A security analyst is reviewing the following DNS logs as part of security-monitoring activities: 

Which of the following MOST likely occurred? 

Answer options:

A. The attack used an algorithm to generate command and control information dynamically
B. The attack attempted to contact www.google.com to verify Internet connectivity
C. The attack used encryption to obfuscate the payload and bypass detection by an IDS
D. The attack caused an internal host to connect to a command and control server

D