PrepAway - Latest Free Exam Questions & Answers

Which of the following rules would accomplish this task?

A network administrator wants to block both DNS requests and zone transfers coming from
outside IP addresses. The company uses a firewall which implements an implicit allow and is
currently configured with the following ACL applied to its external interface.
PERMIT TCP ANY ANY 80
PERMIT TCP ANY ANY 443
Which of the following rules would accomplish this task? (Select TWO).

A. Change the firewall default settings so that it implements an implicit deny

B. Apply the current ACL to all interfaces of the firewall

C. Remove the current ACL

D. Add the following ACL at the top of the current ACL
DENY TCP ANY ANY 53

E. Add the following ACL at the bottom of the current ACL
DENY ICMP ANY ANY 53

F. Add the following ACL at the bottom of the current ACL
DENY IP ANY ANY 53

Explanation:
Implicit deny is the default security stance that says if you aren’t specifically granted access or
privileges for a resource, you’re denied access by default. Implicit deny is the default response
when an explicit allow or deny isn’t present.
DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers (zone file
exchanges between DNS servers), for special manual queries, and when a response exceeds
512 bytes. UDP port 53 is used for most typical DNS queries.
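
The rule evaluation the explanation relies on, as an added example that is not part of the original page: a toy first-match ACL evaluator run against the question's ACL and its rule options. The tuple format, function names, top-down first-match order, and the treatment of an `IP` rule as matching both TCP and UDP are assumptions for illustration, not any vendor's syntax; option B (interface placement) is not modeled.

```python
# Added illustration: toy first-match ACL evaluator (not a vendor's rule syntax).
from typing import Dict, List, Tuple

Rule = Tuple[str, str, int]  # (action, protocol, destination port); "ANY ANY" is implied

CURRENT_ACL: List[Rule] = [("PERMIT", "TCP", 80), ("PERMIT", "TCP", 443)]

def rule_matches(rule: Rule, proto: str, dport: int) -> bool:
    _, r_proto, r_port = rule
    # Assumption: "IP" covers every IP-carried protocol, so it matches TCP and UDP.
    # An ICMP rule never matches TCP or UDP traffic, whatever number follows it.
    return (r_proto == "IP" or r_proto == proto) and r_port == dport

def evaluate(acl: List[Rule], proto: str, dport: int, default: str) -> str:
    """Return the action of the first matching rule, else the firewall default."""
    for rule in acl:
        if rule_matches(rule, proto, dport):
            return rule[0]
    return default

def dns_exposure(acl: List[Rule], default: str) -> Dict[str, str]:
    """Verdicts for an outside DNS query, a zone transfer, and HTTPS as a control."""
    return {
        "query_udp53": evaluate(acl, "UDP", 53, default),
        "zone_transfer_tcp53": evaluate(acl, "TCP", 53, default),
        "https_tcp443": evaluate(acl, "TCP", 443, default),
    }

# Each scenario: (rule list, firewall default when nothing matches).
SCENARIOS = {
    "current ACL, implicit allow": (CURRENT_ACL, "PERMIT"),
    "A: implicit deny": (CURRENT_ACL, "DENY"),
    "C: ACL removed": ([], "PERMIT"),
    "D: DENY TCP 53 at top": ([("DENY", "TCP", 53)] + CURRENT_ACL, "PERMIT"),
    "E: DENY ICMP 53 at bottom": (CURRENT_ACL + [("DENY", "ICMP", 53)], "PERMIT"),
    "F: DENY IP 53 at bottom": (CURRENT_ACL + [("DENY", "IP", 53)], "PERMIT"),
}

if __name__ == "__main__":
    for name, (acl, default) in SCENARIOS.items():
        print(f"{name:30} {dns_exposure(acl, default)}")
```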

2 Comments on “Which of the following rules would accomplish this task?”

  1. Michael Mazzaro says:

    Option F by itself solves the problem but if Option D is added it would only deny DNS Zone transfers. Selecting Option A could have disastrous effects without additional rules being added to allow required network traffic.




  2. Fritz says:

    Even though it says “SELECT TWO” I think each answer is a single option. Not combined. For option A, I think they are making the assumption that you would create a PERMIT IP ANY ANY to avoid the disaster that would surely happen like you said. Typical poorly worded question and answers.



