CompTIA Exam CS0-002 Topic 6 Question 73 Discussion

Actual exam question for CompTIA's CS0-002 exam

Question #: 73
Topic #: 6

A cybersecurity analyst inspects DNS logs on a regular basis to identify possible IOCs that are not triggered by known signatures. The analyst reviews the following log snippet:

Which of the following should the analyst do next based on the information reviewed?

AThe analyst should disable DNS recursion.

BThe analyst should block requests to no---thanks. invalid.

CThe analyst should disconnect host 192.168.1.67.

DThe analyst should sinkhole 102.100.20.20.

EThe analyst should disallow queries to the 8.8.8.8 resolver.
A) The analyst should disable DNS recursion is not correct.DNS recursion is a process where a DNS server queries other DNS servers on behalf of a client until it finds the authoritative answer for a domain name2. Disabling DNS recursion would prevent the DNS server from resolving any domain names that are not in its cache or zone files, which would affect the normal functionality of the network and the internet access of the clients.
C) The analyst should disconnect host 192.168.1.67 is not correct. Disconnecting host 192.168.1.67 would stop the communication with the malicious domain, but it would also disrupt the legitimate activities of the host and its user. Moreover, disconnecting the host would not remove the malware or root cause of the compromise, and it would not prevent the host from reconnecting to the malicious domain once it is online again.
D) The analyst should sinkhole 102.100.20.20 is not correct.Sinkholing is a technique that redirects malicious or unwanted traffic to a controlled destination, such as a fake or isolated server3. Sinkholing 102.100.20.20 would prevent the communication with the malicious domain, but it would also require access and control over the public resolver 8.8.8.8, which is not owned or managed by the analyst or the company.
E) The analyst should disallow queries to the 8.8.8.8 resolver is not correct. Disallowing queries to the 8.8.8.8 resolver would prevent the communication with the malicious domain, but it would also affect the resolution of other legitimate domain names that are not in the local DNS server's cache or zone files.
1:DNS Tunneling: how DNS can be (ab)used by malicious actors2:What Is DNS Recursion?3:What Is a Sinkhole Attack?

Show Suggested Answer

Suggested Answer: B

The correct answer is B. The analyst should block requests to no-thanks.invalid. The log snippet shows a DNS query from host 192.168.1.67 to the public resolver 8.8.8.8 for the domain name no-thanks.invalid, which is resolved to the IP address 102.100.20.20.This is a possible indicator of compromise (IOC), as no-thanks.invalid is a known malicious domain that is used by attackers to exfiltrate data or execute commands on compromised hosts1. The analyst should block requests to this domain to prevent further communication with the attacker's server and investigate the host 192.168.1.67 for signs of infection.

by Frederica at Jan 22, 2024, 09:59 PM

Limited Time Offer

25%

Off

Get Premium CS0-002 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Janet

13 days ago

You guys are really overthinking this. The simplest solution is to just disconnect the host at 192.168.1.67. That's the one that's clearly accessing the malicious domain, so cutting it off from the network should stop the threat, right? *laughs* I mean, what could possibly go wrong with that approach?

upvoted 0 times

...

Jolanda

14 days ago

Hmm, sinkholing sounds like a good idea, but it might be tricky to pull off, especially if the 8.8.8.8 resolver is not under the analyst's control. Maybe a better approach would be to disallow queries to that resolver altogether. That way, you can at least prevent further communication with the malicious domain, even if you can't completely sinkhole the traffic.

upvoted 0 times

...

Arleen

15 days ago

I'm not so sure about that. Blocking a single domain might not be enough to address the underlying issue. What if there are other malicious domains being used? I think the analyst should consider sinkholing the IP address 102.100.20.20 to get a better understanding of the threat and potentially identify other indicators of compromise.

upvoted 0 times

Junita

That's a good point. Sinkholing could provide more insights into the threat.

upvoted 0 times

...

Joanna

21 hours ago

Sinkholing the IP address 102.100.20.20 could help identify other indicators of compromise.

upvoted 0 times

...

Ming

16 days ago

This question is tricky, but I think the answer is B - block requests to 'no---thanks.invalid'. The DNS log shows a suspicious domain name that is likely used for malicious purposes, like command and control or data exfiltration. Blocking that domain is the safest option to mitigate the potential threat without disrupting the entire network.

upvoted 0 times

...