PrepAway - Latest Free Exam Questions & Answers

Ulf wants to ensure that a hacker cannot access his DNS zone files. What is the best action for him to take?

A. Filter TCP port 23

B. Configure the firewall to block zone transfers and accept zone transfer requests only from specific hosts

C. Configure all routers to block zone transfers and encrypt zone transfer messages

D. Disable Nslookup

Explanation:
Based on the assumption that the hacker is outside the network and is not someone with physical access to the internal LAN, option B is the best choice. Closing this exposure takes several steps. A DNS server outside the network (on the outside of the firewall) refers DNS requests to the internal server. This does not require secondary servers on the outside, so zones never need to be transferred in either direction across the firewall. By blocking TCP port 53 on the firewall, we prevent zone transfers, while all other DNS requests, which use UDP port 53, still pass. The next step is to make sure that no one can poison the DNS database by transferring a bogus or corrupt zone intentionally. By accepting zone transfers only from known and authorized servers, no one can slip in a bad zone.
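The second step in the explanation, accepting zone transfers only from known servers, is a configuration question as much as a firewall question. The following added example (not part of the PrepAway page) is a small audit script for a BIND-style named.conf: it reads each zone's allow-transfer ACL, falls back to the global options block when a zone has none, and flags zones that would still hand their zone file to any host. The configuration text, the zone names and the 192.0.2.x secondary addresses are constructed for illustration.

```python
import re

# Constructed named.conf fragment (hypothetical zones and hosts), not taken from the page.
# The global options block allows transfers to "any", which a zone inherits unless it
# sets its own allow-transfer ACL.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};

zone "internal.example" {
    type master;
    file "internal.zone";
};

zone "partner.example" {
    type master;
    file "partner.zone";
    allow-transfer { none; };
};
"""

# Top-level blocks end with "};" at the start of a line; nested ACL braces are indented,
# so the non-greedy body match stops at the right place for this layout.
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")\s*\{(.*?)\n\};', re.S)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def parse_transfer_list(body):
    """Return the allow-transfer entries of a block, or None if the block sets none."""
    m = TRANSFER_RE.search(body)
    if not m:
        return None
    return [entry.strip() for entry in m.group(1).split(';') if entry.strip()]


def audit_zone_transfers(conf):
    """Map each zone name to (status, reason): OPEN, RESTRICTED or CLOSED."""
    global_acl = None
    zones = {}
    for m in BLOCK_RE.finditer(conf):
        kind, name, body = m.group(1), m.group(2), m.group(3)
        if kind == 'options':
            global_acl = parse_transfer_list(body)
        else:
            zones[name] = parse_transfer_list(body)

    findings = {}
    for name, acl in zones.items():
        # A zone without its own ACL inherits the global one; with neither present,
        # older BIND releases default to allowing transfers from any host.
        effective = acl if acl is not None else global_acl
        if effective is None:
            findings[name] = ('OPEN', 'no allow-transfer set; default permits any host')
        elif any(e.lower() == 'any' for e in effective):
            findings[name] = ('OPEN', 'allow-transfer includes any')
        elif [e.lower() for e in effective] == ['none']:
            findings[name] = ('CLOSED', 'zone transfers disabled')
        else:
            findings[name] = ('RESTRICTED', 'allowed from: ' + ', '.join(effective))
    return findings


if __name__ == '__main__':
    for zone, (status, reason) in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f'{zone:20} {status:10} {reason}')
```

Run against the sample, the script reports example.com as restricted to its two listed secondaries, partner.example as closed, and internal.example as open because it inherits the global "any". That last case is the one the explanation warns about: a firewall rule on TCP 53 stops outside hosts, but a zone that inherits a permissive ACL will still answer a transfer request from anything that reaches the server.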
Incorrect Answers:
A: TCP port 23 is used for Telnet and has no effect on DNS operations.
C: If we blocked zone transfers at all routers, then ALL the DNS servers, including all secondaries, would have to be on the same segment, which prevents load balancing and removes protection against failure of that LAN segment. You can encrypt traffic from router to router using IPSec, but if you encrypt the zone at one router and pass the encrypted file to DNS directly, DNS can't use the file.
D: NSLOOKUP might seem like the obvious answer. NSLOOKUP is an exposure, since a hacker could use the utility to request a zone transfer. However, NSLOOKUP does not use its own ports; it uses the normal DNS ports (UDP/TCP 53). So you can't filter traffic generated by NSLOOKUP separately from a regular DNS query, because you can't tell the difference. Also, NSLOOKUP is on the hacker's machine, which is outside your control. You can't get access to the command to disable it, because it is on someone else's network and machine.