Which of the following firewall rules only denies DNS zone transfers?
A. deny udp any any port 53
B. deny ip any any
C. deny tcp any any port 53
D. deny all dns packets
One Comment on “Which of the following firewall rules only denies DNS zone transfers?”
Tony says:
Whilst this is the answer the exam wants, TCP 53 is also used for lookups above a certain size, which can be an issue when using DNSSEC. The other consideration is that zone transfers are more typically restricted to known hosts, and can be configured to use ports other than 53.
So, denying TCP 53 will not necessarily prevent zone transfers, and will not necessarily only prevent zone transfers.