Comptia Security Plus Mock Test Q48

A network administrator wants to block both DNS requests and zone transfers coming from outside IP addresses. The company uses a firewall which implements an implicit allow and is currently configured with the following ACL applied to its external interface.
PERMIT TCP ANY ANY 80
PERMIT TCP ANY ANY 443
Which of the following rules would accomplish this task? (Select TWO).

A. Change the firewall default settings so that it implements an implicit deny
B. Apply the current ACL to all interfaces of the firewall
C. Remove the current ACL
D. Add the following ACL at the top of the current ACL
DENY TCP ANY ANY 53
E. Add the following ACL at the bottom of the current ACL
DENY ICMP ANY ANY 53
F. Add the following ACL at the bottom of the current ACL
DENY IP ANY ANY 53

Correct Answer: A,F
Section: Network Security

Explanation:
Implicit deny is the default security stance that says if you aren’t specifically granted access or privileges for a resource, you’re denied access by default. Implicit deny is the default response when an explicit allow or deny isn’t present.
DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers. These are zone file exchanges between DNS servers, special manual queries, or used when a response exceeds 512 bytes. UDP port 53 is used for most typical DNS queries.

Incorrect Answers:
B: Applying the current ACL to all interfaces of the firewall, and adding a deny clause will also prevent internal users from performing the actions included in the deny clause.

C: Removing the current ACL will block web traffic coming in.

D: An implicit deny clause is implied at the end of each ACL.

E: ICMP is a network health and link-testing protocol, and is not related to the question.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 26, 44