101 · Question #451
Select the key question you would use to ask your customer related to DNS attacks?
The correct answer is D. How do you secure your DNS infrastructure against attacks?. The most effective DNS security discovery question is broad and open-ended, prompting the customer to reveal their full security posture rather than confirming a single control.
Question
Select the key question you would use to ask your customer related to DNS attacks?
Options
- ADo you over-provision your DNS infrastructure?
- BDo you regularly update BIND or some other DNS application to the latest release?
- CDo you rely on your network firewall to protect your DNS server?
- DHow do you secure your DNS infrastructure against attacks?
How the community answered
(18 responses)- B6% (1)
- D94% (17)
Why each option
The most effective DNS security discovery question is broad and open-ended, prompting the customer to reveal their full security posture rather than confirming a single control.
Asking about over-provisioning addresses capacity and availability planning, not security hardening or attack mitigation strategy.
Asking only about BIND patching is too narrow - it confirms one specific operational practice without surfacing the broader DNS security posture.
Asking whether the customer relies solely on a network firewall implies a specific single-control strategy rather than opening a dialogue about comprehensive DNS defense.
Asking 'How do you secure your DNS infrastructure against attacks?' opens a comprehensive consultative dialogue about the customer's entire DNS security strategy. It invites the customer to reveal gaps across patching, architecture, monitoring, and access controls simultaneously. This broad framing is the foundation of a security discovery conversation and uncovers opportunities a narrow question would miss.
Concept tested: Consultative DNS security discovery questioning
Source: https://www.cisa.gov/news-events/alerts/2019/01/16/dns-infrastructure-tampering
Topics
Community Discussion
No community discussion yet for this question.