312-50V13 · Question #109
As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security?
The correct answer is B. Harden DNS servers C. Use split-horizon operation for DNS servers D. Restrict Zone transfers E. Have subnet diversity between DNS servers. Ensuring DNS security involves a multifaceted approach including hardening servers, using architectural segregation, restricting data exposure, and improving resilience.
Question
Options
- AUse the same machines for DNS and other applications
- BHarden DNS servers
- CUse split-horizon operation for DNS servers
- DRestrict Zone transfers
- EHave subnet diversity between DNS servers
How the community answered
(22 responses)- A18% (4)
- B82% (18)
Why each option
Ensuring DNS security involves a multifaceted approach including hardening servers, using architectural segregation, restricting data exposure, and improving resilience.
Using the same machines for DNS and other applications increases the attack surface and potential for compromise; it is a poor security practice.
Hardening DNS servers involves applying security updates, configuring least privilege, removing unnecessary services, and securing the operating system, significantly reducing the attack surface.
Using split-horizon DNS (also known as split-brain DNS) involves maintaining separate DNS views for internal and external networks, preventing internal network information from being exposed to the internet.
Restricting zone transfers prevents unauthorized parties from enumerating all hostnames and IP addresses within a domain, which could be used for targeted attacks.
Having subnet diversity between DNS servers, often achieved by deploying them in different network segments or availability zones, enhances resilience against network-based attacks and outages.
Concept tested: DNS security best practices
Source: https://learn.microsoft.com/en-us/windows-server/networking/dns/what-is-dns
Topics
Community Discussion
No community discussion yet for this question.