Exam ANS-C01
Question 107

A company is establishing connectivity between its on-premises site and an existing VPC on AWS to meet a new security requirement. According to the new requirement, all public DNS queries must use an on-premises DNS security solution. The company's security team has allowed an exception for the AWS service endpoints because the company is using VPC endpoints to access AWS services.

Which combination of steps should a network engineer take to configure the architecture to meet these requirements? (Choose three.)

    Correct Answer: B, E, F

    To configure the architecture to meet the specified requirements, the network engineer should take the following steps. First, create a new DHCP options set that provides the IP address of the on-premises DNS security solution and update the VPC to use this new DHCP options set. This ensures that all DNS queries are directed to the on-premises solution by default. Next, create a system rule for the domain name 'amazonaws.com' to handle exceptions for AWS service endpoints, ensuring that these queries do not go through the on-premises DNS. Finally, create a forwarding rule for the domain name '.' (dot) with a target IP address of the on-premises DNS security solution to ensure that all public DNS queries use the on-premises DNS security solution.

Discussion
Balasmaniam (Options: DEF)

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html#resolver-overview-forward-vpc-to-network-autodefined-rules

bluz (Options: CDF)

"According to the new requirement, all public DNS queries must use an on-premises DNS security solution." - amazonaws.com is a public domain. "The company is using VPC endpoints to access AWS services." - inbound endpoint. We don't need a System Rule because "The dot rule applies to all domain names except some AWS internal domain names and record names in private hosted zones." https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html#resolver-overview-forward-vpc-to-network-domain-name-matches

Blitz1

Very good. From the same article: "If you create a conditional forwarding rule for "." (dot) or "com", we recommend that you also create a system rule for amazonaws.com. (System rules cause Resolver to locally resolve DNS queries for specific domains and subdomains.) Creating this system rule improves performance, reduces the number of queries that are forwarded to your network, and reduces Resolver charges."

RVD (Options: DEF)

Ans: DEF

papercuts23

I think it is D E F

Tofu13 (Options: DEF)

D - Create an outbound endpoint to be able to send queries from the VPC to the on-prem DNS solution.
F - Forward all (= ".") queries over the outbound endpoint to the on-prem solution.
E - Only make an exception for AWS service endpoints.

[Removed] (Options: BDF)

Do you think the system rule for the domain name amazonaws.com would only apply to queries for that specific domain name? It would not apply to other public DNS queries. I think BDF is correct...

[Removed]

Edit: DEF is correct. Creating this system rule improves performance, reduces the number of queries that are forwarded to your network, and is recommended when you create a conditional forwarding rule for "." (dot) or "com". https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html
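To see why the "." forwarding rule (F) and the amazonaws.com system rule (E) are discussed together, here is an added Python model of Route 53 Resolver's rule selection (most specific domain name wins, with "." as the catch-all). It is illustrative code written for this page, not AWS code: the on-premises resolver IP, the rule sets and the autodefined-rule stand-ins are constructed.

```python
from dataclasses import dataclass

# Constructed on-premises DNS security solution address (RFC 5737 documentation range).
ON_PREM_DNS = "192.0.2.53"
LOCAL = "route53-resolver"   # answered locally by the VPC's Route 53 Resolver

@dataclass(frozen=True)
class Rule:
    domain: str            # "." matches every name; otherwise matched as a label suffix
    rule_type: str         # "FORWARD" (send to target) or "SYSTEM" (resolve locally)
    target: str = LOCAL    # only meaningful for FORWARD rules

def labels(name: str) -> list[str]:
    return [l for l in name.lower().rstrip(".").split(".") if l]

def matches(rule: Rule, qname: str) -> bool:
    """Suffix match on whole labels: 'amazonaws.com' matches 'sqs.us-east-1.amazonaws.com'
    but not 'amazonaws.com.example.net' or 'notamazonaws.com'."""
    if rule.domain == ".":
        return True
    rl, ql = labels(rule.domain), labels(qname)
    return len(ql) >= len(rl) and ql[-len(rl):] == rl

def resolve_target(qname: str, rules: list[Rule]) -> str:
    """Pick the matching rule with the most labels (most specific name wins).
    The '.' rule has zero labels, so it only catches names no other rule matches."""
    best = None
    for rule in rules:
        if not matches(rule, qname):
            continue
        if best is None or len(labels(rule.domain)) > len(labels(best.domain)):
            best = rule
    if best is None or best.rule_type == "SYSTEM":
        return LOCAL
    return best.target

# Constructed stand-ins for the rules Resolver autodefines for VPC-internal names.
AUTODEFINED = [Rule("ec2.internal", "SYSTEM"), Rule("us-east-1.compute.internal", "SYSTEM")]
DOT_RULE = Rule(".", "FORWARD", ON_PREM_DNS)          # option F: forward everything on-prem
AWS_SYSTEM_RULE = Rule("amazonaws.com", "SYSTEM")     # option E: keep AWS endpoints local

DOT_ONLY = AUTODEFINED + [DOT_RULE]
DOT_PLUS_SYSTEM = DOT_ONLY + [AWS_SYSTEM_RULE]

if __name__ == "__main__":
    for name in ["www.example.org", "sqs.us-east-1.amazonaws.com", "ip-10-0-0-5.ec2.internal"]:
        print(f"{name:30} dot only -> {resolve_target(name, DOT_ONLY):18}"
              f"dot + system -> {resolve_target(name, DOT_PLUS_SYSTEM)}")
```

With only the dot rule, queries for AWS service endpoint names are forwarded to the on-premises resolver like any other public name; adding the amazonaws.com system rule keeps them inside the VPC, which is the exception the question describes.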