A network security analyst notices that employees are being silently redirected to look-alike phishing sites even when they enter the correct URLs. Packet captures show forged DNS responses coming from what appear to be trusted recursive resolvers. Which of the following countermeasures would be the MOST effective way to prevent users from accepting these forged DNS answers?
Require HTTPS for every internal and external web application
Deploy DNSSEC on all authoritative and recursive DNS servers and require validation
Restrict configuration changes on internal name-resolution servers only
Route all outbound web traffic through a mandatory forward proxy
Deploying DNS Security Extensions (DNSSEC) on the organization's DNS infrastructure (signing authoritative zones and requiring validation on recursive resolvers) provides cryptographic origin authentication and integrity for DNS data. This prevents users from accepting forged or modified answers that are characteristic of DNS spoofing or cache-poisoning attacks. Tightening resolver settings or forcing web traffic through proxies offers no cryptographic guarantee of record authenticity, and mandating HTTPS secures the HTTP session only after the correct host is reached; it does not stop the initial redirection caused by a poisoned DNS response.