PrepAway - Latest Free Exam Questions & Answers

You need to create a DNS zone that is available on DC1 and DC2

Your network contains an Active Directory forest.
The forest contains two domains named contoso.com and east.contoso.com.
The contoso.com domain contains a domain controller named DC1.
The east.contoso.com domain contains a domain controller named DC2.
DC1 and DC2 have the DNS Server server role installed.
You need to create a DNS zone that is available on DC1 and DC2.
The solution must ensure that zone transfers are encrypted.
What should you do?

A.
Create a primary zone on DC1 and store the zone in a zone file. On DC1 and DC2, configure inbound rules
and outbound rules by using Windows Firewall with Advanced Security. Create a secondary zone on DC2
and select DC1 as the master.

B.
Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones, DC=Contoso, DC=com
naming context.

C.
Create a primary zone on DC2 and store the zone in a DC= DC=East, DC=Contoso, DC=com naming
context. Create a secondary zone on DC1 and select DC2 as the master.

D.
Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone. Create a
secondary zone on DC2 and select DC1 as the master.

Explanation:
This one looks a bit like question A/Q15, in which we had two domain controllers, one holding a primary zone
and the other a secondary zone, and we needed to ensure that replication of the zone was encrypted.
The solution was to use an Active Directory-integrated zone, and it makes sense to apply that here too: the zone
data then travels inside Active Directory replication, which is encrypted, instead of over a conventional zone
transfer. Because DC1 and DC2 sit in different domains of the forest, the zone has to be stored in the forest-wide
application partition (ForestDNSZones) rather than in a single domain's partition, otherwise only one of the two
domain controllers would receive it.
IPsec could be a valid option too, but is not listed.
DNSSEC is used to sign DNS responses between servers and clients, not to encrypt zone transfers.
Reference 1:
http://technet.microsoft.com/en-us/library/cc781101.aspx
Securing DNS Zone Replication
Using Active Directory Replication
Replicating zones as part of Active Directory replication provides the following security benefits:
Active Directory replication traffic is encrypted; therefore zone replication traffic is encrypted
automatically.
(…)
Reference 2:
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by
DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS
resolver is able to check if the information is identical (correct and complete) to the information on the
authoritative DNS server.
DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are
authenticated but not encrypted.
Reference 3:
http://www.efficientip.com/dnssec
It is important to note that DNSSEC does not supply a solution for data confidentiality but only a
validation of DNS data authenticity and integrity. All information exchanged is not encrypted; it is only the
signature which is encrypted.
Reference 4:
http://technet.microsoft.com/en-us/library/ee649277.aspx
Zone transfers
Zone transfers of a DNSSEC-signed zone function in the same way they do for an unsigned zone. All of the
resource records, including DNSSEC resource records, are transferred from the primary server to the
secondary servers with no additional setup requirements.
Reference 5:
http://technet.microsoft.com/en-us/library/jj200221.aspx
Overview of DNSSEC
Domain Name System Security Extensions (DNSSEC) is a suite of extensions that adds security to the DNS
protocol by providing the ability for DNS servers to validate DNS responses. With DNSSEC, resource records
are accompanied by digital signatures. These digital signatures are generated when DNSSEC is applied to a
DNS zone using a process called zone signing. When a resolver issues a DNS query for a resource record in a
signed zone, a digital signature is returned with the response so that validation can be performed. If validation is
successful, this proves that the data has not been modified or tampered with in any way.
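The following PowerShell is an added example, not part of the exam page or its references: it builds the zone the explanation argues for (Active Directory-integrated, forest-wide replication scope) with the DnsServer module cmdlets, and contrasts it with the file-backed primary/secondary pair that the other options describe. The zone name app.contoso.com and the host name DC2 are placeholders; the commands are assumed to run on DC1 with the DNS Server role installed.

```powershell
# Added example (not from the exam page). Store the zone in Active Directory with
# forest-wide scope so that DC1 (contoso.com) and DC2 (east.contoso.com) both hold
# a writable copy that arrives through encrypted AD replication rather than
# through a clear-text AXFR/IXFR zone transfer. Run on DC1 as a DNS admin.
$ZoneName = 'app.contoso.com'   # constructed placeholder zone name

# AD-integrated primary zone, replicated to every DNS server in the forest
# (ForestDNSZones partition). "-ReplicationScope Domain" would keep the zone in
# DomainDNSZones of contoso.com only, which DC2 in east.contoso.com never gets.
Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Forest -DynamicUpdate Secure

# With the zone in AD, classic zone transfers are not needed at all, so refuse
# AXFR/IXFR requests from any would-be secondary server.
Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries NoTransfer

# Verify locally: IsDsIntegrated should be True and ReplicationScope Forest.
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope,
                  DirectoryPartitionName, SecureSecondaries

# Verify on DC2 once AD replication has converged (assumes DNS RPC/WMI access
# to DC2 from DC1); the same properties should be reported there.
Get-DnsServerZone -ComputerName 'DC2' -Name $ZoneName |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope

# For comparison, the file-backed design of options A and D would be:
#   on DC1: Add-DnsServerPrimaryZone   -Name $ZoneName -ZoneFile "$ZoneName.dns"
#   on DC2: Add-DnsServerSecondaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" `
#               -MasterServers <DC1 IP address>
# That pair keeps DC2 current via AXFR/IXFR over TCP port 53, which neither the
# firewall rules of option A nor the DNSSEC signing of option D encrypts.
```

Deciding the replication scope at creation time matters: a zone already created with domain scope can be moved afterwards with Set-DnsServerPrimaryZone -ReplicationScope Forest, but until then the east.contoso.com domain controller has no copy of it.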