You notice a single host making thousands of unusual, long TXT-record DNS queries to one domain. What's the most likely explanation and action?
Short answer
High-volume, high-entropy TXT or long-subdomain queries to a single domain is a classic DNS tunneling / C2-and-exfil signature: data is being smuggled inside DNS to evade egress filtering. Capture a query sample for analysis, sinkhole or block the domain to cut the channel, and pivot to the host to find the responsible process. Dismissing it as normal caching or a slow website misses live exfiltration. Restarting the DNS server does nothing about the compromised endpoint and just disrupts name resolution.
DNS is allowed out of almost every network, which is exactly why attackers abuse it as a covert channel. Thousands of long, oddly-encoded TXT queries from one host to one domain is a textbook DNS tunneling signature — and this question tests whether you recognize it and respond, rather than rationalizing it away.
Why tunneling is the likely explanation
Benign DNS is short, cached, and varied across many domains. The pattern here is the opposite: high volume, high entropy (random-looking subdomains carrying encoded data), long labels, often TXT records, all aimed at a single domain the attacker controls. That's data being chunked into DNS queries to exfiltrate information or carry C2 traffic past egress filtering that would block a normal outbound connection.
The correct response is threefold: capture a sample of the queries (for analysis and IOC extraction), sinkhole or block the malicious domain at your resolver/firewall to cut the channel, and pivot to the host to identify the process generating the traffic and begin scoping the compromise.
Why the other options fail
- Normal caching; ignore it — caching reduces queries; it doesn't produce thousands of unique long TXT lookups to one domain. Dismissing this waves through live exfiltration.
- DNS server misconfigured; restart it — the anomaly is the endpoint, not the resolver. Restarting DNS disrupts everyone's name resolution and leaves the compromised host happily tunneling once service returns.
- Just a slow website — slow sites cause latency, not a flood of high-entropy TXT queries to a single domain. This rationalization is exactly the blind spot attackers count on.
What the interviewer is probing
They want a candidate who recognizes the protocol-abuse pattern, understands why DNS is a favored exfil channel, and responds with capture, contain (sinkhole/block), and investigate the host — in that order. Naming the query characteristics (length, entropy, record type, single domain) shows you can tell covert exfiltration from ordinary DNS noise.
Likely follow-ups
- What query features (length, entropy, record type, frequency) distinguish tunneling from benign DNS?
- Why is DNS a favored covert channel, and how does it slip past typical egress controls?
- Once you find the process on the host, how do you scope whether data already left and what was taken?