209. Which of the following are the primary software components of a domain name system (DNS)?
1. Operating system
2. File system
3. Name server
4. Resolver
a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 3 and 4
209. d. The primary software components of the domain name system (DNS) are the name server and the resolver. The operating system, file system, and communication stack are part of the DNS hosting environment, not of the DNS software itself.
210. Which of the following is the primary type of domain name system (DNS) data?
a. Configuration file
b. Zone file
c. File system
d. Zone transfer
210. b. The primary type of domain name system (DNS) data is the zone file, which contains information about the various resources in that zone. The information about each resource is represented in a record called a Resource Record (RR). Logically, a zone file is made up of several RR sets (RRsets).
The configuration file is incorrect because it is a secondary type of DNS data. The file system is incorrect because it is part of the DNS hosting environment. Zone transfer is incorrect because it is one of the DNS transactions, not a type of DNS data.
211. Which of the following configurations is not a good security practice for a single domain name system (DNS) name server to perform?
a. Both authoritative name server and recursive name server
b. Both caching name server and local name server
c. Both primary name server and secondary name server
d. Both master name server and slave name server
211. a. A single name server can be configured to be both an authoritative and a recursive name server. In this configuration, the same name server provides authoritative information for queries pertaining to its authoritative zones while it performs the resolving function for queries pertaining to other zones. To perform the resolving function, it has to support recursive queries. Any server that supports recursive queries is more vulnerable to attack than a server that does not, so the authoritative information it holds might be compromised. Therefore, it is not a good security practice to configure a single name server to perform both authoritative and recursive functions.
Caching name server and local name server are incorrect because a caching name server generally is the local name server in the enterprise that performs the name resolution function on behalf of the various enterprise clients. A caching name server, also called a resolving/recursive name server, provides responses either through a series of queries to authoritative name servers in the hierarchy of domains found in the name resolution query or from a cache of responses built by using previous queries.
Primary, secondary, master, and slave name servers are incorrect because a master (or primary) name server contains zone files created and edited manually by the zone administrator. A slave (or secondary) name server also contains authoritative information for a zone, but its zone file is a replication of the one in the associated master name server. The replication is enabled through a transaction called “zone transfer” that transfers all Resource Records (RRs) from the zone file of a master name server to the slave name server.
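The check described in the answer to question 211 can be automated against a name server's configuration. The following is an added example, not code from the page or from any DNS product: a small linter that assumes BIND-style named.conf syntax (the `recursion` option and `zone ... { type master; }` blocks) and flags a server that both hosts authoritative zones and has recursion enabled. The three configuration strings are constructed samples; the combined one is the configuration the answer warns against, the other two show the separated roles.

```python
import re

# Constructed sample of a BIND-style named.conf (example input, not from the page):
# one server hosts an authoritative zone AND answers recursive queries.
COMBINED_CONF = """
options {
    directory "/var/named";
    recursion yes;
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
"""

# The authoritative half of a split deployment: same zone, recursion turned off.
AUTHORITATIVE_CONF = COMBINED_CONF.replace("recursion yes;", "recursion no;")

# The resolving half of a split deployment: recursion on, no authoritative zones.
RESOLVER_CONF = """
options { recursion yes; allow-recursion { 192.0.2.0/24; }; };
"""

_RECURSION = re.compile(r"\brecursion\s+(yes|no)\s*;", re.IGNORECASE)
_ZONE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\};', re.DOTALL | re.IGNORECASE)
_TYPE = re.compile(r"\btype\s+(\w+)\s*;", re.IGNORECASE)
AUTHORITATIVE_TYPES = {"master", "primary", "slave", "secondary"}


def recursion_enabled(conf: str) -> bool:
    """True if the global recursion option is yes. BIND's default when the
    option is absent is recursion yes, so absence counts as enabled."""
    m = _RECURSION.search(conf)
    return m is None or m.group(1).lower() == "yes"


def authoritative_zones(conf: str) -> list:
    """Names of the zones this server serves authoritatively (primary or secondary);
    hint and forward zones are ignored."""
    zones = []
    for name, body in _ZONE.findall(conf):
        t = _TYPE.search(body)
        if t and t.group(1).lower() in AUTHORITATIVE_TYPES:
            zones.append(name)
    return zones


def check_role_separation(conf: str) -> list:
    """Flag a single name server configured as both authoritative and recursive."""
    zones = authoritative_zones(conf)
    if zones and recursion_enabled(conf):
        return ["recursion is enabled on a server authoritative for: " + ", ".join(zones)]
    return []


if __name__ == "__main__":
    for label, conf in [("combined", COMBINED_CONF), ("authoritative", AUTHORITATIVE_CONF),
                        ("resolver", RESOLVER_CONF)]:
        print(label, check_role_separation(conf) or "ok")
```

Only the combined configuration produces a finding; the authoritative-only and resolver-only configurations pass, which is the separation of roles the answer recommends.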
212. Which of the following is the most common transaction in a domain name system (DNS)?
a. DNS query/response
b. Zone transfer
c. Dynamic updates
d. DNS NOTIFY message
212. a. Domain name system (DNS) query/response is the most common transaction in DNS. The most common query is a search for a Resource Record (RR), based on its owner name or RR type. The response may consist of a single RR, an RRset, or an appropriate error message.
A zone transfer is incorrect because it refers to the way a secondary (slave) server refreshes the entire contents of its zone file from the primary (master) name server. The dynamic update facility is incorrect because it provides operations for the addition and deletion of RRs in the zone file. The DNS NOTIFY message is incorrect because it signals a secondary DNS server to initiate a zone transfer.
213. What does a domain name system (DNS) query originate from?
a. Authoritative name server
b. Resolver
c. Caching name server
d. Recursive name server
213. b. A resolver, a component of DNS, accesses the services provided by a DNS name server on behalf of user programs. A DNS query originates from a resolver; the destination is an authoritative or caching name server.
An authoritative name server for a zone is incorrect because it provides responses to name resolution queries for resources in that zone, using the Resource Records (RRs) in its own zone file. Caching and recursive name servers are incorrect because the two primary categories of resolver, distinguished by functionality, are (i) the caching, recursive, resolving name server and (ii) the stub resolver.
214. A user datagram protocol (UDP) packet is associated with which of the following when sending domain name system (DNS) queries?
1. Truncation
2. Little or no truncation
3. Higher overhead
4. Lower overhead
a. 1 only
b. 4 only
c. 1 and 4
d. 2 and 3
214. c. Domain name system (DNS) queries are sent in a single UDP packet. The response usually is a single UDP packet as well, but a response too large for the packet is truncated. UDP consumes lower overhead of resources. TCP, on the other hand, results in little or no truncation but consumes higher overhead of resources.
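The following added example (not code from the page) shows the message mechanics behind the answers to questions 213 and 214: the resolver builds a single-datagram query, parses the 12-byte header of the UDP reply, and uses the TC (truncation) bit to decide whether the query must be repeated over TCP, where each message carries a 2-byte length prefix. The truncated response is constructed locally so the example runs offline; no network is used.

```python
import struct

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080  # header flag bits (RFC 1035 4.1.1)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txn_id: int, name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Standard query with one question and RD set: what a resolver sends in one UDP datagram."""
    header = struct.pack("!HHHHHH", txn_id, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_header(msg: bytes) -> dict:
    """Split the fixed 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than the DNS header")
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(response: bytes, expected_id: int) -> bool:
    """Resolver decision after a UDP reply: a set TC bit means the answer did
    not fit in the datagram and the query must be repeated over TCP."""
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        raise ValueError("not a response to our query")
    return h["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def fake_truncated_response(query: bytes) -> bytes:
    """Constructed sample reply: echoes the query ID, sets QR, RA and TC, and
    carries only the question section, as a server does when the answer is too big."""
    txn_id = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txn_id, QR | TC | RD | RA, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query(0x1234, "example.com", qtype=16)  # qtype 16 = TXT
    r = fake_truncated_response(q)
    if needs_tcp_retry(r, 0x1234):
        print("UDP reply truncated; resend over TCP as", tcp_frame(q).hex())
```

The same parser applies to a real reply from a socket; only the constructed response is replaced by the received bytes. Checking that the transaction ID and QR bit match before trusting the rest of the header is the minimum a resolver should do with any UDP reply.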
215. Which of the following is not an example of domain name system (DNS) host platform threats?
a. Buffer overflow attack
b. Zone drift error
c. Packet flooding attack
d. Address resolution protocol spoofing attack
215. b. Zone drift error is a threat arising from domain name system (DNS) data contents, not a DNS host platform threat. Zone drift error results in incorrect zone data at the secondary name servers when there is a mismatch of data between the primary and secondary name servers. A buffer overflow attack, a packet flooding attack, and an Address Resolution Protocol (ARP) spoofing attack are examples of DNS host platform threats.
216. All the following are best practice protection approaches for domain name system (DNS) software except:
a. Running name server software with restricted privileges
b. Isolating name server software
c. Developing the zone file integrity checker software
d. Removing name server software from nondesignated hosts
216. c. Developing zone file integrity checker software is a DNS data content control protection approach, not a DNS software protection approach. The other three choices are incorrect because they are examples of DNS software protection approaches.
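The zone file structure from question 210 (RRsets of Resource Records), the zone drift error from question 215 (a mismatch between primary and secondary copies), and the zone file integrity checker from question 216 all operate on the same data, so one added example covers the three. This is example code, not from the page or from any DNS product: a small master-file parser that groups records into RRsets, a drift check that compares a primary zone with a secondary's copy, and a content integrity check run before a zone is loaded. The two zone files are constructed samples; the secondary copy has an older SOA serial and is missing one A record.

```python
from collections import defaultdict

# Constructed sample zone (example data, not from the page).
PRIMARY_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2024060102 ; serial
         7200 900 1209600 300 )
@    IN NS  ns1.example.com.
@    IN NS  ns2.example.com.
ns1  IN A   192.0.2.1
ns2  IN A   192.0.2.2
www  IN A   192.0.2.10
www  IN A   192.0.2.11
"""
# The secondary's copy has drifted: older serial, one www record missing.
SECONDARY_ZONE = "\n".join(l for l in PRIMARY_ZONE.splitlines()
                           if "192.0.2.11" not in l).replace("2024060102", "2024060101") + "\n"

NAME_TYPES = {"NS", "CNAME", "MX", "PTR", "SOA"}  # rdata contains domain names


def _qualify(name, origin):
    """Turn '@' or a relative name into a fully qualified name under origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}." if origin == "." else f"{name}.{origin}"


def _records(text):
    """Yield (tokens, owner_omitted) per logical record, joining '( ... )'
    continuations and dropping ';' comments and blank lines."""
    buf, depth, first = [], 0, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            if not line.strip():
                continue
            first = raw  # leading whitespace means "same owner as previous record"
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf).split(), first[:1].isspace()
            buf = []


def parse_zone(text):
    """Parse master-file syntax into RRsets keyed by (owner, type); each RRset is
    the set of rdata strings. Returns (rrsets, soa_serial)."""
    origin, last_owner, serial = ".", None, None
    rrsets = defaultdict(set)
    for tokens, owner_omitted in _records(text):
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue  # the default TTL does not affect a content comparison
        owner = last_owner if owner_omitted else _qualify(tokens.pop(0), origin)
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)  # optional TTL and class, in either order
        rtype = tokens.pop(0).upper()
        if rtype in NAME_TYPES:
            tokens = [t if t.isdigit() else _qualify(t, origin) for t in tokens]
        if rtype == "SOA":
            serial = int(tokens[2])
        rrsets[(owner, rtype)].add(" ".join(tokens))
    return dict(rrsets), serial


def zone_drift(primary_text, secondary_text):
    """Report drift between a primary zone and a secondary's copy: a serial
    mismatch, plus every non-SOA RRset whose contents differ."""
    p_rr, p_serial = parse_zone(primary_text)
    s_rr, s_serial = parse_zone(secondary_text)
    findings = []
    if p_serial != s_serial:
        findings.append(f"SOA serial mismatch: primary={p_serial} secondary={s_serial}")
    for owner, rtype in sorted(set(p_rr) | set(s_rr)):
        if rtype != "SOA" and p_rr.get((owner, rtype)) != s_rr.get((owner, rtype)):
            findings.append(f"RRset {rtype} {owner} differs")
    return findings


def integrity_check(text):
    """Content checks a zone file integrity checker runs before the zone is loaded."""
    rrsets, _ = parse_zone(text)
    apex = next((o for o, t in rrsets if t == "SOA"), None)
    if apex is None:
        return ["no SOA record"]
    problems = []
    if (apex, "NS") not in rrsets:
        problems.append("no NS records at zone apex")
    for host in sorted(rrsets.get((apex, "NS"), ())):
        in_zone = host == apex or host.endswith("." + apex)
        if in_zone and (host, "A") not in rrsets and (host, "AAAA") not in rrsets:
            problems.append(f"in-zone name server {host} has no address record")
    return problems
```

Running `zone_drift(PRIMARY_ZONE, SECONDARY_ZONE)` reports the serial mismatch and the differing `www` A RRset, which is exactly the condition question 215 calls a zone drift error; `integrity_check` on the primary copy returns no problems, while a zone lacking an SOA or lacking an address record for an in-zone name server is reported before it would be served.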