nerdexam
EC-Council

312-50V10 · Question #655

As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security? Select the best answers.

The correct answer is B. Harden DNS servers C. Use split-horizon operation for DNS servers D. Restrict Zone transfers E. Have subnet diversity between DNS servers. Effective DNS security requires hardening servers, using split-horizon DNS, restricting zone transfers, and maintaining subnet diversity - but sharing DNS with other application roles is a known anti-pattern.

Footprinting and Reconnaissance

Question

As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security? Select the best answers.

Options

  • AUse the same machines for DNS and other applications
  • BHarden DNS servers
  • CUse split-horizon operation for DNS servers
  • DRestrict Zone transfers
  • EHave subnet diversity between DNS servers

How the community answered

(39 responses)
  • A
    18% (7)
  • B
    82% (32)

Why each option

Effective DNS security requires hardening servers, using split-horizon DNS, restricting zone transfers, and maintaining subnet diversity - but sharing DNS with other application roles is a known anti-pattern.

AUse the same machines for DNS and other applications

Co-locating DNS with other applications violates least privilege and increases risk because a compromise of any co-hosted service can simultaneously expose and compromise the DNS server.

BHarden DNS serversCorrect

Hardening DNS servers by applying patches, disabling unnecessary services, and restricting recursive queries reduces the exploitable attack surface on a critical infrastructure component.

CUse split-horizon operation for DNS serversCorrect

Split-horizon DNS returns different responses to internal and external clients, preventing internal network topology and host names from being exposed to outside parties.

DRestrict Zone transfersCorrect

Restricting zone transfers to explicitly authorized secondary servers prevents attackers from performing a full zone enumeration to map the internal network.

EHave subnet diversity between DNS serversCorrect

Placing DNS servers on separate, diverse subnets improves resilience against network-layer attacks and eliminates single points of failure for name resolution.

Concept tested: DNS server hardening and security architecture best practices

Source: https://csrc.nist.gov/publications/detail/sp/800-81/2/final

Topics

#DNS security#zone transfer restriction#split-horizon DNS#DNS hardening

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice