GCIH · Question #682
Following the recent acquisition of a new business, your manager asks you to investigate their DNS service and report back on its status. He is concerned as they only have one DNS server in the organi
The correct answer is B. Ensure zone transfer requests from the acquired business' DNS server are disabled. Propose a. A single Internet-facing DNS server with zone transfers enabled is a critical risk, as attackers can harvest the entire DNS zone; the immediate first step is to disable unauthorized zone transfers and plan a proper DNS architecture.
Question
Following the recent acquisition of a new business, your manager asks you to investigate their DNS service and report back on its status. He is concerned as they only have one DNS server in the organization and it is visible on the Internet. What actions and recommendations should be taken as a first step?
Options
- AReview the logs of the acquired business' firewall for port 53 traffic. Add a firewall rule to block
- BEnsure zone transfer requests from the acquired business' DNS server are disabled. Propose a
- CUse the nslookup command to direct the aquired business' DNS server to transfer its records to
- DRemove the acquired business' DNS server from the network. Import its database entries into
How the community answered
(37 responses)- A11% (4)
- B81% (30)
- C3% (1)
- D5% (2)
Why each option
A single Internet-facing DNS server with zone transfers enabled is a critical risk, as attackers can harvest the entire DNS zone; the immediate first step is to disable unauthorized zone transfers and plan a proper DNS architecture.
Reviewing firewall logs and blocking port 53 inbound would break DNS resolution for external clients; DNS must remain accessible on port 53 for the service to function.
Zone transfer (AXFR) allows a full copy of a DNS zone to be downloaded, and leaving it unrestricted on a public-facing server lets any attacker enumerate all hostnames, IP addresses, and services in the organization. Disabling zone transfers to untrusted hosts closes this reconnaissance vector immediately, and proposing a split-horizon DNS design with a hidden primary and public secondary addresses the single-point-of-failure and exposure concerns raised by having only one Internet-visible DNS server.
Using nslookup to manually transfer zone records is itself the attack vector being protected against; initiating a zone transfer does not secure the server.
Removing the only DNS server without a replacement plan would cause an immediate service outage and does not address the underlying security architecture problem.
Concept tested: DNS zone transfer security and split-horizon DNS design
Source: https://learn.microsoft.com/en-us/windows-server/networking/dns/manage/secure-dns-deployment
Topics
Community Discussion
No community discussion yet for this question.