Your IDS application pages you at 3:00 a.m. and informs you that an attack has occurred against your DNS server. You drive to the server site to investigate. You find no evidence of an attack, although the IDS application claims that a remote DNS server waged an attack on port 53 of your intranet DNS server. You check the logs and discover that a zone transfer has occurred. You check your zones and name resolution and discover that all entries exist and no unusual entries have been added to the database. What has most likely occurred?
A.
A DNS poisoning attack against your internal DNS server.
B.
A denial-of-service attack against your internal DNS server.
C.
A false positive generated by the IDS.
D.
A malfunction of the internal name server.
Explanation:
1D0-470
IDS stands for Intrusion Detection System. All entries exist and nothing has been added, but has anything changed? A poisoning attack is one in which existing DNS records are modified to point to a different IP address than the legitimate one. Since the check only confirmed that the records are present, a modified record would go unnoticed, which makes poisoning the most likely explanation.
Incorrect Answers:
B: Most DoS attacks aim to disable the server and prevent access. A single zone transfer will not do this. If the DNS server showed hundreds or thousands of zone transfer requests in a short period, a DoS attack would be plausible, and the IDS would flag other activity if one were being attempted. Here the server is still answering queries.
C: A false positive is always a possibility, but a suspicious zone transfer requires more examination before it can be dismissed. We only checked that the records are present; we did not check whether their contents had changed. Because a zone is usually transferred in a single shot, individual records carry no timestamp showing when they were changed, so the only way to confirm is to compare the current zone data (including the SOA serial) against a known-good copy.
D: If the internal name server had malfunctioned, the log would show other indications, such as a restart, or the service might fail to come up at all. A malfunction should not trip the IDS.
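As an added illustration of the check that was skipped in the scenario above (example code, not part of the original question or the exam vendor's material): the script below compares a snapshot of the zone against a known-good baseline. The zone data is constructed sample input. Every name still exists and nothing was added, exactly as in the question, yet two A records now point elsewhere, which is what an existence-only check misses and what the SOA serial bump hints at.

```python
"""Diff a DNS zone snapshot against a known-good baseline.

Added example for the exam scenario above, not part of the original page.
An existence check alone misses records whose data changed; this script
reports added, removed and modified records and the SOA serial change.
"""

# Constructed baseline: the zone as it was before the suspicious transfer.
BASELINE_ZONE = """
example.internal.       IN SOA   ns1.example.internal. hostmaster.example.internal. 2024010101 3600 900 604800 86400
ns1.example.internal.   IN A     10.0.0.2
www.example.internal.   IN A     10.0.0.10
mail.example.internal.  IN A     10.0.0.20
example.internal.       IN MX    10 mail.example.internal.
"""

# Constructed current zone: all names still exist, nothing was added,
# but two records now point somewhere else (the poisoning signature).
CURRENT_ZONE = """
example.internal.       IN SOA   ns1.example.internal. hostmaster.example.internal. 2024010102 3600 900 604800 86400
ns1.example.internal.   IN A     10.0.0.2
www.example.internal.   IN A     203.0.113.7
mail.example.internal.  IN A     203.0.113.8
example.internal.       IN MX    10 mail.example.internal.
"""


def parse_zone(text):
    """Parse 'owner IN type rdata' lines into {(owner, type): rdata}.

    Simplified parser: one record per line, no $ORIGIN/$TTL directives and
    one record per (owner, type). Sufficient for a snapshot comparison.
    """
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, cls, rtype, rdata = line.split(None, 3)
        if cls.upper() != "IN":
            raise ValueError(f"unexpected class in line: {raw!r}")
        records[(owner.lower(), rtype.upper())] = rdata.strip()
    return records


def names_all_present(baseline, current):
    """The check from the question: does every expected name still exist?"""
    baseline_names = {owner for owner, _ in baseline}
    current_names = {owner for owner, _ in current}
    return baseline_names <= current_names


def diff_zone(baseline, current):
    """Return (added, removed, changed); changed maps key -> (old, new)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {
        key: (baseline[key], current[key])
        for key in set(baseline) & set(current)
        if baseline[key] != current[key]
    }
    return added, removed, changed


def soa_serial(records):
    """Return the serial from the SOA rdata (third field: MNAME RNAME SERIAL ...)."""
    for (_owner, rtype), rdata in records.items():
        if rtype == "SOA":
            return int(rdata.split()[2])
    raise ValueError("zone has no SOA record")


def analyze(baseline_text, current_text):
    """Run the existence check and the content diff side by side."""
    baseline = parse_zone(baseline_text)
    current = parse_zone(current_text)
    added, removed, changed = diff_zone(baseline, current)
    # The SOA legitimately changes whenever the serial is bumped; report it
    # through the serial fields instead of listing it as a modified record.
    data_changed = {k: v for k, v in changed.items() if k[1] != "SOA"}
    return {
        "all_names_present": names_all_present(baseline, current),
        "added": added,
        "removed": removed,
        "changed": data_changed,
        "serial_before": soa_serial(baseline),
        "serial_after": soa_serial(current),
    }


if __name__ == "__main__":
    result = analyze(BASELINE_ZONE, CURRENT_ZONE)
    print("All expected names present:", result["all_names_present"])
    print("Added:", result["added"], "Removed:", result["removed"])
    for (owner, rtype), (old, new) in sorted(result["changed"].items()):
        print(f"MODIFIED {owner} {rtype}: {old} -> {new}")
    print("SOA serial:", result["serial_before"], "->", result["serial_after"])
```

Run against the constructed data, the existence check passes while the diff flags www and mail as modified and shows the serial moving from 2024010101 to 2024010102. In practice the baseline would come from a backup or version-controlled copy of the zone file, and a serial that changed without a corresponding change ticket is itself worth investigating.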