Member October 3, 2020 at 10:59 pm
A Network Engineer has been tasked to protect the company’s publicly accessible online customer portal and to secure the clients’ sensitive financial information. Hackers must be prevented from intercepting DNS queries and from replacing the actual IP addresses of the website with unauthorized IP addresses in the DNS resolvers. The solution should protect the users from being routed to the IP addresses provided by the attackers in the spoofed response that could potentially direct them to fake or phishing websites.
What should the Engineer do to satisfy this requirement?
That’s why the correct answer here is wrong?
Administrator October 4, 2020 at 7:36 am
Hi,
Thank you for posting your question. Route 53 provides two functions:
1. Domain registration
2. DNS Service
DNSSEC is only supported for domain registration and not when you are using Route 53 as your DNS service. If you want to use DNSSEC with Route 53, you have to use another DNS Service provider or set up your own DNS BIND Server.
This is discussed in the provided explanation:
Amazon Route 53 supports DNSSEC for domain registration. However, Route 53 does not support DNSSEC for DNS service, regardless of whether the domain is registered with Route 53. If you want to configure DNSSEC for a domain that is registered with Route 53, you must either use another DNS service provider or set up your own DNS server.
This is supported by the AWS documentation:
I understand that the answer didn’t mention anything about launching your own DNS server. I’ll revise this to: “Set up your own DNS server and enable Domain Name System Security Extensions (DNSSEC) in Amazon Route 53.” to avoid any issues.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Jon Bonso @ Tutorials Dojo
Administrator October 7, 2020 at 1:21 pm
As an additional reference, here’s what the DNSSEC feature looks like in Route 53: