ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your company is lifting-and-shifting a three-tier application into a public IaaS provider. All virtual machines will stay in one virtual network, and the provider's built-in recursive DNS service will handle name resolution. After recent cache-poisoning attempts, the security team wants a control that lets each DNS resolver verify data has not been spoofed or altered while in transit inside the provider. Which network feature must be available and enabled?
Establish a dedicated IPsec VPN tunnel from every VM to the DNS servers
Use virtual network peering with route filtering between application tiers
Enable DNS Security Extensions (DNSSEC) validation and require domain zones to be signed
Configure DHCP option 82 to include relay-agent information for all subnets
Domain Name System Security Extensions (DNSSEC) add digital signatures to authoritative DNS records. A resolver that supports DNSSEC can validate these signatures with the zone's public keys; forged or tampered responses fail validation, stopping cache-poisoning and spoofing attacks.
DHCP option 82 only adds relay-agent information and offers no integrity protection for DNS data.
Virtual network peering with route filtering restricts routing advertisements but does not secure DNS responses.
Host-based IPsec encrypts traffic but cannot prove the resolver itself is trustworthy, so it does not prevent an internal resolver from injecting forged answers. Enabling DNSSEC on the cloud DNS service is therefore the correct choice.
Cloud Security Operations