nerdexam
CompTIA

SY0-301 · Question #777

A network administrator wants to block both DNS requests and zone transfers coming from outside IP addresses. The company uses a firewall which implements an implicit allow and is currently configured

The correct answer is A. Change the firewall default settings so that it implements an implicit deny F. Add the following ACL at the bottom of the current ACLDENY IP ANY ANY 53. DNS uses port 53 for both queries (typically UDP) and zone transfers (TCP). The firewall currently uses an implicit allow, meaning anything not explicitly permitted is allowed - so DNS traffic flows freely. Option A changes the firewall to implicit deny, meaning only traffic expl

Security architecture

Question

A network administrator wants to block both DNS requests and zone transfers coming from outside IP addresses. The company uses a firewall which implements an implicit allow and is currently configured with the following ACL applied to its external interfacE. PERMIT TCP ANY ANY 80 PERMIT TCP ANY ANY 443 Which of the following rules would accomplish this task? (Select TWO).

Options

  • AChange the firewall default settings so that it implements an implicit deny
  • BApply the current ACL to all interfaces of the firewall
  • CRemove the current ACL
  • DAdd the following ACL at the top of the current ACLDENY TCP ANY ANY 53
  • EAdd the following ACL at the bottom of the current ACLDENY ICMP ANY ANY 53
  • FAdd the following ACL at the bottom of the current ACLDENY IP ANY ANY 53

How the community answered

(25 responses)
  • A
    64% (16)
  • B
    8% (2)
  • C
    4% (1)
  • D
    4% (1)
  • E
    20% (5)

Explanation

DNS uses port 53 for both queries (typically UDP) and zone transfers (TCP). The firewall currently uses an implicit allow, meaning anything not explicitly permitted is allowed - so DNS traffic flows freely. Option A changes the firewall to implicit deny, meaning only traffic explicitly permitted (TCP 80 and 443) is allowed; all other traffic including DNS is blocked by default. Option F adds an explicit 'DENY IP ANY ANY 53' rule at the bottom, which blocks port 53 for all IP protocols (both TCP and UDP), covering DNS queries and zone transfers. Option D only denies TCP port 53 (missing UDP DNS queries). Option E incorrectly uses ICMP, which does not use port numbers. Together, A and F provide the most complete and correct solution.

Topics

#ACL#DNS security#zone transfer#firewall rules

Community Discussion

No community discussion yet for this question.

Full SY0-301 Practice