A
The use of NULL queries in DNS traffic, also known as NULL QTYPE or QTYPE 10, can be associated with certain DNS tunneling or reconnaissance techniques. While NULL queries are part of the DNS protocol (defined in RFC 1035), their usage for legitimate purposes is limited. When NULL queries are observed in DNS traffic, it might indicate potential security concerns or be associated with specific attacks.
It's the same picture used in hack.lu CTF:
Here is the write-up (already mentioned by "weganos" in his comment) where the DNS tunnel technique is explained:
Hack.lu CTF - Challenge 9 "bottle" writeup, extracting data from an iodine DNS tunnel
(https://blog.stalkr.net/2010/10/hacklu-ctf-challenge-9-bottle-writeup.html)
Comparing PCAPs of Amplification vs. Tunneling, it's clear that Amplification involves many standard query responses and MANY fewer queries. DNS Tunneling is much more feasible in this situation because of the back-and-forth communication between source and dest. and the conversation of QUERY > REQUEST > QUERY > REQUEST and so forth.
DNS tunneling involves using the DNS protocol to create a covert communication channel between two endpoints. This is achieved by encoding data within DNS queries or responses, which can then be sent between the endpoints without detection by security systems. DNS tunneling can be used to bypass firewalls, exfiltrate data, or carry out other malicious activities.
DNS amplification, on the other hand, involves exploiting the characteristics of the DNS protocol to amplify the volume of traffic directed at a target server. This is achieved by sending a small DNS query to a DNS server that is configured to respond with a much larger DNS response. The attacker can then spoof the source IP address of the query, causing the amplified response to be sent to the target server. This can result in a DDoS (Distributed Denial of Service) attack, where the target server is overwhelmed with traffic and becomes unavailable to legitimate users.
In the case of DNS amplification, the log file would show a large number of requests coming from a spoofed source IP address, directed at open DNS resolvers. The responses from the resolvers would be much larger than the requests, resulting in a high volume of traffic being sent to the target.
Similarly, in DNS tunneling, the log file would show a large number of DNS requests and responses, but with a much lower volume of traffic compared to an amplification attack. Additionally, the logs would show that the *requests and responses contain data* that is not typical of normal DNS traffic, indicating that it is being used to exfiltrate data.
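As an added example (not from this discussion or from any commenter's post), the following Python script turns the two log-level contrasts described above into per-client heuristics and runs them over a constructed, simplified resolver log: amplification shows the same name queried repeatedly with responses far larger than the requests, while tunneling shows many distinct, high-entropy labels carried in payload-friendly query types (NULL, QTYPE 10 as mentioned earlier in the thread, plus TXT) with responses about the size of the requests. The log format, the field names, the threshold values and the set of tunneling-associated query types are assumptions made for this example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic). The format is an assumption
# made for this example: client_ip qname qtype request_bytes response_bytes
SAMPLE_LOG = """\
10.0.0.5 aGVsbG8gd29ybGQK.c1.tun.example NULL 64 140
10.0.0.5 ZXhmaWwgZGF0YSBoZXJl.c1.tun.example NULL 68 150
10.0.0.5 bW9yZSBzZWNyZXRz.c1.tun.example TXT 62 145
10.0.0.5 c3RpbGwgbW9yZQ.c1.tun.example NULL 60 138
10.0.0.5 bGFzdCBjaHVuaw.c1.tun.example TXT 59 132
203.0.113.9 isc.example ANY 45 3100
203.0.113.9 isc.example ANY 45 3100
203.0.113.9 isc.example ANY 45 3100
203.0.113.9 isc.example ANY 45 3100
203.0.113.9 isc.example ANY 45 3100
192.0.2.20 www.example A 42 80
192.0.2.20 mail.example MX 44 110
"""

# Query types that rarely appear in ordinary client traffic but are favoured by
# tunnelling tools (NULL is QTYPE 10 in RFC 1035). Assumed set for this example.
TUNNEL_QTYPES = {"NULL", "TXT"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (client, qname, qtype, req_bytes, resp_bytes) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines instead of crashing
        client, qname, qtype, req, resp = parts
        yield client, qname.lower(), qtype.upper(), int(req), int(resp)


def per_client_stats(text: str) -> dict:
    """Aggregate, per client IP, the signals that separate tunnelling from amplification."""
    agg = defaultdict(lambda: {"queries": 0, "names": set(), "req": 0,
                               "resp": 0, "tunnel_qtype": 0, "entropy_sum": 0.0})
    for client, qname, qtype, req, resp in parse_log(text):
        a = agg[client]
        a["queries"] += 1
        a["names"].add(qname)
        a["req"] += req
        a["resp"] += resp
        a["tunnel_qtype"] += qtype in TUNNEL_QTYPES
        # Tunnel payloads ride in the leftmost label, so measure its entropy.
        a["entropy_sum"] += shannon_entropy(qname.split(".")[0])
    stats = {}
    for client, a in agg.items():
        q = a["queries"]
        stats[client] = {
            "queries": q,
            "unique_name_ratio": len(a["names"]) / q,
            "amp_factor": a["resp"] / a["req"] if a["req"] else 0.0,
            "tunnel_qtype_ratio": a["tunnel_qtype"] / q,
            "mean_label_entropy": a["entropy_sum"] / q,
        }
    return stats


def classify(s: dict, min_queries: int = 5) -> str:
    """Thresholds are illustrative assumptions; tune them against your own baseline."""
    if s["queries"] < min_queries:
        return "benign"
    # Amplification: the same name over and over, replies far larger than queries.
    if s["amp_factor"] >= 10 and s["unique_name_ratio"] <= 0.2:
        return "amplification"
    # Tunnelling: each query carries a fresh, high-entropy label in a
    # payload-friendly qtype, and replies are roughly the size of the queries.
    if (s["mean_label_entropy"] >= 3.0 and s["unique_name_ratio"] >= 0.8
            and s["tunnel_qtype_ratio"] >= 0.5):
        return "tunneling"
    return "benign"


def classify_log(text: str) -> dict:
    """Map each client IP in the log to a verdict."""
    return {client: classify(s) for client, s in per_client_stats(text).items()}


if __name__ == "__main__":
    for client, verdict in classify_log(SAMPLE_LOG).items():
        print(f"{client:<14} {verdict}")
```

Note that in the amplification case the "client" the resolver logs is the spoofed source, i.e. the victim, so the verdict identifies where the amplified traffic is being aimed rather than who sent the queries; the tunneling verdict, by contrast, does point at the endpoint carrying the covert channel.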
Is this an actual CISCO question? It seems to be a CTF on Hack.lu. Here's a write-up: https://blog.stalkr.net/2010/10/hacklu-ctf-challenge-9-bottle-writeup.html
The Answer is A: DNS tunneling
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters: dusanhu (6 months, 2 weeks ago), RoBery (1 year, 3 months ago), Max_DeJaV (1 year, 8 months ago), Isuckatexams (1 year, 11 months ago), Isuckatexams (1 year, 11 months ago), drdecker100 (2 years, 2 months ago), sami43 (2 years, 2 months ago), weganos (2 years, 4 months ago), wynrox (2 years, 4 months ago), MaliDong (2 years, 6 months ago), cy_analyst (2 years, 6 months ago), apebrz (2 years, 6 months ago)