SY0-301 Question #777: Real Exam Question with Answer & Explanation
The correct answer is A: Change the firewall default settings so that it implements an implicit deny.
Question
Options
- A. Change the firewall default settings so that it implements an implicit deny
- B. Apply the current ACL to all interfaces of the firewall
- C. Remove the current ACL
- D. Add the following ACL at the top of the current ACL: `DENY TCP ANY ANY 53`
- E. Add the following ACL at the bottom of the current ACL: `DENY ICMP ANY ANY 53`
- F. Add the following ACL at the bottom of the current ACL: `DENY IP ANY ANY 53`
Explanation
DNS uses port 53 for both queries (typically UDP) and zone transfers (TCP). The firewall currently uses an implicit allow, meaning anything not explicitly permitted is allowed, so DNS traffic flows freely. Option A changes the firewall to implicit deny, meaning only traffic explicitly permitted (TCP 80 and 443) is allowed; all other traffic, including DNS, is blocked by default. Option F adds an explicit `DENY IP ANY ANY 53` rule at the bottom, which blocks port 53 for all IP protocols (both TCP and UDP), covering DNS queries and zone transfers. Option D only denies TCP port 53 and misses UDP DNS queries. Option E incorrectly uses ICMP, which does not use port numbers. Together, A and F provide the most complete and correct solution.
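As an added illustration (not part of the original question or its explanation), a toy first-match ACL evaluator that replays each option against the DNS traffic the explanation describes. The rule/packet model, the constructed sample packets and the assumption that the current ACL permits only TCP 80 and 443 are mine.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "PERMIT" or "DENY"
    proto: str            # "TCP", "UDP", "ICMP", or "IP" (IP matches any protocol)
    port: Optional[int]   # destination port; None means ANY

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: Optional[int]  # ICMP carries no port number

def matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.proto == "IP" or rule.proto == pkt.proto
    port_ok = rule.port is None or rule.port == pkt.dport
    return proto_ok and port_ok

def evaluate(acl: List[Rule], pkt: Packet, default: str) -> str:
    """First-match evaluation; the default policy decides when nothing matches.
    default="PERMIT" models implicit allow, default="DENY" models implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return default

def dns_blocked(acl: List[Rule], default: str) -> bool:
    """True only when both the UDP query and the TCP zone transfer are denied."""
    return all(evaluate(acl, p, default) == "DENY" for p in (DNS_QUERY, ZONE_TRANSFER))

# Constructed sample traffic and the assumed current ACL (only TCP 80/443 permitted).
DNS_QUERY = Packet("UDP", 53)
ZONE_TRANSFER = Packet("TCP", 53)
HTTPS = Packet("TCP", 443)
CURRENT_ACL = [Rule("PERMIT", "TCP", 80), Rule("PERMIT", "TCP", 443)]

# Option D: DENY TCP ANY ANY 53 at the top; UDP queries still slip through.
OPTION_D_ACL = [Rule("DENY", "TCP", 53)] + CURRENT_ACL
# Option E: DENY ICMP ANY ANY 53 at the bottom; an ICMP rule never matches DNS.
OPTION_E_ACL = CURRENT_ACL + [Rule("DENY", "ICMP", 53)]
# Option F: DENY IP ANY ANY 53 at the bottom; covers both TCP and UDP on port 53.
OPTION_F_ACL = CURRENT_ACL + [Rule("DENY", "IP", 53)]

if __name__ == "__main__":
    print("implicit allow, current ACL, UDP/53:", evaluate(CURRENT_ACL, DNS_QUERY, "PERMIT"))
    print("option A blocks DNS:", dns_blocked(CURRENT_ACL, "DENY"),
          "and still permits HTTPS:", evaluate(CURRENT_ACL, HTTPS, "DENY"))
    for name, acl in (("D", OPTION_D_ACL), ("E", OPTION_E_ACL), ("F", OPTION_F_ACL)):
        print(f"option {name} blocks DNS under implicit allow:", dns_blocked(acl, "PERMIT"))
```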