Exam 350-701 topic 1 question 16 discussion

I would go with B, based on the question . because we are asked how is DNS tunneling used, and the attacker encodes text information in base64 to then send it to the malicious DNS server which is mentioned at the end of the question (DNS server rebuilds the exfiltrated data) "C" does not explain how the information is encoded.

The answer is B.

Attackers can use outbound DNS requests to send encoded exfiltrated data to their infrastructure. The DNS tunneling client malware on the infected machine reads the data to be exfiltrated line by line, slices the data into small chunks and performs base64 encoding on each line. So, option B is the closest to describing how DNS tunneling is used to exfiltrate data out of a corporate network.

Maybe it is just me, but I can't see how "redirection" would fit in. "attackers use the DNS protocol to embed data within packets in DNS queries", and get the data shipped out to the attackers DNS server. (not redirecting, just directing it to the malicious server) The data needs to be split into smaller chunks (to be protocol conform), and is often encoded with base64. https://www.akamai.com/glossary/what-is-dns-data-exfiltration https://bluegoatcyber.com/blog/dns-exfiltration-with-base64-encoding-a-stealthy-data-theft-technique/ I vote for B.

B is correct

Well, for me it all depends if these answers are really worded like this. If so, then B cannot be correct, because DNS servers do not rebuild information (DNS server's role is to handle DNS queries and responses). Option C seems to be the most logical, since the data is encoded, then the encoded payload is inserted into DNS queries and manipulated DNS packets are sent to a malicious DNS server controlled by the attacker. I think I will go with answer C because of that.

The DNS server can not rebuild information.

This is C

B is false imo - "It encodes the payload with RANDOM characters..." - What is the point of exfiltrating random characters?

I think the correct answer is C. B - "It encodes the payload with RANDOM characters..." There is no sense to exfiltrate random data..

B. It encodes the payload with random characters that are broken into short strings and the DNS server rebuilds the exfiltrated data DNS Tunneling is a technique used to exfiltrate data out of a corporate network by encoding the payload with random characters that are broken into short strings and then sending these strings as DNS queries. These queries are sent to a domain controlled by the attacker, which then rebuilds the exfiltrated data. This technique takes advantage of the fact that many corporate networks allow outgoing DNS queries, while other types of traffic may be blocked. Option A, It leverages the DNS server by permitting recursive lookups to spread the attack to other DNS servers, is not exactly the way DNS Tunneling works, it's more about encoding data into DNS queries and exfiltrating it through this channel.

C should be the correct answer. for more inforwation watch this short vid https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling

Once the desired data is obtained, the payload encodes the data as a series of 32 characters broken into short strings... The problem with answer C, is that this not only to get credentials

Im leaning more toward C in this case. Is the point of the DNS attack not to redirect the victim to a server to then attempt to steal data?