312-50V10 · Question #143
Some clients of TPNQM SA were redirected to a malicious site when they tried to access the TPNQM main site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS Cache Poisoning
The correct answer is B. The use of DNSSEC. DNS Cache Poisoning forges DNS responses to redirect users to malicious sites, and DNSSEC mitigates this by cryptographically signing DNS records to ensure their authenticity.
Question
Some clients of TPNQM SA were redirected to a malicious site when they tried to access the TPNQM main site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS Cache Poisoning. What should Bob recommend to deal with such a threat?
Options
- AThe use of security agents in clients' computers
- BThe use of DNSSEC
- CThe use of double-factor authentication
- DClient awareness
How the community answered
(27 responses)- B89% (24)
- C4% (1)
- D7% (2)
Why each option
DNS Cache Poisoning forges DNS responses to redirect users to malicious sites, and DNSSEC mitigates this by cryptographically signing DNS records to ensure their authenticity.
Security agents on client computers operate above the DNS layer and cannot detect or prevent a poisoned DNS response being returned by the resolver before the connection is established.
DNSSEC (Domain Name System Security Extensions) adds digital signatures to DNS records, allowing resolvers to verify that responses are authentic and have not been tampered with. This directly addresses cache poisoning because a forged DNS response will fail signature validation and be rejected by DNSSEC-aware resolvers.
Double-factor authentication secures user login credentials but has no effect on the DNS resolution process that redirects users before authentication even occurs.
Client awareness can reduce risk from phishing but cannot technically prevent a DNS resolver from caching and serving a poisoned record to clients.
Concept tested: DNSSEC as mitigation for DNS cache poisoning
Source: https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
Topics
Community Discussion
No community discussion yet for this question.