nerdexam
GIAC

GCIH · Question #258

Which of the following is designed to protect the Internet resolvers (clients) from forged DNS data created by DNS cache poisoning?

The correct answer is D. Domain Name System Extension (DNSSEC). DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify the authenticity of DNS responses and reject forged data introduced by cache poisoning attacks.

Incident Response & Cyber Kill Chain

Question

Which of the following is designed to protect the Internet resolvers (clients) from forged DNS data created by DNS cache poisoning?

Options

  • AStub resolver
  • BBINDER
  • CSplit-horizon DNS
  • DDomain Name System Extension (DNSSEC)

How the community answered

(42 responses)
  • A
    2% (1)
  • C
    5% (2)
  • D
    93% (39)

Why each option

DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify the authenticity of DNS responses and reject forged data introduced by cache poisoning attacks.

AStub resolver

A stub resolver is a lightweight DNS client that simply forwards queries to a full recursive resolver - it has no mechanism to validate the authenticity of DNS data.

BBINDER

BINDER is not a recognized DNS security technology; BIND is a widely-used DNS server implementation but provides no inherent protection against cache poisoning on its own.

CSplit-horizon DNS

Split-horizon DNS returns different DNS answers based on the query source (internal vs. external), which is a segmentation technique and does not authenticate or verify the integrity of DNS responses.

DDomain Name System Extension (DNSSEC)Correct

DNSSEC (Domain Name System Security Extensions) uses public-key cryptography to digitally sign DNS resource records, enabling resolving clients to verify that responses originate from an authoritative source and have not been tampered with. This directly addresses DNS cache poisoning, where an attacker injects fraudulent DNS records into a resolver's cache. Without DNSSEC, a resolver has no way to distinguish a legitimate response from a forged one.

Concept tested: DNSSEC protection against DNS cache poisoning

Source: https://learn.microsoft.com/en-us/windows-server/networking/dns/dnssec-overview

Topics

#DNSSEC#DNS cache poisoning#DNS security#forged DNS data

Community Discussion

No community discussion yet for this question.

Full GCIH Practice