Your network currently has a dedicated firewall protecting access to a web server. It is currently configured with the following two rules in the ACL along with an implicit allow rule at the end:

PERMIT TCP ANY ANY 443
PERMIT TCP ANY ANY 80
You have detected DNS requests and zone transfer requests coming through the firewall and you need to block them. Which of the following would meet this goal?
A) Add the following rule to the firewall: DENY TCP ALL ALL 53.
B) Add the following rule to the firewall: DENY UDP ALL ALL 53.
C) Add the following rule to the firewall: DENY TCP ALL ALL 25.
D) Add the following rule to the firewall: DENY IP ALL ALL 53.
E) Change the implicit allow rule to implicit deny.

1 Answer

Final answer:

To block DNS requests and zone transfers through the firewall, add a DENY IP ALL ALL 53 rule to its ACL, which will deny all traffic on port 53 for both TCP and UDP protocols.

Step-by-step explanation:

To block both DNS requests and zone transfer requests, which typically occur over both TCP and UDP port 53, the firewall ACL should be configured to deny all traffic over this port regardless of the protocol. The correct answer is to add the following rule to the firewall: DENY IP ALL ALL 53. This rule will deny all IP traffic on port 53, which includes both TCP and UDP traffic used for DNS.

DNS queries, including those for zone transfers, often use TCP when the response data size is too large for a UDP packet or for connection-oriented requirements of zone transfers (AXFR). Thus, a rule denying all IP traffic ensures that both protocols are covered. Remember, to apply firewall rules properly, this deny rule should be placed before the implicit allow rule in the list of rules used by the firewall.

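The first-match ACL evaluation the answer relies on, modelled as an added Python example that is not part of the original question or answer; it also evaluates options A and E alongside D so the difference between a TCP-only deny, an IP deny and a changed implicit action is visible. The Rule layout, the evaluate helper, the implicit-action parameter and the sample addresses are my own constructed assumptions, not any vendor's ACL syntax.

```python
# Added example: a minimal first-match ACL evaluator for the firewall in the
# question. The Rule representation and sample traffic are constructed here.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "PERMIT" or "DENY"
    proto: str           # "TCP", "UDP" or "IP" (IP matches any IP protocol)
    src: str             # "ANY"/"ALL" or a specific address
    dst: str
    port: Optional[int]  # destination port; None means any port

    def matches(self, proto: str, src: str, dst: str, port: int) -> bool:
        proto_ok = self.proto == "IP" or self.proto == proto
        src_ok = self.src in ("ANY", "ALL") or self.src == src
        dst_ok = self.dst in ("ANY", "ALL") or self.dst == dst
        port_ok = self.port is None or self.port == port
        return proto_ok and src_ok and dst_ok and port_ok


def evaluate(acl: List[Rule], implicit: str, proto: str, src: str, dst: str, port: int) -> str:
    """Return the action of the first matching rule; fall through to the implicit action."""
    for rule in acl:
        if rule.matches(proto, src, dst, port):
            return rule.action
    return implicit


# Constructed sample flows: web traffic, a UDP DNS query and a TCP zone transfer (AXFR).
TRAFFIC = {
    "https":   ("TCP", "203.0.113.5", "192.0.2.10", 443),
    "http":    ("TCP", "203.0.113.5", "192.0.2.10", 80),
    "dns_udp": ("UDP", "203.0.113.5", "192.0.2.10", 53),
    "axfr":    ("TCP", "203.0.113.5", "192.0.2.10", 53),
}

# The two rules from the question; the implicit rule is modelled as the fallthrough action.
BASE = [Rule("PERMIT", "TCP", "ANY", "ANY", 443),
        Rule("PERMIT", "TCP", "ANY", "ANY", 80)]


def outcomes(acl: List[Rule], implicit: str = "PERMIT") -> dict:
    """Map each sample flow name to the action the ACL gives it."""
    return {name: evaluate(acl, implicit, *flow) for name, flow in TRAFFIC.items()}


if __name__ == "__main__":
    print("as-is:           ", outcomes(BASE))
    print("A) DENY TCP 53:  ", outcomes(BASE + [Rule("DENY", "TCP", "ALL", "ALL", 53)]))
    print("D) DENY IP 53:   ", outcomes(BASE + [Rule("DENY", "IP", "ALL", "ALL", 53)]))
    print("E) implicit deny:", outcomes(BASE, implicit="DENY"))
```

Option A leaves the UDP query through, while D blocks both port-53 flows and E blocks everything the two permit rules do not name.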