CompTIA
CAS-001 · Question #187
CAS-001 Question #187: Real Exam Question with Answer & Explanation
The correct answer is C: Configuring and deploying TSIG. Transaction Signature (TSIG) authenticates DNS zone transfers and dynamic updates using shared secret keys, preventing unauthorized modification of DNS records such as those caused by DNS hijacking.
Question
The security administrator at a bank is receiving numerous reports that customers are unable to login to the bank website. Upon further investigation, the security administrator discovers that the name associated with the bank website points to an unauthorized IP address. Which of the following solutions will MOST likely mitigate this type of attack?
Options
- ASecurity awareness and user training
- BRecursive DNS from the root servers
- CConfiguring and deploying TSIG
- DFirewalls and IDS technologies
Explanation
Transaction Signature (TSIG) authenticates DNS zone transfers and dynamic updates using shared secret keys, preventing unauthorized modification of DNS records such as those caused by DNS hijacking.
Common mistakes.
- A. Security awareness training educates users but does not technically prevent or mitigate DNS record tampering at the infrastructure level.
- B. Recursive DNS from root servers changes how queries are resolved but does not authenticate zone updates or prevent an attacker from modifying DNS records on the authoritative server.
- D. Firewalls and IDS technologies can detect anomalous traffic but do not authenticate DNS update transactions or prevent unauthorized changes to DNS zone data.
Concept tested. TSIG authentication preventing unauthorized DNS record modification
Reference. https://www.ietf.org/rfc/rfc2845.txt
Community Discussion
No community discussion yet for this question.