312-50V11 · Question #655
As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security? Select the best answers.
The correct answer is B. Harden DNS servers C. Use split-horizon operation for DNS servers D. Restrict Zone transfers E. Have subnet diversity between DNS servers. Effective DNS security requires hardening servers, using split-horizon DNS, restricting zone transfers, and maintaining subnet diversity - while avoiding shared-use DNS servers.
Question
As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security? Select the best answers.
Options
- AUse the same machines for DNS and other applications
- BHarden DNS servers
- CUse split-horizon operation for DNS servers
- DRestrict Zone transfers
- EHave subnet diversity between DNS servers
How the community answered
(20 responses)- A25% (5)
- B75% (15)
Why each option
Effective DNS security requires hardening servers, using split-horizon DNS, restricting zone transfers, and maintaining subnet diversity - while avoiding shared-use DNS servers.
Running DNS on shared multi-purpose servers increases the attack surface and violates the principle of least privilege - DNS servers should be dedicated.
Hardening DNS servers reduces attack surface by disabling unnecessary services, applying patches, and enforcing least privilege.
Split-horizon (split-brain) DNS presents different zone data to internal vs. external clients, preventing internal topology disclosure.
Restricting zone transfers to authorized secondary servers prevents attackers from enumerating all DNS records in a zone.
Placing DNS servers on different subnets ensures that a single network failure or attack does not take down all DNS resolution.
Concept tested: DNS server hardening and secure architecture best practices
Source: https://www.cisa.gov/news-events/alerts/2019/01/16/dns-infrastructure-hijacking-campaign
Topics
Community Discussion
No community discussion yet for this question.