LFCS Question #378: Real Exam Question with Answer & Explanation
The correct answer is A: Run the BIND daemon as a nonroot user. To enhance BIND server security, one should run the daemon with minimal privileges (as a non-root user), configure Access Control Lists (ACLs) to restrict access, and isolate the daemon within a chroot jail.
Question
Which of the following can be done to secure a BIND server? (Select THREE correct answers)
Options
- A. Run the BIND daemon as a nonroot user.
- B. Configure ACLs.
- C. Require clients to authenticate with a password before querying the server.
- D. Run the BIND daemon in a chroot jail.
- E. Encrypt DNS traffic using SSL/TLS.
Explanation
To enhance BIND server security, one should run the daemon with minimal privileges (as a non-root user), configure Access Control Lists (ACLs) to restrict access, and isolate the daemon within a chroot jail.
Common mistakes.
- C. Standard DNS queries do not involve client authentication with passwords before querying the server; while DNSSEC provides authenticity, simple queries are unauthenticated.
- E. While DNS over TLS (DoT) or DNS over HTTPS (DoH) can encrypt DNS traffic, this is a client-server protocol enhancement for privacy and integrity, not a direct security hardening for the BIND server itself to prevent attacks like cache poisoning.
Concept tested. BIND server security hardening
Reference. https://bind9.readthedocs.io/en/latest/advanced.html#security-and-best-practices