CISSP PRACTICE QUESTIONS – 20210613

Effective CISSP Questions

Your company has implemented an on-premises master DNS server in the DMZ protected by a firewall. You are deploying a slave DNS to the cloud for availability concerns. Which of the following is the most feasible firewall policy to allow zone transfer? (Wentz QOTD)
A. Allow UDP port = 53 and RR = AXFR
B. Allow TCP port = 53 and RR = AXFR
C. Allow UDP port = 53 and Source IP = the slave DNS
D. Allow TCP port = 53 and Source IP = the slave DNS

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Allow TCP port = 53 and Source IP = the slave DNS.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

There are three roles in the typical DNS operation:

  • DNS Resolver
  • Primary/Master DNS Server
  • Secondary/Slave DNS Server(s)

Zone Transfer

TCP 53 is used between the primary/master DNS server and one or more secondary/slave DNS servers for zone transfer. The transfer is requested by the slave, which sends an AXFR (full transfer, query type 252) or IXFR (incremental transfer, query type 251) query to the master; because a zone can be far larger than a single UDP datagram, the exchange runs over TCP. AXFR is therefore not a resource record but a query type carried inside the DNS payload, and a packet-filtering firewall has nothing to match it on: what it can match is the protocol, the port and the source address. That is why option D is the feasible policy: allow inbound TCP 53 to the master from the slave's IP address only. A source-IP check at the firewall does not authenticate the peer, so back it with the same restriction on the server itself (for example BIND's allow-transfer) and with TSIG-signed transfers.

[Figure: Zone Transfer (Source: CloudFlare)]

Name Resolution

UDP 53 is used between the DNS resolver and the DNS server for domain name resolution. When a response does not fit in a UDP datagram, the server sets the TC (truncated) bit and the resolver repeats the query over TCP 53, so TCP 53 is not reserved for zone transfers; RFC 7766 requires both resolvers and authoritative servers to support DNS over TCP.

[Figure: DNS Client and DNS Server (Source: HPE)]
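The two points above (AXFR is a query type inside the DNS payload, and UDP resolution falls back to TCP when the TC bit is set) are easier to see on the wire. The following is an added example written for this page, not code from the original post or from any DNS product: it builds RFC 1035 query and response messages, parses the question section the way a DNS-aware proxy would have to, and contrasts that with a packet filter that only sees protocol, port and source address. The zone name, the slave address 203.0.113.10 and the truncated reply are all constructed.

```python
# Added example (not code from the original post): builds DNS query/response
# messages on the wire to show where the AXFR type actually lives, why a packet
# filter can only match addresses, protocol and port, and how a resolver detects
# the UDP-to-TCP fallback. Names and addresses below are constructed.
import struct

QTYPE = {"A": 1, "AAAA": 28, "AXFR": 252}
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read an uncompressed name starting at off; returns (name, next_offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:  # compression pointers do not occur in the question section we build
            raise ValueError("compressed name not supported")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(qname: str, qtype: str, txid: int = 0x1234, tcp: bool = False) -> bytes:
    """RFC 1035 header + one question. TCP carries the same message behind a
    2-byte length prefix (RFC 1035 section 4.2.2); that prefix is the only
    framing difference between a UDP query and an AXFR request over TCP."""
    flags = 0 if qtype == "AXFR" else FLAG_RD  # zone transfers are not recursive queries
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg if tcp else msg


def parse_question(msg: bytes, tcp: bool = False) -> dict:
    """Parse the header and the first question. This is payload inspection,
    which a packet filter does not perform."""
    if tcp:
        (length,) = struct.unpack("!H", msg[:2])
        msg = msg[2:2 + length]
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "qname": qname, "qtype": qtype, "qclass": qclass}


def truncated_response(query: bytes) -> bytes:
    """Constructed UDP reply with TC=1: the answer did not fit, so the server
    echoes only header and question and the client must retry over TCP."""
    q = parse_question(query)
    header = struct.pack("!HHHHHH", q["id"], FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
    return header + query[12:]


def needs_tcp_retry(udp_response: bytes) -> bool:
    """A resolver's fallback decision: TC set means repeat the query over TCP 53."""
    return parse_question(udp_response)["tc"]


def expressible_by_packet_filter(rule: dict) -> bool:
    """A stateful packet filter matches L3/L4 fields only. A rule that names an
    RR or query type (options A/B) needs a DNS-aware proxy or IPS, not a firewall rule."""
    return rule.keys() <= {"proto", "dport", "src"}


def packet_filter(rule: dict, pkt: dict) -> bool:
    """Evaluate a 5-tuple style rule; the DNS payload is opaque at this layer."""
    if not expressible_by_packet_filter(rule):
        raise ValueError("rule references DNS payload fields; not a packet-filter rule")
    return pkt["proto"] == rule["proto"] and pkt["dport"] == rule["dport"] and pkt["src"] in rule["src"]


if __name__ == "__main__":
    axfr = build_query("example.com.", "AXFR", tcp=True)
    print("AXFR over TCP:", axfr.hex())
    print("parsed question:", parse_question(axfr, tcp=True))
    rule_d = {"proto": "tcp", "dport": 53, "src": {"203.0.113.10"}}  # constructed slave IP
    pkt = {"src": "203.0.113.10", "proto": "tcp", "dport": 53, "payload": axfr}
    print("option D allows the slave:", packet_filter(rule_d, pkt))
    print("option B expressible as a firewall rule:",
          expressible_by_packet_filter({"proto": "tcp", "dport": 53, "rr": "AXFR"}))
    a = build_query("example.com.", "A")
    print("UDP reply needs TCP retry:", needs_tcp_retry(truncated_response(a)))
```

Running the block prints the AXFR request as hex: after the 2-byte TCP length, the 12-byte header and the question name, the bytes `00 fc 00 01` are the only place "AXFR" appears, which is why a firewall rule keyed on the 5-tuple (option D) is the feasible one and a rule keyed on "RR = AXFR" is not.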

Resource Record (RR)

The Domain Name System specifies a database of information elements for network resources. The types of information elements are categorized and organized with a list of DNS record types, the resource records (RRs). Each record has a type (name and number), an expiration time (time to live), a class, and type-specific data. Resource records of the same type are described as a resource record set (RRset), having no special ordering.

Source: Wikipedia

The following screenshot shows sample resource records of types A and AAAA.

Your company has deployed an on-premises master DNS server in a DMZ protected by a firewall. For availability reasons, you are deploying a slave DNS to the cloud. Which of the following is the most feasible firewall policy to allow zone transfer? (Wentz QOTD)
A. Allow UDP port = 53 and RR = AXFR
B. Allow TCP port = 53 and RR = AXFR
C. Allow UDP port = 53 and Source IP = the slave DNS
D. Allow TCP port = 53 and Source IP = the slave DNS

