101 · Question #463
Select the question you would ask your customer related to DNS attacks. Based on the material, choose the most appropriate question.
The correct answer is A. How do you secure you DNS infrastructure against attacks?. When assessing a customer's DNS security posture, the most effective discovery question is open-ended and covers the full scope of their security strategy rather than a single tactical control.
Question
Select the question you would ask your customer related to DNS attacks. Based on the material, choose the most appropriate question.
Options
- AHow do you secure you DNS infrastructure against attacks?
- BDo you rely on your network firewall to protect you DNS server?
- CDo you over-provision your DNS infrastructure?
- DDo you regularly update BIND or some other DNS application to the latest release?
How the community answered
(38 responses)- A87% (33)
- B3% (1)
- C5% (2)
- D5% (2)
Why each option
When assessing a customer's DNS security posture, the most effective discovery question is open-ended and covers the full scope of their security strategy rather than a single tactical control.
Asking how the customer secures their DNS infrastructure is the broadest and most impactful discovery question because it invites the customer to describe their complete DNS security approach, including policies, tools, monitoring, and configurations, revealing gaps across all threat vectors rather than one narrow area.
Asking only about firewall protection is too narrow because network firewalls do not address DNS-specific attack vectors such as cache poisoning, DNS amplification, or zone transfer exploitation.
Over-provisioning is a capacity strategy that may reduce impact from volumetric attacks but is not a security control and does not address non-volumetric DNS threats like spoofing or hijacking.
Keeping DNS software patched is a single tactical hygiene measure and does not reveal the breadth of the customer's overall DNS security posture or strategy.
Concept tested: DNS security posture discovery questioning
Source: https://www.cisa.gov/news-events/alerts/2019/01/24/dns-infrastructure-tampering
Topics
Community Discussion
No community discussion yet for this question.