Exam CFR-310 topic 1 question 27 discussion

B. Dnscat2 Explanation: Dnscat2 is a tool used for creating DNS-based command and control (C2) channels. In this case, the malware is making excessive requests to a DNS server, with domain and host names encoded in hexadecimal. This indicates the use of DNS tunneling for communication between the malware and the command server, which is a key characteristic of Dnscat2. Why the other answers are incorrect: A. Internet Relay Chat (IRC): IRC is an older form of command and control communication often used in botnets, but it doesn't involve DNS requests or encoding hostnames in hexadecimal. C. Custom channel: A custom C2 channel refers to a bespoke communication method, but the question specifies DNS-related traffic, which points specifically to DNS tunneling tools like Dnscat2. D. File Transfer Protocol (FTP): FTP is used for file transfers and is not commonly used for C2 communication, especially in the context of DNS traffic.

The answer is B. Dnscat2. Dnscat2 is a DNS tunneling protocol that can be used to establish a covert communication channel between a malware-infected device and a command and control server. Dnscat2 uses DNS queries to transmit data, which makes it difficult to detect and block.

netcat via DNS protocol