Which of the following firewall rules only denies DNS zone transfers?

A.
deny udp any any port 53
B.
deny ip any any
C.
deny tcp any any port 53
D.
deny all dns packets
Explanation:
DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers.
Incorrect Answers:
A: UDP port 53 is used for most typical DNS queries.
B: Every access list has an implicit deny ip any any at its end. If traffic is related to a DHCP request and is not explicitly permitted, the traffic is dropped.
D: The question requires DNS zone transfers to be blocked only, not all DNS.
References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 44
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html