nerdexam
CompTIA

LX0-104 · Question #378

Which of the following can be done to secure a BIND server? (Select THREE correct answers)

The correct answer is A. Run the BIND daemon as a nonroot user. B. Configure ACLs. D. Run the BIND daemon in a chroot jail. Securing a BIND server involves reducing its attack surface and limiting its capabilities, such as running it as an unprivileged user within a chroot jail and restricting access with ACLs.

Security

Question

Which of the following can be done to secure a BIND server? (Select THREE correct answers)

Options

  • ARun the BIND daemon as a nonroot user.
  • BConfigure ACLs.
  • CRequire clients to authenticate with a password before querying the server.
  • DRun the BIND daemon in a chroot jail
  • EEncrypt DNS traffic using SSL/TLS.

How the community answered

(59 responses)
  • A
    95% (56)
  • C
    2% (1)
  • E
    3% (2)

Why each option

Securing a BIND server involves reducing its attack surface and limiting its capabilities, such as running it as an unprivileged user within a chroot jail and restricting access with ACLs.

ARun the BIND daemon as a nonroot user.Correct

Running the BIND daemon (named) as a non-root, unprivileged user limits the damage an attacker could inflict if they compromise the DNS server process, preventing them from gaining full system control.

BConfigure ACLs.Correct

Configuring Access Control Lists (ACLs) within BIND allows administrators to specify which hosts or networks are permitted to query the server, perform zone transfers, or update records, thus restricting unauthorized access.

CRequire clients to authenticate with a password before querying the server.

Standard DNS clients do not authenticate with passwords for querying a server; while DNSSEC provides data origin authentication and integrity, general client queries are not password-authenticated.

DRun the BIND daemon in a chroot jailCorrect

Running the BIND daemon in a chroot jail confines the process to a specific directory tree, preventing it from accessing or modifying files outside that designated environment even if it is compromised, significantly limiting the scope of a potential breach.

EEncrypt DNS traffic using SSL/TLS.

While DNS over TLS (DoT) or DNS over HTTPS (DoH) can encrypt DNS traffic, this secures the transport rather than the BIND server's internal hardening against compromise or unauthorized access, and is not a typical configuration option for BIND security itself.

Concept tested: BIND server security best practices (privilege, access, containment)

Source: https://www.isc.org/docs/BIND_AdminRef_2_2.pdf

Topics

#BIND#DNS security#chroot jail#ACLs

Community Discussion

No community discussion yet for this question.

Full LX0-104 Practice