Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DNS Server server role installed.
Server1 is configured to use a DNS server from an Internet Service Provider (ISP) as a forwarder.
Corporate management requires that client computers only resolve names of contoso.com computers.
You need to configure Server1 to resolve names in the contoso.com zone only.
What should you do on Server1?
A.
From DNS Manager, modify the root hints of Server1.
B.
From Windows PowerShell, run the Remove-DnsServerForwarder cmdlet.
C.
From Windows PowerShell, run the Set-NetDnsTransitionConfiguration cmdlet.
D.
From DNS Manager, modify the Advanced properties of Server1.
Explanation:
If the DNS server does not know the address of the requested site, then it will forward the request to another DNS server. In order to do so, the DNS server must
know of the IP address of another DNS server that it can forward the request to. This is the job of root hints. Root hints provides a list of IP addresses of DNS
servers that are considered to be authoritative at the root level of the DNS hierarchy(also known as root name server).
http://technet.microsoft.com/en-us/library/ee649221(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/jj649867.aspx
http://technet.microsoft.com/en-us/library/jj613703.aspx
This is definitely D. Disable recursion (Also disables forwarders) on Advanced tab.
A or B would only provide part of the solution.
3
0
Agreed – having forwarders configured without root hints can still be the way to resolving queries
0
0
The question only states that a forwarder is configured, best practices be damned. It doesn’t state anything about having recursion enabled, or having root hints configured. That being said B would be the most appropriate option, without that forwarder, the server doesn’t have an address to go to outside of the network.
Also, when it comes to recursion, TechNet does say it is enabled by default, and that the server is more secure without it, but it also says:
Caution
Do not disable recursion on a DNS server if it is used by other DNS servers for server-level forwarding, or if DNS client computers use it for name resolution.
Which to me sounds a lot like: “Don’t disable recursion on DNS Servers being used as DNS Servers” I mean it is up for interpretation, but still the question states you have a DNS Forwarder set up and you aren’t supposed to, while mentioning nothing about other DNS servers or anything about Root Hints being configured, so TL;DR: I would go with B do exactly what they are asking you to do in the question nothing more nothing less.
0
0
If you have clients connecting to this DNS server and asking it for names that are not on your network, such as google.com, facebook.com, yahoo.com, whitehouse.gov, etc… since your DNS server is not authoritative for those domains you must use Recursion or else name resolution will fail for external domain names not hosted on your DNS server. Most work places do allow internet access, however, if you are in a very tightly-controlled network (in which case if you need extraordinary security you shouldn’t be connected to the internet anyway,) disabling recursion will prevent name resolution of names that your DNS server is not authoritative for. Also worth noting that if you disable recursion, then there’s no point in adding forwarders as they will not be used. (Root hints also will not be used if recursion is disabled.)
By default, the DNS server performs recursive queries on behalf of its DNS clients and DNS servers that have forwarded DNS client queries to it. Recursion is a name-resolution technique in which a DNS server queries other DNS servers on behalf of the requesting client to fully resolve the name and then sends an answer back to the client.
Attackers can use recursion to deny the DNS Server service. Therefore, if a DNS server in your network is not intended to receive recursive queries, recursion should be disabled on that server.
2
0
Answer: D
Disabling recursion, disables forwarders and prevents the root hints from being used. This covers both answers A & B.
1
0