ANS-C01 Exam Questions

ANS-C01 Exam - Question 107


A company is establishing connectivity between its on-premises site and an existing VPC on AWS to meet a new security requirement. According to the new requirement, all public DNS queries must use an on-premises DNS security solution. The company's security team has allowed an exception for the AWS service endpoints because the company is using VPC endpoints to access AWS services.

Which combination of steps should a network engineer take to configure the architecture to meet these requirements? (Choose three.)

Correct Answer: BEF

The answer key lists three steps. First, create a new DHCP options set that hands out the IP address of the on-premises DNS security solution and attach it to the VPC, so that instances send their queries to the on-premises resolver. Second, create a Route 53 Resolver system rule for the domain name amazonaws.com, so that queries for AWS service endpoints are resolved locally by Resolver instead of being forwarded on-premises; this is the exception the security team allowed, and it keeps the private DNS names of the VPC endpoints resolvable. Third, create a Resolver forwarding rule for the domain name "." (dot) whose target IP address is the on-premises DNS security solution, so that every other query, which includes all public DNS queries, is forwarded to it. Per the AWS documentation linked in the discussion, the "." rule applies to all domain names except some AWS internal domain names and record names in private hosted zones, and a system rule for a more specific domain such as amazonaws.com overrides it for that domain.

Two mechanics are worth checking before reusing this design. A forwarding rule takes effect only for queries that reach the VPC's Route 53 Resolver (the VPC+2 address), and Resolver can send those queries to the on-premises network only through an outbound endpoint that the rule is attached to. A DHCP options set that points instances directly at the on-premises resolver bypasses Route 53 Resolver entirely, so neither the system rule nor the "." rule is ever evaluated, and instances lose resolution of private hosted zones and VPC endpoint private DNS names unless the on-premises resolver forwards those back through an inbound endpoint. The combination that satisfies the requirement on its own is an outbound endpoint, a "." forwarding rule targeting the on-premises resolver, and a system rule for amazonaws.com, which is also the combination the discussion below converges on.
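The outbound-endpoint form of this design, written out as Terraform. This is an added example and is not code from the exam page, from any commenter, or from AWS; the VPC ID, subnet IDs, the on-premises resolver addresses in `onprem_dns_ips`, and all resource names are assumed placeholders. A forwarding rule can only reach the on-premises network through an outbound endpoint, so the endpoint is created first; the security group on it permits DNS egress to the on-premises resolvers and nothing else.

```hcl
# Added example (not from the exam page or AWS docs): Route 53 Resolver configuration that
# forwards all public DNS queries from the VPC to an on-premises DNS security solution while
# AWS service endpoints (amazonaws.com) keep resolving inside the VPC.
# All variable values are assumed placeholders.

variable "vpc_id"         { type = string }          # VPC that must use the on-prem resolver
variable "subnet_ids"     { type = list(string) }    # two subnets in different AZs for the endpoint
variable "onprem_dns_ips" { type = list(string) }    # e.g. ["10.20.0.53", "10.20.1.53"] (assumed)

# Egress-only security group for the outbound endpoint: DNS to the on-prem resolvers only.
resource "aws_security_group" "resolver_outbound" {
  name        = "route53-resolver-outbound"
  description = "Route 53 Resolver outbound endpoint: DNS to on-prem resolvers only"
  vpc_id      = var.vpc_id

  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = [for ip in var.onprem_dns_ips : "${ip}/32"]
  }

  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = [for ip in var.onprem_dns_ips : "${ip}/32"]
  }
}

# Outbound endpoint: the only path by which Resolver can send queries to the on-prem network.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "to-onprem-dns"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver_outbound.id]

  dynamic "ip_address" {
    for_each = var.subnet_ids
    content {
      subnet_id = ip_address.value
    }
  }
}

# Forwarding rule for ".": every query not matched by a more specific rule, an AWS internal
# name, or a private hosted zone record is sent to the on-prem DNS security solution.
resource "aws_route53_resolver_rule" "forward_all" {
  name                 = "forward-all-to-onprem"
  domain_name          = "."
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  dynamic "target_ip" {
    for_each = var.onprem_dns_ips
    content {
      ip   = target_ip.value
      port = 53
    }
  }
}

# System rule for amazonaws.com: the security team's exception. Resolver answers these locally,
# which keeps VPC endpoint private DNS working and stops every AWS API lookup leaving the VPC.
resource "aws_route53_resolver_rule" "aws_local" {
  name        = "resolve-amazonaws-locally"
  domain_name = "amazonaws.com"
  rule_type   = "SYSTEM"
}

# Rules have no effect until they are associated with the VPC.
resource "aws_route53_resolver_rule_association" "forward_all" {
  resolver_rule_id = aws_route53_resolver_rule.forward_all.id
  vpc_id           = var.vpc_id
}

resource "aws_route53_resolver_rule_association" "aws_local" {
  resolver_rule_id = aws_route53_resolver_rule.aws_local.id
  vpc_id           = var.vpc_id
}
```

To verify after apply, query from an instance in the VPC that still uses the default (AmazonProvidedDNS) DHCP options: a lookup of a public name such as example.com should appear in the on-premises resolver's query log, while a lookup of an AWS service endpoint name under amazonaws.com should return the VPC endpoint's private addresses without any query reaching the on-premises resolver. The DHCP options set is deliberately left at the default here; pointing it at the on-premises resolver would route around Route 53 Resolver and neither rule would be evaluated.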

Discussion

6 comments
Balasmaniam (Options: DEF)
Jun 15, 2023

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html#resolver-overview-forward-vpc-to-network-autodefined-rules

RVD (Options: DEF)
Jun 12, 2023

Ans: DEF

bluz (Options: CDF)
Feb 28, 2024

"According to the new requirement, all public DNS queries must use an on-premises DNS security solution." - amazonaws.com is a public domain. "The company is using VPC endpoints to access AWS services." - inbound endpoint. We don't need a System Rule because "The dot rule applies to all domain names except some AWS internal domain names and record names in private hosted zones." https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html#resolver-overview-forward-vpc-to-network-domain-name-matches

Blitz1
Jul 15, 2024

Very good. From the same article: "If you create a conditional forwarding rule for "." (dot) or "com", we recommend that you also create a system rule for amazonaws.com. (System rules cause Resolver to locally resolve DNS queries for specific domains and subdomains.) Creating this system rule improves performance, reduces the number of queries that are forwarded to your network, and reduces Resolver charges."

papercuts23
Jun 10, 2023

I think it is DEF.

[Removed] (Options: BDF)
Jul 17, 2023

Do you think the system rule for the domain name amazonaws.com would only apply to queries for that specific domain name. It would not apply to other public DNS queries. I think BDF is correct...

[Removed]
Jul 18, 2023

Edit: DEF is correct. Creating this system rule improves performance, reduces the number of queries that are forwarded to your network, and is recommended when you create a conditional forwarding rule for "." (dot) or "com": https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html

Tofu13 (Options: DEF)
Aug 31, 2023

D - Create an outbound endpoint to be able to send queries from the VPC to the on-prem DNS solution.
F - Forward all (= ".") queries over the outbound endpoint to the on-prem solution.
E - Only make an exception for AWS service endpoints.