
AZ-300 Exam - Question 114


HOTSPOT -

You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.

You install and configure a web server and a DNS server on VM1.

VM1 has the effective network security rules shown in the following exhibit.

[Exhibit: effective network security rules for VM1 (image not reproduced)]

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

[Hot area image not reproduced]
Correct Answer:
[Answer image not reproduced]

Box 1:

Rule2 blocks ports 50-60, which includes port 53, the DNS port. Internet users can reach the web server, since it uses port 80.

Box 2:

If Rule2 is removed, internet users can reach the DNS server as well.

Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Processing stops once traffic matches a rule; as a result, any rules with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
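To trace the Box 1 / Box 2 reasoning, here is an added example (not part of the exam page) that models first-match, priority-ordered NSG inbound evaluation in Python. The rule names, priority numbers and the TCP-only scope of Rule1 are assumptions reconstructed from the question and the discussion, not the exhibit itself.

```python
# Added example: a minimal model of how an Azure NSG evaluates inbound rules.
# Rules are processed by ascending priority number; the first rule that matches
# decides the packet and processing stops. The rule set below is an assumption
# reconstructed from the question text and the discussion, not the exhibit:
# Rule2 (higher priority than Rule1) denies ports 50-60 on any protocol,
# Rule1 allows TCP 53 and 80, an RDP rule allows TCP 3389, and the default
# DenyAllInBound rule sits at priority 65500 as in every NSG.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number = evaluated first
    protocol: str        # "TCP", "UDP" or "Any"
    port_ranges: tuple   # ((low, high), ...)
    action: str          # "Allow" or "Deny"

    def matches(self, protocol: str, port: int) -> bool:
        proto_ok = self.protocol == "Any" or self.protocol == protocol
        return proto_ok and any(lo <= port <= hi for lo, hi in self.port_ranges)


# Constructed rule set (assumed priorities 100/200/300 for the custom rules).
INBOUND = [
    Rule("Rule1", 200, "TCP", ((53, 53), (80, 80)), "Allow"),
    Rule("Rule2", 100, "Any", ((50, 60),), "Deny"),
    Rule("AllowRDP", 300, "TCP", ((3389, 3389),), "Allow"),
    Rule("DenyAllInBound", 65500, "Any", ((0, 65535),), "Deny"),
]


def evaluate(rules, protocol, port):
    """Return (action, rule_name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(protocol, port):
            return rule.action, rule.name
    raise ValueError("no rule matched; an NSG always has a default rule")


def reachable_services(rules):
    """Map each service the question asks about to the rule that decides it."""
    checks = {"web TCP/80": ("TCP", 80), "dns TCP/53": ("TCP", 53), "dns UDP/53": ("UDP", 53)}
    return {svc: evaluate(rules, *pp) for svc, pp in checks.items()}


def without(rules, name):
    """Simulate deleting one rule from the NSG."""
    return [r for r in rules if r.name != name]


if __name__ == "__main__":
    print("Box 1:", reachable_services(INBOUND))
    print("Box 2:", reachable_services(without(INBOUND, "Rule2")))
```

With these assumed rules, removing Rule2 exposes TCP/53 via Rule1 while UDP/53 still falls through to DenyAllInBound, which is the TCP-versus-UDP distinction the discussion turns on.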

Discussion

18 comments
piotr
Nov 4, 2019

Wrong - if you remove Rule2, users can still only access HTTP as there is no other rule allowing UDP/53 (which is DNS). Only TCP/53 is then allowed, but this is for DNS zone transfers, not queries.

dumpmaster
Nov 21, 2019

Yes, you are right: https://support.microsoft.com/en-ie/help/556000

ChinaBandit
Nov 28, 2019

DNS port 53 is listed as 'TCP/UDP' here https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports

Benkyoujin
Dec 16, 2019

Rule 2 says protocol: any, which means TCP and UDP, so DNS will work.

bizie
Sep 25, 2019

With port 3389 open, wouldn't you be able to connect to both? With port 53 being blocked the DNS service itself would be blocked, but connections to both would be allowed as RDP?

tartar
Sep 9, 2020

Web server only Both

Bladiebla
Apr 14, 2020

I think "cannot connect to the web server and the DNS server on VM1" is the correct answer, because of blocking rule 3. Web = 80 by default but also 443. You can connect to port 80 but rule3 will block the port 80 traffic back to the internet user. When the web server uses 443 the answer is correct. I think it's a crappy question with too little information.

[Removed]
Jan 12, 2020

The answer is correct; if you delete Rule1, both the DNS port and internet will fall within Rule2.

Shunya
Jul 6, 2020

I think you wanted to say it the other way. Rule 2 was stopping 50-60, which includes 53, so DNS was not available. But at the same time Rule 1, which allowed Port 80, helped communicate to the web server. So the first answer (can connect to only web server on VM1) is right. Now when we delete Rule 2, Rule 1, which is still there, allows both Port 53 (DNS can communicate on both UDP/TCP, so here Rule 1 is allowing TCP) and Port 80 (HTTP/web server on TCP). So the first answer (can connect to only web server and DNS Server on VM1) is right.

Mathew
Jan 19, 2020

The answer is: DNS is mostly UDP Port 53, but as time progresses, DNS will rely on TCP Port 53 more heavily. DNS has always been designed to use both UDP and TCP port 53 from the start, with UDP being the default, and fall back to using TCP when it is unable to communicate on UDP, typically when the packet size is too large to push through in a single UDP packet. So it depends how DNS is configured... DNS should work.

gboyega
Jul 14, 2020

Given answer is correct

jmprbridge
Jul 15, 2020

I think that the question is not well asked. If we talk about connecting to the server, whatever it could be (DNS, Web...), you will do it, among other options, through the RDP port (3389), but if you are talking about available services, then you can talk about TCP/UDP 53 and HTTP port 80. So it seems that this question is talking about services. As per priorities, Rule2 has higher priority over DNS, but not for HTTP, so the first answer is correct. If we remove Rule2, HTTP remains available, since Rule1 includes HTTP and also DNS, so the second answer is correct. What confuses me is Outbound Rule3. Even if anyone asks through the HTTP port (I mean inbound port rules), nobody will answer through this port due to Rule3 on Outbound Port Rules. So keeping this in mind, correct answers should be: "cannot connect to the web server and DNS server on VM1" / "can connect to only the DNS server on VM1". Anyone agree?

nicolase
Jul 26, 2020

It is right!

misushant
Aug 1, 2020

This makes sense!

Ausias18
Jul 23, 2020

This question appeared for me in the AZ-104 exam.

Shunya
Jul 6, 2020

Rule 2, with lower priority which takes precedence, was stopping 50-60, which includes 53, so DNS was not available. But at the same time Rule 1, which allowed Port 80, helped communicate to the web server. So the first answer (can connect to only web server on VM1) is right. Now when we delete Rule 2, Rule 1, which is still there, allows both Port 53 (DNS can communicate on both UDP/TCP, so here Rule 1 is allowing TCP) and Port 80 (HTTP/web server on TCP). So the first answer (can connect to only web server and DNS Server on VM1) is right.

xofowi5140
Oct 6, 2020

Anybody see Rule3? Deny port 80 outbound

XolexHp
Aug 31, 2021

Me too, not sure if internet users can access while having Rule 3?!

SIDNEY1
May 10, 2020

Correct me if I'm wrong. The first box should be neither DNS nor HTTP. The first inbound rule stops DNS; that leaves us to check for HTTP. The inbound rule allows HTTP/S requests in; now I know these rules are stateful, but there's an explicit deny in the outbound rule stopping port 80 going out, so the HTTP request will be denied, I think? The answer to the second box is fine. What do you think?

RPFranklin
May 27, 2020

The outbound port 80 block is irrelevant. Response traffic to the inbound port 80 request will go out to the relevant random port number that the client used to make the request. This connection will be automatically enabled for the response when the inbound port 80 request is passed.

PTC
Jul 1, 2020

only look at the inbound rules*

PTC
Jul 1, 2020

Internet -----> VM1. Not the other way around. So you should only look at the inbound rules.


sebtiny
May 24, 2020

Rule 3 doesn't change anything because it's for traffic initiating from inside.

[Removed]
Jun 29, 2020

The proposed answers are kind of misleading, as there is also MSRDP 3389/TCP reachable from the internet.

sourabh7257
Jul 15, 2020

It's not asked if users can RDP to the server. It's only web and DNS.

Banaben
Aug 4, 2020

In Box 2, if I delete Rule2, the DNS server uses port 53 and protocol UDP, so how can users connect to the DNS server if there is a DenyAllInbound rule set?

learner301
Aug 18, 2020

https://www.infoblox.com/dns-security-resource-center/dns-security-faq/is-dns-tcp-or-udp-port-53/ so DNS can use both UDP and TCP 53. That means only TCP 53 is enough; the answers are OK.

colinquek
Aug 31, 2020

Azure NSG is stateful, hence apparently the port 80 outbound denial is "ignored", as port 80 is allowed inbound. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Valica
Sep 4, 2020

According to this link from Microsoft, a client is able to use TCP as well to query a DNS server: https://support.microsoft.com/en-us/help/556000#:~:text=DNS%20and%20some%20other%20services%20work%20on%20both%20the%20protocols.&text=DNS%20uses%20TCP%20for%20Zone,information%20larger%20than%20512%20bytes. "DNS uses TCP for Zone transfer and UDP for name queries either regular (primary) or reverse. UDP can be used to exchange small information whereas TCP must be used to exchange information larger than 512 bytes. If a client doesn't get response from DNS it must re-transmit the data using TCP after 3-5 seconds of interval." So the given answer is correct.

read_only
Sep 7, 2020

Given answer is correct. Look only at inbound rules. In the first dropdown, Rule 2 is blocking DNS traffic, but otherwise web traffic will be allowed when it hits Rule 1. In the second dropdown, after Rule 2 is deleted, both DNS and web traffic will be allowed by Rule 1.