Networking with Windows Server 2016 — Question 50
You have two DNS servers named Server1 and Server2.
All client computers run Windows 10 and are configured to use Server1 for DNS name resolution.
Server2 hosts a primary zone named contoso.com.
Your network recently experienced several DNS spoofing attacks on the contoso.com zone.
You need to prevent further attacks from succeeding.
What should you do on Server2?
Answer options
- A. Sign the contoso.com zone.
- B. Configure Response Rate Limiting (RRL).
- C. Configure DNS-based Authentication of Named Entities (DANE) for the contoso.com zone.
- D. Configure the contoso.com zone to be Active Directory-integrated.
Correct answer: A
Explanation
Signing the contoso.com zone (option A) is the correct solution because it protects the zone with DNSSEC, which helps prevent spoofing attacks by ensuring that DNS responses are authentic. Options B and C address other aspects of DNS security but do not prevent spoofing as directly or as effectively as signing the zone. Option D integrates the zone with Active Directory, which does not specifically address spoofing attacks.