This is a tricky question.
Communication on port 53 (both TCP and UDP) is used by DNS but usage of port 53 itself does NOT mean that we are using DNS encapsulation.
For DNS tunneling to be successful, we need to use the real DNS protocol (i.e. DNS headers) and payload, where exfiltrated data are placed as part of the domain in question.
With no DNS encapsulation, traffic would NOT reach the attacker's destination server (resolution of queries by a DNS server is needed here, and forwarding them to the attacker's domain's authoritative DNS server).
So the correct answer is "part of the domain name", which means we are talking about real DNS communication where the domain name is used to exfiltrate data (not just any L4 protocol with port 53).
DNS Tunneling:
1. The attacker acquires a domain, for example, evilsite.com.
2. The attacker configures the domain’s name servers to his own DNS server.
3. The attacker delegates a subdomain, such as “tun.evilsite.com” and configures his machine as the subdomain’s authoritative DNS server.
4. Any DNS request made by the victim to “{data}.tun.evilsite.com” will end up reaching the attacker’s machine.
5. The attacker’s machine encodes a response that will get routed back to the victim’s machine.
6. A bidirectional data transfer channel is achieved using a DNS tunneling tool.
See diagram here:
https://www.cynet.com/attack-techniques-hands-on/how-hackers-use-dns-tunneling-to-own-your-network/
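A defender's view of steps 4 to 6, as an added example that is not part of the original thread: because the data rides in the labels left of the delegated domain, a resolver log shows one base domain receiving many distinct long, random-looking labels. The query names below are constructed (only `tun.evilsite.com` comes from the post), and the thresholds and the "last two labels" base-domain rule are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of queried names (not from a real capture).
QUERIES = [
    "www.example.com", "mail.example.com", "api.example.com", "www.example.com",
    "static-assets-eu-west-1.cdn.example.net",
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0.tun.evilsite.com",
    "a1b2c3d4e5f60798a1b2c3d4e5f60798.tun.evilsite.com",
    "fedcba98765432100123456789abcdef.tun.evilsite.com",
]

def entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Return (base_domain, longest_label_left_of_it).
    Assumption: the base domain is the last two labels; production code
    should use the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    sub = labels[:-2]
    return ".".join(labels[-2:]), max(sub, key=len, default="")

def suspicious_domains(queries, min_unique=3, min_len=24, min_entropy=3.5):
    """Flag base domains that receive many distinct long, random-looking labels."""
    seen = defaultdict(set)
    for q in queries:
        base, label = split_name(q)
        # Assumed thresholds: tune against your own resolver logs.
        if len(label) >= min_len and entropy(label) >= min_entropy:
            seen[base].add(label)
    return sorted(b for b, labels in seen.items() if len(labels) >= min_unique)

if __name__ == "__main__":
    print(suspicious_domains(QUERIES))
```

Ordinary names such as `www` or a single long CDN hostname stay below the thresholds; only the domain with repeated distinct high-entropy labels is reported.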
A is the answer.
Please check below:
https://www.infoblox.com/dns-security-resource-center/dns-security-issues-threats/dns-security-threats-data-exfiltration/
While DNS tunneling attacks typically use UDP due to its lightweight and connectionless nature, there are indeed methods and tools that leverage TCP for DNS tunneling.
Should be A:
During a DNS tunnelling attack, data is sent out to the attacker as part of the domain name. DNS tunnelling involves using DNS protocols to bypass traditional network security measures and establish a covert communication channel between an attacker-controlled server and a compromised device.
In a DNS tunnelling attack, the attacker embeds the data they want to exfiltrate or send out within the subdomains or labels of the domain name. By encoding the data in the domain name, the attacker can hide the information in DNS queries or responses.
The compromised device or malware on the device generates DNS queries or requests with the embedded data in the domain name. These queries are sent to the attacker-controlled DNS server. The attacker's DNS server interprets the embedded data in the domain name and extracts it from the DNS queries.
I'd go for B here, the exfiltrated information (data sent TO the attacker) cannot go as part of the domain name, it must be part of the payload. Check this question, which can provide a little more enlightenment:
https://www.examtopics.com/discussions/cisco/view/64962-exam-350-701-topic-1-question-16-discussion/
The correct answer is A. as part of the domain name.
During a DNS tunneling attack, data is sent out to the attacker as part of the domain name. DNS (Domain Name System) is primarily designed to resolve domain names to IP addresses and vice versa. However, in a DNS tunneling attack, attackers exploit the DNS protocol to bypass traditional network security measures and exfiltrate data.
The data that is captured is sent as the sub-domain DNS query.
As Jessie45785 pointed out
https://blogs.blackberry.com/en/2023/03/dns-tunneling-guide-to-detection-and-prevention
The truth is both A and B are correct, but knowing how Cisco builds its questions I would go for A - there is also an article which supports my statement:
https://blogs.blackberry.com/en/2023/03/dns-tunneling-guide-to-detection-and-prevention
During a DNS tunneling attack, data is sent out to the attacker as part of the domain name. DNS (Domain Name System) is a protocol used to convert domain names into IP addresses that computers can use to communicate with each other over the internet. In a DNS tunneling attack, an attacker takes advantage of the fact that DNS requests and responses can contain more than just domain name information. The attacker can use the additional space in the DNS message to encode data, effectively tunneling it out through the DNS system.
B. Data can be sent out to the attacker during a DNS tunneling attack as part of the UDP/53 packet payload. In this type of attack, the attacker creates a covert communication channel over the DNS protocol by encoding data into the payload of DNS requests and responses. The encoded data is sent as part of the UDP/53 packet payload, which is normally used to carry DNS query and response messages. The data is then decoded by the attacker, who can use this information to gain unauthorized access to the target network or steal sensitive information.
DNS Tunneling is a method of cyber attack that encodes the data of other programs or protocols in DNS queries and responses. DNS tunneling often includes data payloads that can be added to an attacked DNS server and used to control a remote server and applications.
NikoNiko (Highly Voted, 2 years, 4 months ago)
NikoNiko (2 years, 4 months ago)
leowulf (Highly Voted, 2 years, 2 months ago)
MPoels (Most Recent, 9 months ago)
ums008 (1 year, 4 months ago)
DWizard (1 year, 4 months ago)
DWizard (1 year, 4 months ago)
GCalvo (1 year, 6 months ago)
unclemonkeyboy (1 year, 7 months ago)
Jessie45785 (1 year, 7 months ago)
achille5 (1 year, 9 months ago)
sull3y (1 year, 9 months ago)
ddev3737 (1 year, 10 months ago)
Emlia1 (2 years ago)
Fugashi (2 years, 6 months ago)
Pwned (2 years, 6 months ago)