Code Room
On-callHardoc-g145
Subject: Data exfiltration | Level: Senior–Staff | Duration: ~45 min | Common in: Networking & APIs interviews | Industries: Technology, Software development

Question

Your network-monitoring dashboard shows one internal app server generating an unusually high volume of DNS queries — 8,000/min, up from ~50/min baseline — almost all TXT and long-label A-record lookups to subdomains of a single odd-looking domain (e.g., a1b2c3d4.exfil-cdn[.]xyz). Outbound HTTP/HTTPS egress from that host looks normal and low. The host runs a payments microservice. A dependency was updated in last week's deploy. Conventional DLP (which watches HTTP) saw nothing. How do you triage, contain, and remediate this suspected covert channel?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.

Mitigate: thousands of TXT and long-label lookups per minute, all under one freshly seen domain, from a host whose HTTP egress looks normal, is the classic signature of DNS tunnelling, so treat it as active exfiltration until proven otherwise. Cut the channel without destroying evidence: sinkhole or block the domain at the internal resolver, restrict the host to that resolver only, or pull it out of rotation and isolate it at the network layer. Do not reboot or redeploy it yet; first capture a packet trace of the DNS traffic, identify the process issuing the lookups, and snapshot memory and disk. Because this is the payments service, assume customer or cardholder data may be in the channel and bring in whoever owns the breach-notification decision early.

Hypothesize from signals: the timing points at last week's dependency update, so the leading hypothesis is a compromised or malicious package (a supply-chain compromise) rather than a bug in your own code. Confirm it before acting on it: diff the dependency against the previous version and the upstream source, look for the code that builds the query names, and check whether the published artifact matches what the maintainer released. Keep the alternatives open (a legitimate library that uses DNS for telemetry, a resolver misconfiguration causing retry storms); decoding the captured labels settles it, because payload chunks decode to your data and noise does not.

Root cause vs symptom: the DNS volume is the symptom. The root cause is that untrusted code reached a payments host that had unrestricted DNS egress and no DNS inspection. Remediate both: roll back or pin the dependency to a verified version, rotate every secret the service could reach, and reconstruct from the captured queries what was actually exfiltrated so that disclosure is based on evidence rather than worst-case guessing.

Prevent a repeat: log DNS at the resolver and alert on per-host volume, TXT ratio, label length and entropy; force all hosts through an internal resolver and deny direct port-53 egress; treat DNS as an egress channel in DLP, not just HTTP; add dependency pinning, artifact verification and review of updates for sensitive services. Throughout, report status on a fixed cadence (what you know, what you have done, what you need) to the incident channel and to the business owner of payments.

Diagram & narrate the incident