DNS 4 Flashcards
What command can be used to view all the scopes within a zone (example.com)
Get-DnsServerZoneScope -ZoneName "example.com"
What two commands can be used to query a DNS server for name resolution even if the information is locally cached on the client?
nslookup and Resolve-DnsName.
What command can be used to add DNS server policies?
Add-DnsServerQueryResolutionPolicy
The processing order of the policy determines when it will be checked, compared to the other existing policies. True or False?
True.
Which policy action would cause a client to time-out waiting for a DNS response?
Ignore.
What tab in the DNS Server properties contains the option for configuring automatic testing of the DNS Server?
Monitoring.
What tab in the DNS Server properties contains the option for configuring recursion?
Advanced.
What tab in the DNS Server properties contains the option for configuring which events are to be logged?
Event Logging.
What is the most probable reason why we would NOT want to leave debugging on all the time?
Overhead on the server.
When analyzing the DNS server, what two resources are prioritized first for any bottlenecks/issues?
Memory and CPU usage.
What sequence is used to highlight a counter in Performance Monitor?
Ctrl+h.
Server Manager can be used to both set and see alarm thresholds for DNS server’s memory and CPU. True or False?
True.
What is DNS Scavenging?
When properly configured, DNS Scavenging automatically removes records that haven't been updated in a while.
Which tab of the zone properties is used to set the aging/scavenging properties for a zone?
General.
What is the default No-refresh interval?
7 days.
Only at the end of the “Refresh interval”, does a record become eligible for scavenging. True or False?
True.
How do you enable scavenging to take place automatically?
1. Right-click on the zone/server > Properties > Advanced tab.
2. Check the box that says "Enable automatic scavenging of stale records".
Computers, by default, are looking to see if a certificate is signed by a “specific” Certification Authority from their list of trusted CAs. True or False?
False. Computers are looking to see if the certificate is signed by ANY CAs on their trusted list.
What is DANE?
The DNS-based Authentication of Named Entities provides an extra step of association by using a TLSA record to provide information to DNS clients that state what CA they should expect a certificate from for your domain name. This prevents man-in-the-middle attacks where someone might corrupt the DNS cache to point to their own website, and provide a certificate they issued from a different CA.
What are the three fields found in a TLSA record?
The certificate usage field, selector field, and matching type field.
What are the different values that can be found in the certificate usage field of a TLSA record?
0 = PKIX-TA (Certificate Authority Constraint; only accept defined certificate authorities)
1 = PKIX-EE (Service Certificate Constraint; only accept defined certificates)
2 = DANE-TA (Trust Anchor Assertion; only use validated trust anchors)
3 = DANE-EE (Domain Issued Certificate; disables trust hierarchy inspection so that the client only has to trust the certificate referenced in the TLSA record)
What are the different values that can be found in the selector field of a TLSA record?
0 = Certificate
1 = SPKI (Public Key)
What are the different values that can be found in the matching type field of a TLSA record?
0 = Full (exact match)
1 = SHA2-256
2 = SHA2-512
In what field is the hash of a TLSA record located?
The Certificate Association Data field.
A TLSA record can be created in both DNS Manager and in PowerShell. True or False?
False. TLSA records can be created in PowerShell but not DNS Manager.
When a TLSA record has been created, an associated DNSSEC record will also be created. True or False?
True.
What is the record type associated with a TLSA record?
Type 52.
What command is used to view the statistics of the DNS server?
Get-DnsServerStatistics
What groups, by default, have permissions to manage DNS?
- Domain Admins
- Enterprise Admins
- DNS Admins
DNS permissions may be granted at either the server or zone level. True or False?
True.
The option of “-ReplicationScope Domain” when creating a primary zone implies DNS integration with AD. True or False?
True.
When using PowerShell to create an A record, what option creates an additional record in the corresponding reverse lookup zone?
-CreatePtr
Regarding the Preference value of an MX record, the lower the number is, the higher the priority is. True or False?
True.
Scavenging can be set and activated for a zone via PowerShell commands. True or False?
True.