GCIH · Question #258
Which of the following is designed to protect the Internet resolvers (clients) from forged DNS data created by DNS cache poisoning?
The correct answer is D. Domain Name System Extension (DNSSEC). DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify the authenticity of DNS responses and reject forged data introduced by cache poisoning attacks.
Question
Which of the following is designed to protect the Internet resolvers (clients) from forged DNS data created by DNS cache poisoning?
Options
- AStub resolver
- BBINDER
- CSplit-horizon DNS
- DDomain Name System Extension (DNSSEC)
How the community answered
(42 responses)- A2% (1)
- C5% (2)
- D93% (39)
Why each option
DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify the authenticity of DNS responses and reject forged data introduced by cache poisoning attacks.
A stub resolver is a lightweight DNS client that simply forwards queries to a full recursive resolver - it has no mechanism to validate the authenticity of DNS data.
BINDER is not a recognized DNS security technology; BIND is a widely-used DNS server implementation but provides no inherent protection against cache poisoning on its own.
Split-horizon DNS returns different DNS answers based on the query source (internal vs. external), which is a segmentation technique and does not authenticate or verify the integrity of DNS responses.
DNSSEC (Domain Name System Security Extensions) uses public-key cryptography to digitally sign DNS resource records, enabling resolving clients to verify that responses originate from an authoritative source and have not been tampered with. This directly addresses DNS cache poisoning, where an attacker injects fraudulent DNS records into a resolver's cache. Without DNSSEC, a resolver has no way to distinguish a legitimate response from a forged one.
Concept tested: DNSSEC protection against DNS cache poisoning
Source: https://learn.microsoft.com/en-us/windows-server/networking/dns/dnssec-overview
Topics
Community Discussion
No community discussion yet for this question.