The answer is DNS tunneling used for command-and-control or data transfer. This is correct because the exhibit shows a host with minimal internet-bound traffic yet highly unusual DNS behavior, such as frequent queries to a single domain or abnormally large DNS query sizes—a classic sign that data is being encoded within DNS packets to bypass network controls. On the Security+ SY0-701 exam, this scenario tests your ability to recognize covert channels and anomalous traffic patterns, often appearing as a “most likely explanation” question where the trap is confusing DNS tunneling with a simple DNS amplification attack or malware download. The key differentiator is the lack of other traffic: normal web browsing or data transfers would generate HTTP/HTTPS activity, whereas DNS tunneling relies solely on DNS to exfiltrate data or maintain C2 communication. Memory tip: “DNS doesn’t dance alone—if it’s the only traffic, think tunneling.”
SY0-701 Threats, Vulnerabilities, and Mitigations Practice Question
This SY0-701 practice question tests your understanding of threats, vulnerabilities, and mitigations. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: DNS tunneling encodes data within DNS queries and responses. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
DNS query log excerpt:
Host: CORP-LT-17
16:18:02 a9f3d1k2d.update-check.com A NXDOMAIN
16:18:03 b7p9q2s1n.update-check.com A NXDOMAIN
16:18:04 k8z1m4c7r.update-check.com A NXDOMAIN
16:18:05 u3n6t9x0v.update-check.com A NXDOMAIN
16:18:06 9q2m7a4p1.update-check.com A NXDOMAIN
Proxy log excerpt:
No corresponding HTTP or HTTPS sessions observed
TTL observed: 60 seconds on all queries
Based on the exhibit, what is the MOST likely explanation for the network traffic?
The affected host is not showing a large amount of internet-bound traffic, but its DNS behavior is highly unusual.
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
A
DNS tunneling used for command-and-control or data transfer
The long random-looking subdomains, repeated NXDOMAIN responses, and lack of normal web traffic are consistent with malicious DNS-based communication.
B
ARP poisoning causing the host to redirect traffic to a rogue gateway
Why wrong: ARP poisoning would mainly affect local layer-2 behavior, not produce repeated suspicious DNS subdomain lookups with NXDOMAIN responses.
C
A browser cache synchronization feature repeatedly polling a cloud service
Why wrong: Legitimate synchronization usually generates consistent service traffic and valid endpoints, not random-looking subdomains and repeated failures.
D
A misconfigured static route sending all web traffic to the wrong subnet
Why wrong: A routing error would affect broader connectivity, but it would not specifically create this distinctive DNS query pattern.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
DNS tunneling used for command-and-control or data transfer
The exhibit shows a host with minimal internet-bound traffic but highly unusual DNS behavior, such as frequent queries to a single domain or large DNS query sizes. This pattern is characteristic of DNS tunneling, where data is encoded in DNS queries and responses to bypass network controls, often used for command-and-control (C2) communication or covert data exfiltration. The lack of other traffic indicates the host is not performing normal web browsing or data transfers, making DNS tunneling the most likely explanation.
Key principle: DNS tunneling encodes data within DNS queries and responses.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
DNS tunneling used for command-and-control or data transfer
Why this is correct
The long random-looking subdomains, repeated NXDOMAIN responses, and lack of normal web traffic are consistent with malicious DNS-based communication.
Clue confirmation
The clue word "most likely" in the question points toward this answer.
Related concept
DNS tunneling encodes data within DNS queries and responses.
✗
ARP poisoning causing the host to redirect traffic to a rogue gateway
Why it's wrong here
ARP poisoning would mainly affect local layer-2 behavior, not produce repeated suspicious DNS subdomain lookups with NXDOMAIN responses.
✗
A browser cache synchronization feature repeatedly polling a cloud service
Why it's wrong here
Legitimate synchronization usually generates consistent service traffic and valid endpoints, not random-looking subdomains and repeated failures.
✗
A misconfigured static route sending all web traffic to the wrong subnet
Why it's wrong here
A routing error would affect broader connectivity, but it would not specifically create this distinctive DNS query pattern.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates may overlook the significance of 'unusual DNS behavior' and minimal internet traffic, instead focusing on common attacks like ARP poisoning or benign browser features, which would produce different traffic patterns (e.g., high traffic or periodic HTTP requests).
Detailed technical explanation
How to think about this question
DNS tunneling exploits the DNS protocol by encoding data in the subdomain labels of queries or in TXT record responses, allowing attackers to bypass firewalls and proxies that do not inspect DNS traffic. Tools like dnscat2 or Iodine use this technique to create a bidirectional tunnel, with the DNS server acting as a relay to a C2 server. In real-world scenarios, this is often detected by analyzing DNS query entropy, volume, or the presence of base64-encoded subdomains.
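The detection heuristics named above (label entropy, query volume, unique subdomains and the NXDOMAIN ratio) run over the exhibit's log lines, as an added Python example that is not part of the original page. Grouping by the last two labels and the threshold values are assumptions for illustration, and the two www.example.com lines are constructed to show a benign domain passing the check.

```python
import math
from collections import Counter, defaultdict

# Constructed sample: the five exhibit lines plus two benign lookups added for contrast.
SAMPLE_LOG = """\
16:18:02 a9f3d1k2d.update-check.com A NXDOMAIN
16:18:03 b7p9q2s1n.update-check.com A NXDOMAIN
16:18:04 k8z1m4c7r.update-check.com A NXDOMAIN
16:18:05 u3n6t9x0v.update-check.com A NXDOMAIN
16:18:06 9q2m7a4p1.update-check.com A NXDOMAIN
16:18:07 www.example.com A NOERROR
16:18:08 www.example.com A NOERROR
"""

def shannon_entropy(label: str) -> float:
    """Bits per character; encoded data scores close to log2(len(label))."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def domain_stats(log_text: str) -> dict:
    """Group queries by the last two labels (assumed to be the registrable domain)."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "labels": set(), "entropy": []})
    for line in log_text.splitlines():
        parts = line.split()  # expected: timestamp qname qtype rcode
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, qname, _qtype, rcode = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare domain, no subdomain label to score
        s = stats[".".join(labels[-2:])]
        s["queries"] += 1
        s["nxdomain"] += 1 if rcode == "NXDOMAIN" else 0
        s["labels"].add(labels[0])  # leftmost label is where encoded data would sit
        s["entropy"].append(shannon_entropy(labels[0]))
    return stats

def flag_tunneling(log_text: str, min_queries=5, min_entropy=2.5, min_nx_ratio=0.8) -> list:
    """Return (domain, mean_entropy, nxdomain_ratio) for domains whose lookups look like encoded data."""
    flagged = []
    for base, s in domain_stats(log_text).items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = len(s["labels"]) / s["queries"]  # near 1.0 means labels never repeat
        mean_entropy = sum(s["entropy"]) / len(s["entropy"])
        nx_ratio = s["nxdomain"] / s["queries"]
        if unique_ratio >= 0.8 and mean_entropy >= min_entropy and nx_ratio >= min_nx_ratio:
            flagged.append((base, round(mean_entropy, 2), nx_ratio))
    return flagged
```

On the sample, only update-check.com is flagged: every label is unique, the mean label entropy is about 3.13 bits per character, and all five answers were NXDOMAIN.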
Key Concepts to Remember
DNS tunneling encodes data within DNS queries and responses.
It often uses long, random-looking subdomains for data exfiltration.
NXDOMAIN responses can be part of the communication channel.
DNS tunneling can bypass firewalls that only inspect common web ports.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
DNS tunneling encodes data within DNS queries and responses.
Real-world example
How this comes up in practice
A SOC analyst notices unusual lateral movement in the network at 2 AM. The IR playbook dictates: identify and contain (isolate the affected machine), then eradicate (remove the malware), then recover (restore from backup), then document. Skipping containment before eradication risks the attacker regaining access. Questions like this test the sequence and rationale of incident response phases.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this SY0-701 question in full detail.
Review the key principle (DNS tunneling encodes data within DNS queries and responses), then practise related SY0-701 questions on the same topic to reinforce the concept.
Threats, Vulnerabilities, and Mitigations — This question tests Threats, Vulnerabilities, and Mitigations — DNS tunneling encodes data within DNS queries and responses.
What is the correct answer to this question?
The correct answer is: DNS tunneling used for command-and-control or data transfer — The exhibit shows a host with minimal internet-bound traffic but highly unusual DNS behavior, such as frequent queries to a single domain or large DNS query sizes. This pattern is characteristic of DNS tunneling, where data is encoded in DNS queries and responses to bypass network controls, often used for command-and-control (C2) communication or covert data exfiltration. The lack of other traffic indicates the host is not performing normal web browsing or data transfers, making DNS tunneling the most likely explanation.
What should I do if I get this SY0-701 question wrong?
Review the key principle (DNS tunneling encodes data within DNS queries and responses), then practise related SY0-701 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
DNS tunneling encodes data within DNS queries and responses.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.