

ARP poisoning would mainly affect local layer-2 behavior, not produce repeated suspicious DNS subdomain lookups with NXDOMAIN responses.

A browser cache synchronization feature repeatedly polling a cloud service

Legitimate synchronization usually generates consistent service traffic and valid endpoints, not random-looking subdomains and repeated failures.

A misconfigured static route sending all web traffic to the wrong subnet

A routing error would affect broader connectivity, but it would not specifically create this distinctive DNS query pattern.

What does this SY0-701 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: DNS tunneling used for command-and-control or data transfer — The pattern is highly consistent with DNS tunneling or a DNS-based command-and-control channel. The subdomains are long and randomized, the requests mostly fail with NXDOMAIN, and there is no corresponding HTTP or HTTPS activity. Attackers often use DNS this way because it is widely allowed out of networks and can bypass traditional web filtering. The low TTL and repetitive structure further suggest automated beaconing rather than normal application behavior. Why others are wrong: ARP poisoning is a layer-2 attack and would not explain the specific DNS query pattern. A cloud sync client would normally contact known service endpoints and generate successful lookups, not repeated random subdomain failures. A bad static route could break connectivity, but it would not create a stream of structured DNS requests that look like encoded data or command traffic.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.