Free Isaca CCOA Actual Exam Questions - Question 5 Discussion

Question No. 5
An attacker has compromised a number of systems on an organization's network and is exfiltrating
data using Domain Name System (DNS) queries. Which of the following is the BEST mitigation
strategy to prevent data exfiltration using this technique?
EB
Ethan B.
2026-02-20

D imo, a DNS sinkhole lets you catch and control suspicious traffic without cutting off normal DNS, so it stops exfiltration while keeping the network working fine. Blocking all outbound DNS (C) is too harsh.

0
EB
Ethan B.
2026-02-15

D. Using a DNS sinkhole is a smart way to catch and control malicious DNS queries without cutting off all DNS traffic. Blocking all outbound DNS (C) seems effective but would break normal network functions since systems rely on DNS to work properly. Sinkholing lets you redirect suspicious queries to a controlled environment, so you’re not completely shutting down DNS but still stopping exfiltration attempts. It’s more practical in a real-world setup where you can't just block everything.

0
UM
Usman M.
2026-02-11

Good point about D being less disruptive, but I'd still pick C here since completely blocking outbound DNS traffic stops any chance of exfiltration through DNS queries. No DNS means no data leak. C

0
LH
Luke H.
2026-02-03

Actually, D seems better here since a sinkhole can catch and redirect suspicious DNS traffic without shutting down all DNS, which would mess up normal operations. Blocking everything outbound (C) is too disruptive.

0
LH
Luke H.
2026-02-02

C/D? Blocking outbound DNS stops leaks but kills legit traffic; sinkhole’s less disruptive.

0
LH
Luke H.
2026-02-01

Probably C here since blocking all outbound DNS traffic stops exfil right at the source, even though it might disrupt some legit traffic. It’s a bit harsh but the most direct way to prevent DNS-based data leaks.

0
AB
Ali B.
2026-01-24

It’s B because host-based IDS can flag unusual DNS requests right at the source, which helps catch exfiltration even if the traffic is encrypted or using non-standard ports. More proactive than just relying on DNS sinkholes.

0
AB
Ali B.
2026-01-18

Maybe B makes sense too since a host-based IDS can detect weird DNS patterns right on the compromised systems before data even leaves, adding an extra layer of spotting suspicious activity.

0
AB
Ali B.
2026-01-17

B tbh, a host-based IDS could spot unusual DNS query patterns right on the endpoints before data even leaves. It’s more targeted than blocking all DNS (C), which would definitely cause issues, and it works even if the DNS traffic is encrypted—because it looks at behavior, not just network flows. SSL on DNS servers (A) doesn’t stop attackers from using DNS for exfil, just protects DNS traffic in transit. Sinkholes (D) help but might miss encrypted DNS like DoH, so adding host-level detection adds a solid extra layer.

0
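Added example, not part of the discussion or of any ISACA material: a small Python detector for the pattern Ali B. describes (one source sending many distinct long, high-entropy subdomains to a single base domain), paired with a sinkhole lookup that answers flagged base domains with a controlled address rather than dropping all outbound DNS. The log lines, thresholds, the two-label base-domain heuristic and the sinkhole address are constructed assumptions, not values from the page.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (source IP, queried name); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 x9q2v7kp1mz4w8ht.r3fj6nb2.data-exfil.test
10.0.0.7 a4tl8zmq2c7vxy3n.k1pd9sw4.data-exfil.test
10.0.0.7 p7wn3bke9rmx2hq5.v6cz1jt8.data-exfil.test
10.0.0.7 m2rq8xzv5tcl7yg1.b4hs0kn3.data-exfil.test
10.0.0.9 cdn.example.net
"""

def shannon_entropy(text):
    """Bits per character; random-looking encoded data scores high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_name(qname):
    """Return (subdomain, base); base = last two labels (assumed heuristic, no PSL)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def looks_encoded(subdomain, min_label=12, min_entropy=3.0):
    """A single label that is both long and high-entropy resembles a data chunk."""
    return any(len(lbl) >= min_label and shannon_entropy(lbl) >= min_entropy
               for lbl in subdomain.split("."))

def find_exfil_candidates(log_text, min_unique=3):
    """Map (src, base domain) -> count of distinct encoded-looking subdomains,
    keeping only pairs at or above min_unique (assumed threshold)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        src, qname = line.split()
        sub, base = split_name(qname)
        if sub and looks_encoded(sub):
            seen[(src, base)].add(sub)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}

def resolve(qname, sinkhole_domains, sinkhole_ip="10.255.255.1"):
    """Sinkhole policy: flagged base domains get the sinkhole address (assumed
    value); None means forward to the normal resolver, so ordinary DNS keeps working."""
    _, base = split_name(qname)
    return sinkhole_ip if base in sinkhole_domains else None
```

Running `find_exfil_candidates(SAMPLE_LOG)` flags only host 10.0.0.7 against data-exfil.test; feeding those base domains to `resolve` sinkholes that traffic while www.example.com still resolves normally.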
AB
Ali B.
2026-01-12

Blocking all outbound DNS traffic (C) seems too extreme and could break normal operations. I think setting up a DNS sinkhole (D) to catch suspicious DNS queries is the best way to stop data exfil without disrupting legit traffic.

0