Exam AZ-300 topic 2 question 37 discussion

Wrong - if you remove Rule2, users can still only access HTTP as there is no other rule allowing UDP/53 (which is DNS). Only TCP/53 is then allowed but this is for DNS zone transfers not queries.

With port 3389 open, wouldnt you be able to connect to both? With port 53 being blocked the DNS services itself would be blocked, but connections to both would be allowed as RDP?

Anybody see Rule3? Deny port 80 outbound

Given answer is correct. Look only at inbound rules. In first dropdown, Rule 2 is blocking DNS traffic, but otherwise web traffic will be allowed when it hit Rule 1. In second dropdown, after Rule 2 is deleted, both DNS and web traffic will be allowed by Rule 1.

Accordingly with this link from Microsoft, a client is able to use also TCP to query a DNS server: https://support.microsoft.com/en-us/help/556000#:~:text=DNS%20and%20some%20other%20services%20work%20on%20both%20the%20protocols.&text=DNS%20uses%20TCP%20for%20Zone,information%20larger%20than%20512%20bytes. "DNS uses TCP for Zone transfer and UDP for name queries either regular (primary) or reverse. UDP can be used to exchange small information whereas TCP must be used to exchange information larger than 512 bytes. If a client doesn't get response from DNS it must re-transmit the data using TCP after 3-5 seconds of interval." So the given answer is correct.

Azure NSG is stateful, hence Apparently port 80 outbound denial, is "ignored" as port 80 is allowed inbound. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

https://www.infoblox.com/dns-security-resource-center/dns-security-faq/is-dns-tcp-or-udp-port-53/ so DNS can use both UDP and TCP 53. that means only TCP 53 is enough answers are ok

in Box 2, if I delete Rule2, DNS server uses port 53 and protocol UDP, how can users connect to the DNS server if there is denyallinbound rule set?

This question appeared me in AZ-104 exam

I think that the question is not well asked. If we talk about connect to the server, whatever could be (DNS, Web . . .), you will do it amoung other options, through RDP port (3389), but if you are talking about available services, then you can talk about TCP/UDP 53 and HTTP 80 port. So it seems that this question is talking about services. As per Priorities, Rule2 has higher priority over DNS, but not for HTTP, so first answer is correct. If we remove Rule2, HTTP remain available, due to Rule1 include HTTP and also DNS, so second answer is correct. Which confuse me is Outbound Rule3. Even that anyone ask through HTTP port (I mean inbound port rules), nobody will answer through this port due to Rule3 on Outbound Port Rules. So keeping this in mind, correct answers should be: "cannot connect to the web server and DNS server on VM1" "can connect to only the DNS server on VM1" Anyone agree?

Given answer is correct

Rule 2 with lower priority which takes precedence was stopping 50-60 which includes 53, so DNS was not available. But at the same time Rule 1which allowed Port 80 helped communicate to Webserver. So first answer(can connect to only web server on VM1) is right Now when we delete Rule 2, Rule 1 which is still there allows both Port 53(DNS can communicare on both UDP/TCP, so here the Rule 1 is allowing TCP) and Port 80(HTTP/WebServer on TCP). So first answer(can connect to only web server and DNS Server on VM1) is right

The proposed answers are kind of misleading, as there is also MSRDP 3389/TCP reachable from the internet

rule 3 don't not change anything because it's for traffic initiating from inside.

Correct me if I'm wrong. The first box should be neither DNS nor HTTP. The first inbound rule stops DNS, that leaves us to check for HTTP. Inbound rule allows HTTP/S request in, now I now these rules are stateful, but there's an explicit deny in the outbound rule stopping port 80 going out - so the HTTP request will be denied, I think? The answer to the second box is fine. What do you think?

I Think "cannot connect to the web server and the DNS server on VM1" is the correct anwer. Because the blocking rule 3. Web = 80 by default but also 443. You can connect to port 80 but rule3 will block the port 80 traffic back to the internet user. When the webserver use 443 the anwer is correct. I think it's a crappy question with to few information.

The answer is DNS is mostly UDP Port 53, but as time progresses, DNS will rely on TCP Port 53 more heavily. DNS has always been designed to use both UDP and TCP port 53 from the start1 , with UDP being the default, and fall back to using TCP when it is unable to communicate on UDP, typically when the packet size is too large to push through in a single UDP packet. So its depends how DNS configured .. DNS should work