When performing threat hunting against a DNS server, which traffic toward the affected domain is considered a starting point?

A. HTTPS traffic
B. TCP traffic
C. HTTP traffic
D. UDP traffic


13 thoughts on “When performing threat hunting against a DNS server, which traffic toward the affected domain is considered a starting point?”

  1. The starting point is identifying a DNS server to attack. How? Look for UDP traffic to port 53. Besides, it says traffic to the affected domain, which would be regular DNS queries, not zone transfer or any other DNS function that would use TCP. So it's D, UDP.

  2. Yes, UDP is correct, but in cases where more queries and longer, bigger queries are to be made, TCP traffic will need to be checked. For example, in cases where there are TCP SYN flood attacks, they will definitely utilize this protocol.

  3. DNS uses mainly UDP, so when you find TCP being used, that's a sign that there is an issue. Hence a starting point. Answer is B.

  4. DNS uses UDP natively until the response exceeds 512 bytes, and then it switches to TCP, but generally, if you run a packet capture looking for DNS queries, they will be on UDP port 53.

    DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. The Transmission Control Protocol (TCP) is used when the response data size exceeds 512 bytes, or for tasks such as zone transfers. Some resolver implementations use TCP for all queries.

    Reference: https://en.wikipedia.org/wiki/Domain_Name_System#Protocol_transport

    1. If DNS uses UDP natively, then the answer is D because the question asks “which traffic toward the affected domain is considered a starting point?”. Note it says ‘starting point’.

        1. Dio, you are right UDP is the answer. A good general link is https://www.diffen.com/difference/TCP_vs_UDP

          Threat hunting against a DNS server will begin with UDP traffic analysis, not HTTP or HTTPS necessarily. We are searching out that fragmented, connectionless, lighter-weight malicious traffic. It could be mixed with TCP but our start is the User Datagram frames and packets.

      1. Very vague question, but one key word, and only one, differentiates TCP versus UDP: *starting point*. Your initial thought process with any traffic monitoring of DNS is UDP; unless there are special circumstances or a utility/protocol limitation, you look to TCP second, which has more overhead generally speaking. This is a best-possible-answer deal, and that is D.
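The triage logic the discussion converges on (UDP/53 as the baseline to start from, TCP/53 and oversize answers as the second look, since TCP shows up for responses over 512 bytes and for zone transfers) can be written down as a small hunting pass over flow records. The following is an added example, not code from the page or its commenters; the flow records are constructed, the `Flow` fields and the 512-byte limit are assumptions for the example (the classic non-EDNS0 UDP limit the comments cite), and a real run would feed it flows exported from a capture or NetFlow/IPFIX collector.

```python
from collections import Counter
from dataclasses import dataclass

DNS_PORT = 53
UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP limit without EDNS0 (assumption for this example)


@dataclass(frozen=True)
class Flow:
    """One summarised flow toward a server; field names are assumed for this example."""
    src: str
    dst: str
    proto: str        # "udp" or "tcp"
    dport: int
    payload_bytes: int


# Constructed sample flows (not a real capture): three ordinary UDP queries,
# two TCP/53 flows worth a second look, and one unrelated HTTPS flow.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.53", "udp", 53, 64),
    Flow("10.0.0.5", "192.0.2.53", "udp", 53, 80),
    Flow("10.0.0.7", "192.0.2.53", "udp", 53, 75),
    Flow("10.0.0.9", "192.0.2.53", "tcp", 53, 1500),   # large answer: plausible TCP fallback
    Flow("10.0.0.9", "192.0.2.53", "tcp", 53, 45000),  # zone-transfer-sized TCP session
    Flow("10.0.0.5", "198.51.100.10", "tcp", 443, 3000),  # HTTPS, not DNS: ignored by the hunt
]


def dns_flows(flows):
    """Keep only traffic toward port 53, whatever the transport."""
    return [f for f in flows if f.dport == DNS_PORT]


def top_udp_clients(flows, n=5):
    """Starting point: who is sending the most ordinary UDP/53 queries?"""
    counts = Counter(f.src for f in dns_flows(flows) if f.proto == "udp")
    return counts.most_common(n)


def triage(flows):
    """Split DNS traffic into the UDP baseline and the items that need a second look.

    Returns a dict with:
      udp_baseline   - number of UDP/53 flows (the normal query/reply pattern)
      tcp_to_review  - TCP/53 flows (expected only for >512-byte answers or zone transfers)
      oversize_udp   - UDP/53 flows above the classic limit (should have fallen back to TCP)
    """
    dns = dns_flows(flows)
    udp = [f for f in dns if f.proto == "udp"]
    tcp = [f for f in dns if f.proto == "tcp"]
    oversize_udp = [f for f in udp if f.payload_bytes > UDP_PAYLOAD_LIMIT]
    return {
        "udp_baseline": len(udp),
        "tcp_to_review": tcp,
        "oversize_udp": oversize_udp,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    print("UDP/53 baseline flows:", result["udp_baseline"])
    print("Busiest UDP clients:", top_udp_clients(SAMPLE_FLOWS, 3))
    for f in result["tcp_to_review"]:
        print(f"review TCP/53: {f.src} -> {f.dst} ({f.payload_bytes} bytes)")
    for f in result["oversize_udp"]:
        print(f"oversize UDP/53: {f.src} -> {f.dst} ({f.payload_bytes} bytes)")
```

The order of the functions mirrors the thread's answer: establish the UDP/53 picture first (who is querying, how often), then treat TCP/53 as the smaller, explainable set to review, with zone-transfer-sized sessions and any oversize UDP payloads standing out against that baseline.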
