nerdexam
GIAC

GCIH · Question #682

Following the recent acquisition of a new business, your manager asks you to investigate their DNS service and report back on its status. He is concerned as they only have one DNS server in the organi

The correct answer is B. Ensure zone transfer requests from the acquired business' DNS server are disabled. Propose a. A single Internet-facing DNS server with zone transfers enabled is a critical risk, as attackers can harvest the entire DNS zone; the immediate first step is to disable unauthorized zone transfers and plan a proper DNS architecture.

Reconnaissance, Scanning, and Enumeration

Question

Following the recent acquisition of a new business, your manager asks you to investigate their DNS service and report back on its status. He is concerned as they only have one DNS server in the organization and it is visible on the Internet. What actions and recommendations should be taken as a first step?

Options

  • AReview the logs of the acquired business' firewall for port 53 traffic. Add a firewall rule to block
  • BEnsure zone transfer requests from the acquired business' DNS server are disabled. Propose a
  • CUse the nslookup command to direct the aquired business' DNS server to transfer its records to
  • DRemove the acquired business' DNS server from the network. Import its database entries into

How the community answered

(37 responses)
  • A
    11% (4)
  • B
    81% (30)
  • C
    3% (1)
  • D
    5% (2)

Why each option

A single Internet-facing DNS server with zone transfers enabled is a critical risk, as attackers can harvest the entire DNS zone; the immediate first step is to disable unauthorized zone transfers and plan a proper DNS architecture.

AReview the logs of the acquired business' firewall for port 53 traffic. Add a firewall rule to block

Reviewing firewall logs and blocking port 53 inbound would break DNS resolution for external clients; DNS must remain accessible on port 53 for the service to function.

BEnsure zone transfer requests from the acquired business' DNS server are disabled. Propose aCorrect

Zone transfer (AXFR) allows a full copy of a DNS zone to be downloaded, and leaving it unrestricted on a public-facing server lets any attacker enumerate all hostnames, IP addresses, and services in the organization. Disabling zone transfers to untrusted hosts closes this reconnaissance vector immediately, and proposing a split-horizon DNS design with a hidden primary and public secondary addresses the single-point-of-failure and exposure concerns raised by having only one Internet-visible DNS server.

CUse the nslookup command to direct the aquired business' DNS server to transfer its records to

Using nslookup to manually transfer zone records is itself the attack vector being protected against; initiating a zone transfer does not secure the server.

DRemove the acquired business' DNS server from the network. Import its database entries into

Removing the only DNS server without a replacement plan would cause an immediate service outage and does not address the underlying security architecture problem.

Concept tested: DNS zone transfer security and split-horizon DNS design

Source: https://learn.microsoft.com/en-us/windows-server/networking/dns/manage/secure-dns-deployment

Topics

#DNS zone transfer#DNS security#network enumeration#security hardening

Community Discussion

No community discussion yet for this question.

Full GCIH Practice