nerdexam
EC-Council

312-50V10 · Question #110

Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advan

The correct answer is C. Install DNS Anti-spoofing. DNS spoofing (cache poisoning) is best prevented by cryptographically validating DNS responses, which is what DNS Anti-spoofing via DNSSEC provides.

Footprinting and Reconnaissance

Question

Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advantage for them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from company B. How do you prevent DNS spoofing? (Select the Best Answer.)

Options

  • AInstall DNS logger and track vulnerable packets
  • BDisable DNS timeouts
  • CInstall DNS Anti-spoofing
  • DDisable DNS Zone Transfer

How the community answered

(33 responses)
  • B
    3% (1)
  • C
    91% (30)
  • D
    6% (2)

Why each option

DNS spoofing (cache poisoning) is best prevented by cryptographically validating DNS responses, which is what DNS Anti-spoofing via DNSSEC provides.

AInstall DNS logger and track vulnerable packets

A DNS logger passively monitors and records DNS traffic but does not actively block or invalidate spoofed responses, leaving the vulnerability open.

BDisable DNS timeouts

Disabling DNS timeouts does not prevent spoofing and would break normal DNS resolution by causing queries to hang indefinitely without a response.

CInstall DNS Anti-spoofingCorrect

DNS Anti-spoofing refers to implementing DNSSEC (DNS Security Extensions), which uses public-key cryptography and digital signatures to validate the authenticity and integrity of DNS responses. This directly prevents forged or poisoned records from being accepted by a resolver, addressing the attack where Company C exploits Company B's vulnerable DNS server to intercept traffic.

DDisable DNS Zone Transfer

Disabling DNS Zone Transfer restricts AXFR replication between servers but provides no protection against cache poisoning or forged DNS response packets.

Concept tested: DNS spoofing prevention using DNSSEC anti-spoofing

Source: https://learn.microsoft.com/en-us/windows-server/networking/dns/dnssec-overview

Topics

#DNS spoofing#anti-spoofing#DNS security#cache poisoning

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice