EC-Council
312-50V10 · Question #110
312-50V10 Question #110: Real Exam Question with Answer & Explanation
The correct answer is C: Install DNS Anti-spoofing. DNS spoofing (cache poisoning) is best prevented by cryptographically validating DNS responses, which is what DNS Anti-spoofing via DNSSEC provides.
Question
Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advantage for them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from company B. How do you prevent DNS spoofing? (Select the Best Answer.)
Options
- AInstall DNS logger and track vulnerable packets
- BDisable DNS timeouts
- CInstall DNS Anti-spoofing
- DDisable DNS Zone Transfer
Explanation
DNS spoofing (cache poisoning) is best prevented by cryptographically validating DNS responses, which is what DNS Anti-spoofing via DNSSEC provides.
Common mistakes.
- A. A DNS logger passively monitors and records DNS traffic but does not actively block or invalidate spoofed responses, leaving the vulnerability open.
- B. Disabling DNS timeouts does not prevent spoofing and would break normal DNS resolution by causing queries to hang indefinitely without a response.
- D. Disabling DNS Zone Transfer restricts AXFR replication between servers but provides no protection against cache poisoning or forged DNS response packets.
Concept tested. DNS spoofing prevention using DNSSEC anti-spoofing
Reference. https://learn.microsoft.com/en-us/windows-server/networking/dns/dnssec-overview
Community Discussion
No community discussion yet for this question.