312-50V10 · Question #110
Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advan
The correct answer is C. Install DNS Anti-spoofing. DNS spoofing (cache poisoning) is best prevented by cryptographically validating DNS responses, which is what DNS Anti-spoofing via DNSSEC provides.
Question
Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advantage for them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from company B. How do you prevent DNS spoofing? (Select the Best Answer.)
Options
- AInstall DNS logger and track vulnerable packets
- BDisable DNS timeouts
- CInstall DNS Anti-spoofing
- DDisable DNS Zone Transfer
How the community answered
(33 responses)- B3% (1)
- C91% (30)
- D6% (2)
Why each option
DNS spoofing (cache poisoning) is best prevented by cryptographically validating DNS responses, which is what DNS Anti-spoofing via DNSSEC provides.
A DNS logger passively monitors and records DNS traffic but does not actively block or invalidate spoofed responses, leaving the vulnerability open.
Disabling DNS timeouts does not prevent spoofing and would break normal DNS resolution by causing queries to hang indefinitely without a response.
DNS Anti-spoofing refers to implementing DNSSEC (DNS Security Extensions), which uses public-key cryptography and digital signatures to validate the authenticity and integrity of DNS responses. This directly prevents forged or poisoned records from being accepted by a resolver, addressing the attack where Company C exploits Company B's vulnerable DNS server to intercept traffic.
Disabling DNS Zone Transfer restricts AXFR replication between servers but provides no protection against cache poisoning or forged DNS response packets.
Concept tested: DNS spoofing prevention using DNSSEC anti-spoofing
Source: https://learn.microsoft.com/en-us/windows-server/networking/dns/dnssec-overview
Topics
Community Discussion
No community discussion yet for this question.