DNS 4

Question 1

What command can be used to view all the scopes within a zone (example.com)

Answer 1

Get-DnsServerZoneScope -ZoneName “example.com”

Question 2

What two commands can be used to query a DNS server for name resolution even if the information is locally cached on the client?

Answer 2

nslookup and Resolve-DnsName.

Question 3

What command can be used to add DNS server policies?

Answer 3

Add-DnsServerQueryResolutinPolicy

Question 4

The processing order of the policy determines when it will be checked, compared to the other existing policies. True or False?

Answer 4

True.

Question 5

Which policy action would cause a client to time-out waiting for a DNS response?

Answer 5

Ignore.

Question 6

What tab in the DNS Server properties contains the option for configuring automatic testing of the DNS Server?

Answer 6

Monitoring.

Question 7

What tab in the DNS Server properties contains the option for configuring recursion?

Answer 7

Advanced.

Question 8

What tab in the DNS Server properties contains the option for configuring which events are to be logged?

Answer 8

Event Logging.

Question 9

What is the most probable reason why we would NOT want to leave debugging on all the time?

Answer 9

Overhead on the server.

Question 10

When analyzing the DNS server, what two resources are priotritized first for any bottlenecks/issues?

Answer 10

Memory and CPU usage.

Question 11

What sequence is used to highlight a counter in Performance Monitor?

Answer 11

Ctrl+h.

Question 12

Server Manager can be used to both set and see alarm thresholds for DNS server’s memory and CPU. True or False?

Answer 12

True.

Question 13

What is DNS Scavenging?

Answer 13

When properly configured, DNS Scavenging automically removes records that haven’t been updated in a while.

Question 14

Which tab of the zone properties is used to set the aging/scavenging properties for a zone?

Answer 14

General.

Question 15

What is the default No-refresh interval?

Answer 15

7 days.

Question 16

Only at the end of the “Refresh interval”, does a record become eligible for scavenging. True or False?

Answer 16

True.

Question 17

How do you enable scavenging to take place automatically?

Answer 17

1. R-click on the zone/server > Properties > Advanced tab

2. Check the box that says, “Enable automatic scavenging of stale records”.

Question 18

Computers, by default, are looking to see if a certificate is signed by a “specific” Certification Authority from their list of trusted CAs. True or False?

Answer 18

False. Computers are looking to see if the certificate is signed by ANY CAs on their trusted list.

Question 19

What is DANE?

Answer 19

The DNS-based Authentication of Named Entities provides an extra step of association by using a TLSA record to provide information to DNS clients that state what CA they should expect a certificate from for your domain name. This prevents man-in-the-middle attacks where someone might corrupt the DNS cache to point to their own website, and provide a certificate they issued from a different CA.

Question 20

What are the three fields found in a TLSA record?

Answer 20

The certificate usage field, selector field, and matching type field.

Question 21

What are the different values that can be found in the certificate usage field of a TLSA record?

Answer 21

0 = PKIX-TA (Certificate Authority Constraint; Only accept defined certificate authorities)

1 = PKIX-EE (Service Certificate Contraint; Only accept defined certificates)

2 = DANE-TA (Trust Anchor Assertion; Only use validated trust anchors)

3 = DANE-EE (Domain Issued Certificate;Disables trust hierarchy inspection so that the client only has to trust the referenced certificate in the TLSA record)

Question 22

What are the different values that can be found in the selector field of a TLSA record?

Answer 22

0 = Certificate
1 = SPKI (Public Key)

Question 23

What are the different values that can be found in the matching type field of a TLSA record?

Answer 23

0 = Full (exact match)
1 = SHA2 256
2 = SHA2 512

Question 24

In what field is the hash of a TLSA record located in?

Answer 24

The Certificate Association Data field.

Question 25

A TLSA record can be created in both DNS Manager and in PowerShell. True or False?

Answer 25

False. TLSA records can be created in PowerShell but not DNS Manager.

Question 26

When a TLSA record has been created, an associated DNSSEC record will also be created. True or False?

Answer 26

True.

Question 27

What is the record type associated with a TLSA record?

Answer 27

Type 52.

Question 28

What command is used to view the statistics of the DNS server?

Answer 28

Get-DnsServerStatistics

Question 29

What groups, by default, have permissions to manage DNS?

Answer 29

1. Domain Admins
2. Enterprise Admins
3. DNS Admins

Question 30

DNS permissions may be granted at either the server or zone level. True or False?

Answer 30

True.

Question 31

The option of “-ReplicationScope Domain” when creating a primary zone implies DNS integration with AD. True or False?

Answer 31

True.

Question 32

When using PowerShell to create an A record, what option creates an additional record in the corresponding reverse lookup zone?

Answer 32

-CreatePtr

Question 33

Regarding the Preference value of an MX record, the lower the number is, the higher the priority is. True or False?

Answer 33

True.

Question 34

Scavenging can be set and activated for a zone via PowerShell commands. True or False?

Answer 34

True