Which of the following is a mitigation for DNS spoofing when a DNS server is vulnerable?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Which of the following is a mitigation for DNS spoofing when a DNS server is vulnerable?

Explanation:

The correct choice is to install (enable) DNS anti-spoofing measures on the resolver.

Preventing clients from being redirected by forged DNS answers depends on validating every response before it is cached or handed back. DNS anti-spoofing measures do exactly that, and in practice they combine two kinds of check. The first is cryptographic: with DNSSEC validation enabled, records from a signed zone are accepted only if their signatures chain to a trust anchor, so a forged record with no valid signature is discarded. The second is response matching: the resolver accepts a reply only if it arrives from the server the query was sent to, at the randomized source port the query left from, carries the same randomized 16-bit transaction ID, and echoes the question section (name, type and class) of the pending query, including any 0x20 case randomization applied to the name; records outside the bailiwick of the zone that was asked are dropped as well. On a server that is vulnerable to spoofing (a fixed source port or predictable transaction IDs, for example), turning these protections on means forged replies are rejected, which makes poisoning the cache or misleading clients far harder. One caveat a practitioner should keep in mind: the randomization checks raise the attacker's cost rather than eliminating the race, while DNSSEC validation rejects forgery outright but only for zones that are actually signed.

The other options do not prevent spoofing. Increasing TTL values keeps cached data longer, so a poisoned entry would also persist longer. A DNS proxy can filter or shape traffic, but unless it validates responses itself it forwards a spoofed answer like any other. Regularly checking DNS logs supports detection and incident response after the fact, but does nothing to stop a forged reply from being accepted in real time. The strongest and most direct mitigation is enabling DNS anti-spoofing protections.
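As an added worked example (not part of the CEH study material, and not any real resolver's code), the following Python shows the response-matching half of those anti-spoofing checks: a reply is accepted only if it comes from the right server to the right port, carries the pending transaction ID, and echoes the question section byte for byte, so the 0x20 case bits count. The packets, addresses, transaction IDs and the case-randomization mask are all constructed for the example; names are uncompressed and DNSSEC signature validation is deliberately out of scope.

```python
import struct
from dataclasses import dataclass

# Added example: the "does this reply match my pending query?" checks a resolver
# applies before trusting a DNS response. Packets are constructed by hand below;
# names are uncompressed and DNSSEC signature validation is out of scope here.

@dataclass
class PendingQuery:
    txid: int          # random 16-bit transaction ID chosen when the query was sent
    qname: str         # name exactly as sent, with 0x20 case randomization applied
    qtype: int
    server_ip: str     # upstream server the query went to
    src_port: int      # randomized ephemeral source port the query left from

def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels, case preserved."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data: bytes, offset: int):
    """Parse an uncompressed wire-format name; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def mix_case(name: str, mask: int) -> str:
    """0x20 encoding: upper-case character i when bit i of mask is set (random in practice)."""
    return "".join(c.upper() if (mask >> i) & 1 else c.lower() for i, c in enumerate(name))

def build_query(pending: PendingQuery) -> bytes:
    header = struct.pack("!HHHHHH", pending.txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(pending.qname) + struct.pack("!HH", pending.qtype, 1)

def build_response(txid: int, qname: str, qtype: int, ipv4: str) -> bytes:
    """One-question, one-A-record response; used for both real and forged replies."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # flags: QR=1 RD=1 RA=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer

def validate_response(pending: PendingQuery, src_ip: str, dst_port: int, packet: bytes):
    """Return (accepted, reason). Anything not matching the pending query is rejected."""
    if src_ip != pending.server_ip or dst_port != pending.src_port:
        return False, "wrong source address or destination port"
    if len(packet) < 12:
        return False, "truncated header"
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if txid != pending.txid:
        return False, "transaction ID mismatch"
    if not flags & 0x8000:
        return False, "QR bit clear: not a response"
    if qdcount != 1:
        return False, "unexpected question count"
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    # Byte-exact comparison keeps the 0x20 case bits significant.
    if (qname, qtype, qclass) != (pending.qname, pending.qtype, 1):
        return False, "question section does not match the query"
    return True, "accepted"

def demo() -> dict:
    """Legitimate reply versus three forgeries that each get one thing wrong."""
    pending = PendingQuery(txid=0x1A2B, qname=mix_case("www.example.com.", 0b1010011001),
                           qtype=1, server_ip="192.0.2.53", src_port=41234)
    good = build_response(pending.txid, pending.qname, 1, "198.51.100.10")
    # The attacker knows the name and guesses the txid, but sees neither the case bits nor the port.
    bad_case = build_response(pending.txid, "www.example.com.", 1, "203.0.113.66")
    bad_txid = build_response(0x1A2C, pending.qname, 1, "203.0.113.66")
    bad_port = build_response(pending.txid, pending.qname, 1, "203.0.113.66")
    return {
        "legit": validate_response(pending, "192.0.2.53", 41234, good),
        "wrong_case": validate_response(pending, "192.0.2.53", 41234, bad_case),
        "wrong_txid": validate_response(pending, "192.0.2.53", 41234, bad_txid),
        "wrong_port": validate_response(pending, "192.0.2.53", 53, bad_port),
    }

if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{label:11s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Each check is cheap, and together the random port, random transaction ID and case bits give an off-path attacker tens of bits to guess per forged packet. That is what "DNS anti-spoofing measures" buys on an otherwise vulnerable server; adding DNSSEC validation on top makes the accepted records verifiable rather than merely hard to forge.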
