CompTIA

CAS-002 Question #629: Real Exam Question with Answer & Explanation

The correct answer is C: Configuring and deploying TSIG.

Question

The security administrator at a bank is receiving numerous reports that customers are unable to log in to the bank website. Upon further investigation, the security administrator discovers that the name associated with the bank website points to an unauthorized IP address. Which of the following solutions will MOST likely mitigate this type of attack?

Options

  • A. Security awareness and user training
  • B. Recursive DNS from the root servers
  • C. Configuring and deploying TSIG
  • D. Firewalls and IDS technologies

Explanation

The symptom here is a DNS name that resolves to an unauthorized IP address. TSIG cryptographically authenticates DNS transactions to prevent unauthorized modification of zone records.

Common mistakes.

  • A. Security awareness training addresses human behavior but has no technical effect on DNS record tampering performed by an external attacker against the DNS server.
  • B. Using recursive DNS from root servers improves name resolution accuracy but does not authenticate or protect the integrity of zone records against unauthorized modification.
  • D. Firewalls and IDS can detect suspicious traffic patterns but cannot validate or enforce the integrity of DNS records stored on an authoritative DNS server.

Concept tested. TSIG authentication to prevent DNS cache poisoning

Reference. https://www.rfc-editor.org/rfc/rfc2845
