Free CompTIA SecurityX / CASP+ CAS-005 Actual Exam Questions - Question 10 Discussion

Question No. 10
[Security Architecture]
A senior security engineer flags the following log file snippet as having likely facilitated an attacker’s
lateral movement in a recent breach:
qry_source: 19.27.214.22 TCP/53
qry_dest: 199.105.22.13 TCP/53
qry_type: AXFR
| in comptia.org
------------ directoryserver1 A 10.80.8.10
------------ directoryserver2 A 10.80.8.11
------------ directoryserver3 A 10.80.8.12
------------ internal-dns A 10.80.9.1
------------ www-int A 10.80.9.3
------------ fshare A 10.80.9.4
------------ sip A 10.80.9.5
------------ msn-crit-apcs A 10.81.22.33
Which of the following solutions, if implemented, would mitigate the risk of this issue reoccurring?
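The log above shows a full zone transfer (AXFR) served over TCP/53 to a public source address, handing the requester every internal hostname and RFC 1918 address in the zone. The following added example, which is not part of the exam question or of any vendor tool, shows how a defender could parse exactly this log layout and turn it into findings: the requester is not an authorised secondary, it is a public address, internal host records were disclosed, and the transport was TCP, so a UDP/53-only block would not have helped. The log field layout, the record regex, and the list of authorised transfer peers (here, only the internal-dns address) are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample, mirroring the snippet in the question (field layout assumed).
SAMPLE_LOG = """\
qry_source: 19.27.214.22 TCP/53
qry_dest: 199.105.22.13 TCP/53
qry_type: AXFR
| in comptia.org
------------ directoryserver1 A 10.80.8.10
------------ directoryserver2 A 10.80.8.11
------------ directoryserver3 A 10.80.8.12
------------ internal-dns A 10.80.9.1
------------ www-int A 10.80.9.3
------------ fshare A 10.80.9.4
------------ sip A 10.80.9.5
------------ msn-crit-apcs A 10.81.22.33
"""

# Assumed allow-list: the only peer entitled to pull the zone is the internal
# secondary at 10.80.9.1. Any other AXFR/IXFR requester is an exposure.
ALLOWED_TRANSFER_PEERS = [ipaddress.ip_network("10.80.9.1/32")]

# Record lines in this log start with a run of dashes: "---- name TYPE rdata".
RECORD_RE = re.compile(r"^-+\s*(\S+)\s+(A|AAAA|CNAME|MX|NS|TXT)\s+(\S+)$")


def parse_zone_transfer_log(text):
    """Parse one query block into a dict of source, dest, transport, qtype, zone, records."""
    event = {"source": None, "dest": None, "transport": None,
             "qtype": None, "zone": None, "records": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("qry_source:"):
            _, addr, proto = line.split()
            event["source"] = addr
            event["transport"] = proto          # e.g. "TCP/53"
        elif line.startswith("qry_dest:"):
            event["dest"] = line.split()[1]
        elif line.startswith("qry_type:"):
            event["qtype"] = line.split()[1].upper()
        elif line.startswith("|"):
            # "| in comptia.org" -> class IN, zone name is the last token
            event["zone"] = line[1:].split()[-1]
        else:
            m = RECORD_RE.match(line)
            if m:
                event["records"].append(m.groups())   # (name, type, rdata)
    return event


def assess(event):
    """Return a list of human-readable findings; empty if the query was not a transfer."""
    findings = []
    if event["qtype"] not in ("AXFR", "IXFR"):
        return findings
    src = ipaddress.ip_address(event["source"])
    if not any(src in net for net in ALLOWED_TRANSFER_PEERS):
        findings.append(f"zone transfer ({event['qtype']}) of {event['zone']} "
                        f"served to unauthorised peer {src}")
    if src.is_global:
        findings.append(f"requester {src} is a public address; the transfer crossed the perimeter")
    internal = [name for name, rtype, rdata in event["records"]
                if rtype == "A" and ipaddress.ip_address(rdata).is_private]
    if internal:
        findings.append(f"{len(internal)} internal (RFC 1918) host records disclosed: "
                        + ", ".join(internal))
    if event["transport"].upper().startswith("TCP"):
        findings.append("transport was TCP/53; a UDP/53-only block would not have prevented this")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_zone_transfer_log(SAMPLE_LOG)):
        print("FINDING:", finding)
```

The allow-list check is the detection analogue of the server-side fix: a zone transfer is only legitimate when the requester is a configured secondary, so any AXFR served to an address outside that list should page someone regardless of whether the source is public or private.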
BF
Brian F.
2026-02-18

Actually, just blocking UDP/53 (B) wouldn’t help much since zone transfers use TCP/53 as shown here. So B can be ruled out because it wouldn’t stop this kind of attack.

0
BF
Brian F.
2026-02-16

A imo, because disabling zone transfers outright stops the attacker from pulling the entire DNS info regardless of where they query from, making it a stronger fix than just restricting clients.

0
BF
Brian F.
2026-01-27

It’s D because limiting who can query the DNS stops outsiders from even starting zone transfers, adding a strong layer of defense beyond just disabling transfers.

0
AN
Andre N.
2026-01-24

Makes sense to me that disabling zone transfers (A) stops attackers from grabbing the full DNS info, which is what’s happening here. Restricting clients (D) helps but won’t fully stop zone transfers if they’re enabled. A

0
AU
Amir U.
2026-01-15

Maybe A makes sense since zone transfers shouldn’t be allowed from outside IPs. Also, B is wrong because AXFR uses TCP, so blocking UDP won’t help much.

0
AX
Ali X.
2026-01-15

It’s A, zone transfers shouldn’t be open to outside attackers.

0