Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/HPE6-A84_Dumps/page_31_img_1.jpg? Which security issue is possibly indicated by this traffic capture?

A command and control channel established with DNS tunneling

Question 7 - HP HPE6-A84 Real Exam Questions [Jan 2026 Update]

Q: 7

Refer to the exhibit.

? Which security issue is possibly indicated by this traffic capture?

Options

Correct Answer:

Explanation

The exhibit shows a series of DNS queries from a client (10.1.7.101) for extremely long, non-standard subdomains of a single domain (evil.com). This pattern is a classic indicator of DNS tunneling. In this technique, data is encoded into the subdomain portion of a DNS query. This creates a covert channel, often used by malware to communicate with a Command and Control (C2) server for receiving instructions or exfiltrating data. The client is likely compromised and is using the DNS protocol to bypass firewall restrictions and establish this C2 channel.

Why Incorrect

A: The traffic pattern does not resemble a Denial-of-Service (DoS) attack, which typically involves a high volume of traffic, not a few structured queries.

B: A port scan involves probing many different ports on a host or subnet; this capture only shows traffic on the DNS port (53).

D: This capture contains DNS packets, not ARP packets. ARP poisoning involves manipulating MAC-to-IP address mappings using ARP messages, which are not present here.

References

1. Aruba Threat Labs. (2020

May 20). Detecting DNS Tunneling with Aruba IntroSpect. Aruba Blogs. This official vendor blog post provides examples of DNS tunneling traffic used for C2

which are visually identical to the traffic in the exhibit

and explains how Aruba security solutions detect this threat.

2. National Institute of Standards and Technology (NIST). (2013). Special Publication 800-81-2: Secure Domain Name System (DNS) Deployment Guide. Section 3.4.2

"DNS Tunneling". This section states

"An attacker can use DNS tunneling to...establish a command and control channel with a compromised host... The data to be tunneled is encoded within the labels of a DNS query for a domain name controlled by the attacker."

3. Dusi

Gringoli

& Salgarelli

L. (2015). A preliminary look at DNS-based covert channels. 2015 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). https://doi.org/10.1109/INFCOMW.2015.7179398. This academic paper analyzes DNS covert channels

noting that encoding information in query names is a common method for C2 and data exfiltration

matching the exhibit's scenario.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE