Exam CISA topic 1 question 96 discussion

I think answer should be D because if DNS is hijacked then it then DNS queries are incorrectly resolved in order to unexpectedly redirect users to malicious sites

DNS hardening

D. Perform domain name system (DNS) server security hardening. The best control to mitigate attacks that redirect Internet traffic to an unauthorized website is to perform domain name system (DNS) server security hardening (Option D). DNS server security hardening involves implementing measures to secure DNS infrastructure, preventing DNS attacks such as DNS spoofing, cache poisoning, and DNS redirection. By strengthening the security of DNS servers, organizations can help ensure the accuracy and integrity of DNS responses, reducing the risk of users being redirected to unauthorized websites.

D is the correct answer here.

D is the best answer

DNS hardening is the one

I vote for D. This is a kind of DNS Hijacking attack. If the DNS Hijacking attack is performed successful, firewall or IDS or WAF is useless. Hence, the best practice to prevent this kind of attack is protecting your DNS Records/Server.

a is correct A web application firewall is a great first line of defense for directing malicious actors away from your website. Using a WAF guards your site against the most common types of attacks, and some solutions even provide security reports that highlight important data (such as site traffic)

I also think D can be correct.. DNS server hardening can prevent pharming attacks

it's talking about the firewall not IDS. Are you assuming that firewall ha the IDS capabilities?

A is correct because If a network-based IDS is placed between the Internet and the firewall, it will detect all the attack attempts, whether or not they enter the firewall. If the IDS is placed between a firewall and the corporate network, it will detect those attacks that enter the firewall (it will detect intruders). The IDS is not a substitute for a firewall, but it complements the function of a firewall.