Scenario 1: An internal host communicates with an external IP over DNS, displaying consistent communication patterns and unusual payload sizes. Further investigation reveals the presence of malware using DNS tunneling to exfiltrate data.
Scenario 2: A security audit detects long-duration DNS sessions from an internal host to a suspicious domain. Analysis shows the sessions contain hidden command and control traffic, indicating the host is compromised and part of a botnet.