CompTIA Security+ (SY0-401) — Question 22
A network administrator wants to block both DNS requests and zone transfers coming from outside IP addresses. The company uses a firewall which implements an implicit allow and is currently configured with the following ACL applied to its external interface.
PERMIT TCP ANY ANY 80
PERMIT TCP ANY ANY 443
Which of the following rules would accomplish this task? (Choose two.)
Answer options
- A. Change the firewall default settings so that it implements an implicit deny
- B. Apply the current ACL to all interfaces of the firewall
- C. Remove the current ACL
- D. Add the following ACL at the top of the current ACL: DENY TCP ANY ANY 53
- E. Add the following ACL at the bottom of the current ACL: DENY ICMP ANY ANY 53
- F. Add the following ACL at the bottom of the current ACL: DENY IP ANY ANY 53
Correct answer: A, F
Explanation
Because the firewall currently implements an implicit allow, any traffic not matched by the two PERMIT entries (including DNS on port 53) is passed through. Changing the firewall's default settings to implement an implicit deny (Option A) ensures that all traffic not explicitly permitted is blocked, which prevents unauthorized DNS requests and zone transfers from outside addresses. Adding an ACL entry that denies all IP traffic on port 53 (Option F) at the bottom of the current ACL also blocks DNS requests and zone transfers, since rules are evaluated in order and the two existing PERMIT entries only match ports 80 and 443. The other options do not adequately address the requirement to block DNS traffic from external sources.