DNS Flashcards

1
Q

Which table forces the DNS client service to use DNSSEC validation of DNS responses for the namespaces that you specify?

A

Name Resolution Policy Table (NRPT)

2
Q

How must you configure a domain member server that has the DNS server role loaded so that it supports Active Directory zones?

A

Make the server a domain controller.

3
Q

How can you make a static DNS record eligible for scavenging?

A

Check the "Delete this record when it becomes stale" checkbox on the properties of the record.

4
Q

Which cmdlet would enable support for the GlobalNames zone on a DNS server?

A

Set-DnsServerGlobalNameZone -Enable $true

5
Q

What type of DNS zone is a complete copy of all the records in the parent zone?

A

A secondary zone.

6
Q

According to Microsoft, what is the best available solution that helps protect against security threats to DNS such as man-in-the-middle, spoofing, and cache-poisoning attacks?

A

DNS Security Extensions (DNSSEC)

7
Q

What is DNS cache locking?

A

Cache locking, when enabled, prevents cached records from being overwritten for the duration of their time to live (TTL).

Cache locking was introduced to prevent cache poisoning.

8
Q

What is the DNS socket pool?

A

The socket pool allows the DNS server to use source port randomization when issuing DNS queries.

It is enabled by default.

9
Q

What does the "Secure cache against pollution" setting do?

A

Helps prevent the NS record from being overwritten.

Enabled by default.

10
Q

What is a conditional forwarder?

A

A DNS conditional forwarder forwards only queries that meet specific criteria.

11
Q

What command should be used to enable DNS server analytical events?

A

tracelog.exe

12
Q

What cmdlet should you run to change the name of a zone file?

A

Set-DnsServerPrimaryZone -Name <fqdn> -ZoneFile <new>

13
Q

What cmdlets should be run to optimize protections against DDoS attacks but still respond to queries?

A
  1. Set-DnsServerRRL
  2. Add-DnsServerResponseRateLimitExceptionList
14
Q

At a branch office, you do not want the local DNS server to perform queries for local clients aside from those for which it is authoritative. How could you address this objective?

A

You could configure the branch DNS server to use forwarding. Specify a DNS server elsewhere in the organization to which it forwards all queries it cannot satisfy locally.

15
Q

You want your DNS servers to allow recursion only for queries received on the internal network and not for queries from Internet-based clients. How could you address this requirement?

A

You could implement DNS policies. Specifically, you could create a recursion scope so that recursion is enabled when requested on a specific DNS server interface, or from a specific internal subnet. The following three Windows PowerShell commands would enable you to achieve your objective:

  1. Set-DnsServerRecursionScope -Name . -EnableRecursion $False
  2. Add-DnsServerRecursionScope -Name "InternalAdatumClients" -EnableRecursion $True
  3. Add-DnsServerQueryResolutionPolicy -Name "RecursionControlPolicy" -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalAdatumClients" -ServerInterfaceIP "EQ,10.24.60.254"
16
Q

Managers at A. Datum are concerned with security and your boss has asked that you implement DNSSEC to help to secure DNS. You know that DNSSEC relies on distributing the NRPT. How could you configure NRPT distribution easily?

A

The easiest way to distribute NRPT is to use a GPO. Edit the Default Domain GPO and navigate to Computer Configuration / Policies / Windows Settings / Name Resolution Policy. Create a rule containing the domain suffix you want to distribute for, and then enable both "Enable DNSSEC in This Rule" and "Require DNS Clients to Check that the Name and Address Data Has Been Validated By the DNS Server".

17
Q

You have installed the DNS server role on a computer running Windows Server 2016. You now want to create zones on the server. You want to store the zone data in AD DS, but the option to store the zone in Active Directory is unavailable. Why might this be?

A

The option to store the zone in Active Directory is only available on DNS servers that also have the AD DS server role installed and configured.

18
Q

You want to be able to deploy an AD DS–integrated primary zone by using Windows PowerShell. What command should you use?

A

To deploy an AD DS–integrated primary zone on a DNS server, use the Add-DnsServerPrimaryZone cmdlet with the ReplicationScope parameter. For example: Add-DnsServerPrimaryZone -Name "Contoso.com" -ReplicationScope "Domain"

19
Q

A. Datum has just purchased the Contoso Pharmaceuticals company. Your users are frequently accessing server resources in Contoso’s network infrastructure. You need to configure DNS to support this change in circumstances. What two options do you have to more efficiently manage name resolution in this situation?

A

Consider implementing conditional forwarding or a stub zone. Both enable clients to more easily access the name servers for a foreign domain.

20
Q

Your network consists of many subnets distributed across the globe. You want to make a web server easily accessible from any location by using the same name. However, you want your users to be directed by DNS to a local web server. What feature of Windows Server 2016 would enable this?

A

Use DNS policies and DNS zone scopes to configure this behavior. You can create DNS client subnets and assign these subnets into DNS scopes. Next, you create DNS resource records in the zone scopes. Finally, you would use a DNS policy to determine which records are returned to a DNS client, based on the originating subnet.