Exam 70-741 topic 2 question 22 discussion

Actual exam question from Microsoft's 70-741

Question #: 22
Topic #: 2

You have a DNS server named Server1 that runs Windows Server 2016. Server1 has two Active Directory-integrated zones named contoso.com and adatum.com.
All client computers run Windows 10.
Server1 recently experienced millions of erroneous DNS queries causing a denial of service.
You need to reduce the likelihood that a similar attack will cause a denial of service. The solution must ensure that Server1 continues to resolve names for clients.
What should you do?

A. Implement DNS-based Authentication of Named Entities (DANE)
B. Enable Response Rate Limiting (RRL) on Server1
C. Configure DNS policies on Server1
D. Sign both adatum.com and contoso.com zones

Show Suggested Answer

Suggested Answer: B 🗳️
References:
https://blogs.technet.microsoft.com/teamdhcp/2015/08/28/response-rate-limiting-in-windows-dns-server/

by weng at Oct. 6, 2019, 10:04 p.m.

Comments

Submit Cancel

panda

Highly Voted 4 years, 7 months ago

The given answer (question 22 page 37) is B (RRL). The given answer (question 106 page 22) is A (sign). DANE prevents clients from requesting to fake DNS servers.(*1) RRL prevents DNS servers from DDoS attacks.(*1) Signing prevents clients to receie responses from fake DNS server1.(*2) (*1) https://docs.microsoft.com/en-us/windows-server/networking/dns/what-s-new-in-dns-server (*2) https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn593670(v%3Dws.11)

upvoted 8 times

...

panda

Most Recent 4 years, 5 months ago

A.DANE can be excluded. Please refer to my comment on page22/question 106. C,D can be excluded. If you experienced DNS spoofing attacks, you could use this method to pretend from the attacks.

upvoted 1 times

...

ITGEEK

5 years, 5 months ago

RRL is the right answer.

upvoted 2 times

...

weng

5 years, 8 months ago

Answer is CORRECT

upvoted 3 times

...