312-50V11 · Question #608
A company has publicly hosted web applications and an internal Intranet protected by a firewall. Which technique will help protect against enumeration?
The correct answer is C. Remove A records for internal hosts.. Removing DNS A records for internal hosts from public-facing DNS servers prevents external attackers from enumerating the internal network topology through DNS lookups.
Question
A company has publicly hosted web applications and an internal Intranet protected by a firewall. Which technique will help protect against enumeration?
Options
- AReject all invalid email received via SMTP.
- BAllow full DNS zone transfers.
- CRemove A records for internal hosts.
- DEnable null session pipes.
How the community answered
(45 responses)- A11% (5)
- B2% (1)
- C82% (37)
- D4% (2)
Why each option
Removing DNS A records for internal hosts from public-facing DNS servers prevents external attackers from enumerating the internal network topology through DNS lookups.
Rejecting invalid SMTP email is a mail hygiene measure that reduces spam and spoofing risk, but has no effect on DNS-based or network enumeration of internal hosts.
Allowing full DNS zone transfers exposes the complete set of DNS records to any requesting party, which dramatically increases enumeration risk rather than mitigating it.
DNS enumeration allows attackers to discover internal hostnames and IP addresses by querying A records, which can reveal the intranet structure and identify potential targets for further attacks. By removing A records for internal hosts from any publicly accessible DNS zone, the organization ensures that external queries return no usable mapping of the internal network. This is a foundational DNS hardening practice that directly limits reconnaissance against protected intranet resources.
Enabling null session pipes permits unauthenticated NetBIOS connections that can be used to enumerate Windows shares, users, and group memberships, which increases enumeration exposure rather than reducing it.
Concept tested: DNS A record removal to prevent internal host enumeration
Source: https://csrc.nist.gov/publications/detail/sp/800-81/2/final
Topics
Community Discussion
No community discussion yet for this question.