Which of the following represents recommended DNS security practices?

Multiple Choice

Which of the following represents recommended DNS security practices?

Explanation:
DNS security works best when you combine layered defenses across the infrastructure. The strongest option reflects a practical, defense-in-depth stance: you harden the DNS servers themselves to reduce exploitable weaknesses, use split-horizon (or split-view) operation so internal and external views of DNS data don’t leak across networks, restrict zone transfers so only trusted servers can copy zone data, and place DNS servers on different subnets to avoid a single point of failure or a single compromised network segment taking down multiple resolvers. Together, these practices reduce the attack surface, prevent leaking sensitive internal mappings, and improve resilience and availability.

Hardening DNS servers sets a solid baseline by reducing unnecessary services, applying patches, tightening access controls, and improving logging and monitoring. Split-horizon operation minimizes information disclosure by returning different responses depending on where the query originates, so attackers exposed to your external view won’t see internal hostnames and topologies. Restricting zone transfers prevents attackers from obtaining the entire zone file, which could reveal a wealth of usable targets. Subnet diversity ensures that issues on one network segment don’t compromise all DNS servers, supporting continuity even if one path is compromised or fails.

Disabling caching and ignoring TTLs would degrade performance and reliability, increasing unnecessary load and latency rather than boosting security. Using only TCP for DNS queries removes the efficiency and practicality of normal UDP-based DNS operation; TCP is used for specific cases such as large responses or zone transfers, not as the sole transport for queries.
