PrepAway - Latest Free Exam Questions & Answers

Which of the following rules would accomplish this task?

A network administrator wants to block both DNS requests and zone transfers coming from
outside IP addresses. The company uses a firewall which implements an implicit allow and is
currently configured with the following ACL applied to its external interface:
PERMIT TCP ANY ANY 80
PERMIT TCP ANY ANY 443
Which of the following rules would accomplish this task? (Select TWO).


A.
Change the firewall default settings so that it implements an implicit deny

B.
Apply the current ACL to all interfaces of the firewall

C.
Remove the current ACL

D.
Add the following ACL at the top of the current ACL
DENY TCP ANY ANY 53

E.
Add the following ACL at the bottom of the current ACL
DENY ICMP ANY ANY 53

F.
Add the following ACL at the bottom of the current ACL
DENY IP ANY ANY 53
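The question turns on two things: whether the firewall's unmatched-traffic default is permit or deny, and which transports a DNS rule has to cover (standard queries normally travel over UDP/53, zone transfers over TCP/53, so a single rule must match both). The following is an added worked example, not part of the exam question or any vendor's ACL syntax: a small first-match ACL evaluator that runs the current ACL, with each proposed change, against a constructed traffic sample. It assumes, as the question's wording does, that `DENY IP ANY ANY 53` means "any protocol, destination port 53" and that the platform accepts a port on an IP-level rule (some platforms do not, so check your own device before relying on option F); `ANY ANY` is modelled as any source and any destination.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port; None for ICMP, which has no ports


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "ip" (matches any protocol)
    dport: Optional[int]  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        # Protocol keyword "ip" is wildcard; anything else must match exactly.
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is None:
            return True
        # A port-qualified rule can never match a packet that has no port (ICMP).
        return pkt.dport == self.dport


def evaluate(acl: List[Rule], pkt: Packet, implicit_allow: bool) -> str:
    """First matching rule wins; unmatched traffic hits the implicit default."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "permit" if implicit_allow else "deny"


# The ACL from the question: PERMIT TCP ANY ANY 80 / PERMIT TCP ANY ANY 443
CURRENT_ACL: List[Rule] = [Rule("permit", "tcp", 80), Rule("permit", "tcp", 443)]

# Constructed traffic sample (assumption: what an outside host might send).
TRAFFIC: Dict[str, Packet] = {
    "http": Packet("tcp", 80),
    "https": Packet("tcp", 443),
    "dns_query_udp": Packet("udp", 53),   # ordinary DNS request
    "zone_transfer_tcp": Packet("tcp", 53),  # AXFR runs over TCP
    "ping": Packet("icmp", None),
}

# Each answer option as (resulting ACL, implicit_allow flag).
OPTIONS: Dict[str, Tuple[List[Rule], bool]] = {
    "A": (CURRENT_ACL, False),                                   # switch to implicit deny
    "D": ([Rule("deny", "tcp", 53)] + CURRENT_ACL, True),        # DENY TCP ANY ANY 53 on top
    "E": (CURRENT_ACL + [Rule("deny", "icmp", 53)], True),       # DENY ICMP ANY ANY 53 at bottom
    "F": (CURRENT_ACL + [Rule("deny", "ip", 53)], True),         # DENY IP ANY ANY 53 at bottom
}


def dns_blocked(acl: List[Rule], implicit_allow: bool) -> bool:
    """True only if both the UDP query and the TCP zone transfer are denied."""
    return all(
        evaluate(acl, TRAFFIC[name], implicit_allow) == "deny"
        for name in ("dns_query_udp", "zone_transfer_tcp")
    )


def web_allowed(acl: List[Rule], implicit_allow: bool) -> bool:
    """The change must not break the explicitly permitted HTTP/HTTPS traffic."""
    return all(
        evaluate(acl, TRAFFIC[name], implicit_allow) == "permit"
        for name in ("http", "https")
    )


def option_results() -> Dict[str, bool]:
    """Which options block DNS requests and zone transfers while keeping web traffic."""
    return {
        name: dns_blocked(acl, ia) and web_allowed(acl, ia)
        for name, (acl, ia) in OPTIONS.items()
    }


if __name__ == "__main__":
    for name, ok in option_results().items():
        print(f"option {name}: {'accomplishes the task' if ok else 'does not'}")
```

Running it shows why only A and F satisfy the requirement: D denies TCP/53 but lets the UDP query fall through to the implicit allow, and E's ICMP rule can never match a DNS packet (and the port qualifier means it matches no ICMP packet either). The model also makes the side effect of A visible: with implicit deny, everything except TCP/80 and TCP/443 (including ping) is dropped, whereas F drops only port 53.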

8 Comments on “Which of the following rules would accomplish this task?”

  1. Vern Moore says:

    E.
    Add the following ACL at the bottom of the current ACL
    DENY ICMP ANY ANY 53

    F.
    Add the following ACL at the bottom of the current ACL
    DENY IP ANY ANY 53

    SAME ANSWERS?
    1. Pirate says:

      That's right. Only the implicit deny will block all incoming traffic except the explicit allows (HTTP, HTTPS). So that is a solution on its own.
      Answer F will also work as a single solution.
  2. Joel says:

    I believe that A is the only correct answer. When you specify “deny ip” you’re not allowed to specify a port, only source and destination IP addresses… at least on Cisco gear. So that should rule out F. And DNS uses both UDP and TCP so D is technically only partially correct. Also “deny icmp” would not apply to DNS thus ruling out E.
  3. Nathan says:

    You people have to read the ENTIRE question. The very last sentence says this: Which of the following rules would accomplish this task? (Select TWO).

    A and F will both accomplish the task of denying DNS access to Port 53. A will deny EVERYTHING except HTTP and HTTPS traffic, while F would continue to allow everything except DNS traffic, which is TCP53 (requests) and UDP53 (zone transfers).
