Exam 70-741 topic 1 question 106 discussion

this one is correct. in addition to cache locking, you can use DNSSEC to prevent spoofing: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn593670(v%3Dws.11)

DNSSEC is the correct answer

C. DANE can be excluded. If you experience that clients request to incorrect DNS server, to prevent from tihs, you must use DANE.

I think A (sign) is correct. To begin with DNS spoofing attacks changes DNS record. In this time DNS spoofing attacks spoof nobody. When client requests changed DNS record, DNS send it to client. In this time client is spoofed by the record. Namely, DNS spoofing attacks change DNS record directry and spoof clients indirectry. Therefore to prevent from tihs attack you must shild DNS record, not client.

The given answer (question 22 page 37) is B (RRL). The given answer (question 106 page 22) is A (sign). DANE prevents clients from requesting to fake DNS servers.(*1) RRL prevents DNS servers from DDoS attacks.(*1) Signing prevents clients to receie responses from fake DNS server1.(*2) (*1) https://docs.microsoft.com/en-us/windows-server/networking/dns/what-s-new-in-dns-server (*2) https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn593670(v%3Dws.11)

Spoofing: someone or something pretends to be something else to gain access to a system. DNS spoofing: is the practice of assuming the DNS name of another system either by corrupting a name service cache or by compromising a DNS server for a valid domain. Answer is correct. Reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn593670(v%3Dws.11)

A. Sign the contoso.com zone.

Guys - Bonna, TMW , ITGEEK, Antony are correct... Correct answer is : A Its DNSSEC that can protect against spoofing attack. Read the below reference. " Improved security: Signing with DNSSEC can protect you from DNS spoofing attacks. " Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn593637(v%3dws.11)

Actually looking more into this, the correct answer is A sign the zone or in other words DNSSEC

The answer is DANE which is built on DNSSEC

RRL is to prevent DDOS attacks. The answer I would be looking for is cache locking, but it is not one of the answers....

I beleive the answer for this is Response Rate Limitting RRL, or Response Rate Limiting, tries to extenuate the DNS amplification attacks. In a DNS amplification attack, the attackers forge the IP address of the victim network and send a lot of queries to the DNS servers. The traditional DNS server responds back to all the queries it receives and as a result the victim network gets a huge amount of unwanted DNS responses . https://blogs.technet.microsoft.com/teamdhcp/2015/08/28/response-rate-limiting-in-windows-dns-server/