A network experiences unusual DNS queries to multiple unknown domains with random subdomains. What type of attack is occurring?
- A. DNS amplification
- B. DNS tunnel
- C. DNS exfiltration ✓
- D. DNS spoofing
Correct answer: DNS exfiltration
Option C is correct because DNS exfiltration (also called DNS tunneling for data theft) encodes stolen data into high volumes of queries for many unique subdomains of attacker-controlled domains, smuggling it out of the network covertly; this matches the described pattern of random subdomains across unknown domains. Option A is incorrect because DNS amplification is a volumetric DDoS technique in which small spoofed queries trigger large responses aimed at an external victim; it does not produce many random subdomain lookups from inside the network. Option B is related: DNS tunneling in the general sense uses the same encoding technique, but "DNS tunnel" typically refers to the bidirectional channel used for command-and-control or for bypassing network controls, whereas the described pattern most specifically indicates outbound data exfiltration. Option D is incorrect because DNS spoofing poisons DNS caches to redirect legitimate queries to malicious IP addresses; it does not generate random subdomain queries.
Topic: dns exfiltration, dns security, network attacks, data exfiltration