312-50V10 · Question #655
As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security? Select the best answers.
The correct answer is B. Harden DNS servers C. Use split-horizon operation for DNS servers D. Restrict Zone transfers E. Have subnet diversity between DNS servers. Effective DNS security requires hardening servers, using split-horizon DNS, restricting zone transfers, and maintaining subnet diversity - but sharing DNS with other application roles is a known anti-pattern.
Question
As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security? Select the best answers.
Options
- AUse the same machines for DNS and other applications
- BHarden DNS servers
- CUse split-horizon operation for DNS servers
- DRestrict Zone transfers
- EHave subnet diversity between DNS servers
How the community answered
(39 responses)- A18% (7)
- B82% (32)
Why each option
Effective DNS security requires hardening servers, using split-horizon DNS, restricting zone transfers, and maintaining subnet diversity - but sharing DNS with other application roles is a known anti-pattern.
Co-locating DNS with other applications violates least privilege and increases risk because a compromise of any co-hosted service can simultaneously expose and compromise the DNS server.
Hardening DNS servers by applying patches, disabling unnecessary services, and restricting recursive queries reduces the exploitable attack surface on a critical infrastructure component.
Split-horizon DNS returns different responses to internal and external clients, preventing internal network topology and host names from being exposed to outside parties.
Restricting zone transfers to explicitly authorized secondary servers prevents attackers from performing a full zone enumeration to map the internal network.
Placing DNS servers on separate, diverse subnets improves resilience against network-layer attacks and eliminates single points of failure for name resolution.
Concept tested: DNS server hardening and security architecture best practices
Source: https://csrc.nist.gov/publications/detail/sp/800-81/2/final
Topics
Community Discussion
No community discussion yet for this question.