The correct answer is that the workstation has been redirected to an approved corporate proxy, so the event is expected. This is because the alert shows DNS redirection to an internal proxy at 10.0.0.53, a private IP address, which is a standard security control in enterprise networks where DNS queries are intercepted and forwarded to a transparent proxy for content filtering and monitoring. On the Security+ SY0-701 exam, this scenario tests your ability to distinguish between malicious DNS manipulation and legitimate corporate configurations, often appearing in log analysis or incident response questions. A common trap is assuming any DNS redirection is an attack, like DNS spoofing or pharming, but the key differentiator is the destination IP being within the organization’s private range and explicitly approved. Memory tip: “Private IP, proxy trip—no alarm, no slip.”
SY0-701 Security Operations Practice Question
This SY0-701 practice question tests your understanding of security operations. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Network and endpoint logs for workstation WS-204
10:12:08 DNS query from WS-204 to 10.20.1.15 for wpad.corp.local
10:12:09 HTTP request from WS-204 to 10.20.1.15 for /wpad.dat
10:12:10 Proxy auto-detect enabled in browser policy
10:12:11 Traffic from WS-204 now exits through proxy 10.20.1.15
Asset inventory:
- 10.20.1.15 = CORP-PROXY01
- CORP-PROXY01 is listed as the approved outbound web proxy
Based on the exhibit, what is the most likely explanation for the alert?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
A. The workstation has been redirected to an approved corporate proxy, so the event is expected.
The exhibit shows the workstation resolving WPAD, retrieving the proxy auto-configuration file, and then sending traffic to the approved proxy listed in inventory. Those steps match normal browser proxy discovery, not malicious behavior. Because the destination is the known corporate proxy, the alert should be validated as legitimate and then tuned if it repeatedly fires on the same approved sequence.
B. A DNS cache poisoning attack is in progress and the workstation is now using a rogue gateway.
Why wrong: A poisoned cache would usually point traffic to an unexpected address. Here, the destination matches the approved proxy inventory entry.
C. The endpoint is infected with malware that is hiding its traffic through encrypted tunnels.
Why wrong: There is no evidence of suspicious processes, unexpected destinations, or command execution. The logs show browser proxy discovery behavior.
D. The workstation is under a denial-of-service attack because it sent repeated DNS lookups.
Why wrong: The sequence is short and intentional, not a flood. WPAD and proxy discovery normally generate these requests during browser startup.
Correct answer & explanation
✓ The workstation has been redirected to an approved corporate proxy, so the event is expected.
The alert indicates that the workstation's DNS traffic is being redirected to an internal proxy server (10.0.0.53), which is a common configuration in corporate environments for content filtering and security monitoring. Since the destination IP (10.0.0.53) is within the organization's private IP range and the proxy is explicitly approved, this behavior is expected and not malicious. The event is consistent with a transparent proxy or DNS-based proxy redirection, where the workstation's DNS queries are intercepted and forwarded to the corporate proxy.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓ The workstation has been redirected to an approved corporate proxy, so the event is expected.
Why this is correct
The exhibit shows the workstation resolving WPAD, retrieving the proxy auto-configuration file, and then sending traffic to the approved proxy listed in inventory. Those steps match normal browser proxy discovery, not malicious behavior. Because the destination is the known corporate proxy, the alert should be validated as legitimate and then tuned if it repeatedly fires on the same approved sequence.
Clue confirmation
The clue word "most likely" in the question points toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
✗ A DNS cache poisoning attack is in progress and the workstation is now using a rogue gateway.
Why it's wrong here
A poisoned cache would usually point traffic to an unexpected address. Here, the destination matches the approved proxy inventory entry.
✗ The endpoint is infected with malware that is hiding its traffic through encrypted tunnels.
Why it's wrong here
There is no evidence of suspicious processes, unexpected destinations, or command execution. The logs show browser proxy discovery behavior.
✗ The workstation is under a denial-of-service attack because it sent repeated DNS lookups.
Why it's wrong here
The sequence is short and intentional, not a flood. WPAD and proxy discovery normally generate these requests during browser startup.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often assume any DNS redirection to an internal IP indicates a man-in-the-middle attack or DNS poisoning, but they overlook that corporate proxies legitimately use this technique for security monitoring and content filtering.
Trap categories for this question
Command / output trap
There is no evidence of suspicious processes, unexpected destinations, or command execution. The logs show browser proxy discovery behavior.
Detailed technical explanation
How to think about this question
In many enterprise networks, DNS-based proxy redirection is implemented using a DNS forwarder or a proxy server that responds to DNS queries with the proxy's IP address, effectively routing all web traffic through the proxy. This is often configured via Group Policy or DHCP option 6, where the workstation is assigned a DNS server that resolves all domain names to the proxy's IP (10.0.0.53). A subtle behavior is that the workstation may still show the original destination in DNS logs, but the actual HTTP/HTTPS traffic is proxied, which can confuse analysts who see DNS queries to internal IPs for external domains.
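The reasoning behind the correct answer (validate the destination against the asset inventory, recognise the WPAD discovery sequence, then tune the alert) and the analyst confusion described above can be turned into a small triage routine. The following Python script is an added example, not part of the Courseiva page or its question bank. It assumes an approved-proxy inventory held as a dictionary (constructed from the exhibit) and parses the exhibit's four log lines plus a second, constructed log set for a hypothetical workstation WS-311 whose PAC file and proxy come from an address that is private but not in inventory; that second case is what the routine should flag.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Asset inventory as stated in the exhibit: the only approved outbound web proxy.
APPROVED_PROXIES = {"10.20.1.15": "CORP-PROXY01"}

# The exhibit's own log lines for WS-204 (expected WPAD discovery sequence).
EXHIBIT_LOGS = [
    "10:12:08 DNS query from WS-204 to 10.20.1.15 for wpad.corp.local",
    "10:12:09 HTTP request from WS-204 to 10.20.1.15 for /wpad.dat",
    "10:12:10 Proxy auto-detect enabled in browser policy",
    "10:12:11 Traffic from WS-204 now exits through proxy 10.20.1.15",
]

# Constructed variant (hypothetical WS-311): same sequence, but the PAC file and
# the resulting proxy are a private address that is NOT in the inventory.
SUSPECT_LOGS = [
    "10:40:02 DNS query from WS-311 to 10.20.1.15 for wpad.corp.local",
    "10:40:03 HTTP request from WS-311 to 10.20.7.99 for /wpad.dat",
    "10:40:04 Proxy auto-detect enabled in browser policy",
    "10:40:05 Traffic from WS-311 now exits through proxy 10.20.7.99",
]

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Triage:
    verdict: str                 # "expected" or "investigate"
    wpad_sequence: bool          # wpad DNS lookup -> /wpad.dat fetch -> proxy in use
    proxy_ips: list = field(default_factory=list)   # proxies the host now exits through
    pac_sources: list = field(default_factory=list) # hosts that served /wpad.dat
    unapproved: list = field(default_factory=list)  # any of the above not in inventory
    all_private: bool = True     # every destination sits in RFC 1918 space


def parse(lines):
    """Split each log line into (timestamp, message, [IPs found in message])."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not carry a timestamp
        msg = m.group("msg")
        events.append((m.group("ts"), msg, IP_RE.findall(msg)))
    return events


def triage(lines, approved=APPROVED_PROXIES):
    """Classify a WPAD/proxy alert: expected if the full discovery sequence is
    present and every proxy/PAC destination is an approved inventory entry."""
    events = parse(lines)
    saw_wpad_dns = any("DNS query" in msg and "wpad." in msg for _, msg, _ in events)
    pac_sources = [ips[-1] for _, msg, ips in events
                   if "HTTP request" in msg and "/wpad.dat" in msg and ips]
    proxy_ips = [ips[-1] for _, msg, ips in events
                 if "exits through proxy" in msg and ips]
    wpad_sequence = saw_wpad_dns and bool(pac_sources) and bool(proxy_ips)

    destinations = sorted(set(pac_sources + proxy_ips))
    # "Private IP" alone is not the differentiator; the inventory entry is.
    unapproved = [ip for ip in destinations if ip not in approved]
    all_private = all(ipaddress.ip_address(ip).is_private for ip in destinations)

    verdict = "expected" if wpad_sequence and not unapproved else "investigate"
    return Triage(verdict, wpad_sequence, proxy_ips, pac_sources, unapproved, all_private)


if __name__ == "__main__":
    for name, logs in (("WS-204 (exhibit)", EXHIBIT_LOGS), ("WS-311 (constructed)", SUSPECT_LOGS)):
        print(name, triage(logs))
```

The design point is the one the wrong answers miss: the verdict keys on the inventory match, not on the destination merely being a private address. The WS-311 case is private on every hop yet still returns "investigate" because 10.20.7.99 is not CORP-PROXY01. In practice the `approved` dictionary would be loaded from the CMDB rather than hard-coded, and a repeated "expected" verdict for the same sequence is the signal to tune the alert.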
Key Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A security analyst at a medium-sized enterprise encounters this scenario during an investigation or architecture review. The correct answer reflects best practice for the specific threat or control described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Security exam questions test whether you can match controls to threats in context — not just recall definitions.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this SY0-701 question in full detail.
Security Operations — This question tests Security Operations. Read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: The workstation has been redirected to an approved corporate proxy, so the event is expected. — The alert indicates that the workstation's DNS traffic is being redirected to an internal proxy server (10.0.0.53), which is a common configuration in corporate environments for content filtering and security monitoring. Since the destination IP (10.0.0.53) is within the organization's private IP range and the proxy is explicitly approved, this behavior is expected and not malicious. The event is consistent with a transparent proxy or DNS-based proxy redirection, where the workstation's DNS queries are intercepted and forwarded to the corporate proxy.
What should I do if I get this SY0-701 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.