During a security audit you confirm that external users can run an unrestricted "dig axfr" against the company's Internet-facing DNS server and obtain a full list of host records. To implement an effective footprinting countermeasure while keeping normal name resolution intact, which change should you make on the authoritative server?
Disable recursive queries on the authoritative name server.
Replace A records with CNAME aliases and move DNS service to TCP port 8053.
Enable DNSSEC signing for the public zone to authenticate responses.
Permit zone transfers solely to trusted secondary DNS servers using an IP ACL or TSIG authentication.
An attacker who can perform a full AXFR (zone transfer) against an organization's authoritative DNS server gains an enumerated map of hosts, service names, and sometimes internal addressing. The standard countermeasure is to disable open zone transfers and explicitly allow them only for designated secondary name servers, ideally enforcing the restriction with both an IP-based ACL and/or a TSIG-signed key. This preserves legitimate replication while preventing arbitrary Internet clients from harvesting the zone.
Disabling recursion limits resolver lookups but does not stop AXFR requests. DNSSEC adds integrity and origin authentication but still serves the entire zone. Moving records to CNAMEs or another port does nothing to prevent a standard zone transfer against the authoritative server.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a zone transfer in DNS?
Open an interactive chat with Bash
What is TSIG authentication in DNS?
Open an interactive chat with Bash
How does an IP ACL secure DNS zone transfers?
Open an interactive chat with Bash
What is a DNS zone transfer?
Open an interactive chat with Bash
What are TSIG keys in DNS configurations?
Open an interactive chat with Bash
What is an IP ACL, and how does it secure DNS zone transfers?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Reconnaissance Techniques
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .