An analyst sees repeated attempts to poison name resolution entries for critical internal hosts. The environment has DNSSEC enabled, but these attempts continue. Which measure best verifies zone data to ensure tamper resistance?
Isolate external queries in a separate VLAN
Route inbound queries to a sinkhole
Use IP-level encryption for name resolution traffic
Signature-based validation uses cryptographic checks to confirm that zone records are intact. This ensures that malicious modifications can be identified if they occur. Routing queries to a sinkhole helps counter suspicious traffic but does not confirm data authenticity. Encrypting responses protects data in transit yet does not validate the integrity of zone information. Segmenting traffic on a separate VLAN can limit potential breaches, but it does not prove the records are reliable.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is DNSSEC and how does it work?
Open an interactive chat with Bash
How does signature-based validation ensure tamper resistance?