During an external penetration test, you issue the command "dig axfr example.com @ns1.example.com" and the full zone file is returned, exposing internal hostnames and network ranges. The client wants a fast footprinting countermeasure that will block this information disclosure while leaving normal public name resolution unaffected. Which single change should you recommend?
Disable recursive resolution on all internal workstation DNS resolvers
Enable DNSSEC signing for the public zone
Publish an SPF TXT record listing authorized outbound mail servers
Restrict AXFR so that zone transfers are permitted only to the organization's designated secondary DNS server IP addresses
Zone transfers (AXFR) are intended only for synchronizing data between authoritative DNS servers. Allowing them to any host lets an attacker download the entire zone and map internal systems. Limiting AXFR requests to the IP addresses of the organization's approved secondary name servers (or enforcing TSIG authentication) stops unauthorized transfers yet leaves standard queries to the authoritative server untouched. Disabling recursion protects against cache-poisoning but does not stop AXFR. DNSSEC signs data but still allows transfers. Adding an SPF TXT record only affects mail-sending policy and does nothing to restrict zone transfers.
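The restriction described above, written as an added configuration example that is not part of the original question. It assumes the authoritative server runs BIND 9; the secondary address 192.0.2.53, the zone file name and the key name "xfer-key" are placeholders.

```conf
// Added example, assuming BIND 9 named.conf syntax.
// 192.0.2.53, "example.com.zone" and "xfer-key" are placeholders.

// BEFORE (weak): any host may request the whole zone.
// zone "example.com" {
//     type primary;
//     file "example.com.zone";
//     allow-transfer { any; };
// };

// AFTER (corrected): only the designated secondary may transfer.
acl "secondaries" {
    192.0.2.53;                 // placeholder: approved secondary name server
};

options {
    allow-transfer { none; };   // deny transfers for any zone without its own rule
};

zone "example.com" {
    type primary;               // "master" on older BIND releases
    file "example.com.zone";
    allow-transfer { secondaries; };

    // TSIG alternative: authorise by shared key instead of source address.
    // allow-transfer { key "xfer-key"; };
};

// Only needed for the TSIG alternative; the same key must be
// configured on the secondary.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, e.g. from tsig-keygen
};
```

After the configuration is reloaded, the `dig axfr example.com @ns1.example.com` command from the question should report a failed transfer when run from any host outside the ACL, while an ordinary query such as `dig example.com @ns1.example.com` still resolves.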
Certified Ethical Hacker (CEH)
Reconnaissance Techniques