Exam SY0-701 topic 1 question 4 discussion

Actual exam question from CompTIA's SY0-701
Question #: 4
Topic #: 1

An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal?

  • A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
    Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53
  • B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53
    Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
  • C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
    Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53
  • D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
    Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
Suggested Answer: D

Comments

Baloyitum
Highly Voted 7 months, 3 weeks ago
The correct ACL (Access Control List) to accomplish the goal of limiting outbound DNS traffic originating from the internal network to only one device with the IP address 10.50.10.25 would be option D:

    Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
    Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

This configuration allows outbound DNS requests from the specific IP address 10.50.10.25 and denies outbound DNS requests from any other IP address.
upvoted 13 times
...
JRCHENRY
Most Recent 1 week ago
Selected Answer: D
    Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
    Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
upvoted 1 times
...
barrac
1 week, 2 days ago
Selected Answer: D
Permit 10.50.10.25/32 0.0.0.0/0 port 53: This rule allows outbound DNS requests from the device with the IP address 10.50.10.25. Deny 0.0.0.0/0 0.0.0.0/0 port 53: This rule denies all other outbound DNS requests from any other devices on any IP address. This combination ensures that only the specific device with IP address 10.50.10.25 can send outbound DNS requests, effectively limiting the outbound DNS traffic as desired. Source: https://docs.google.com/document/d/15AgfSOKqg-51pM8O9zp08DHXIrLlXw6Ir4ae_m0WkTY
upvoted 1 times
...
MaxiPrince
2 weeks, 2 days ago
Selected Answer: D
    Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
    Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
upvoted 1 times
...
Rafili
3 weeks ago
Selected Answer: D
The line  permit 10.50.10.25/32 0.0.0.0/0 port 53  allows DNS traffic only from the specified device (10.50.10.25) to any destination. The line  deny 0.0.0.0/0 0.0.0.0/0 port 53  blocks all other DNS traffic from any other device in the internal network. So answer D for 100% sure!
upvoted 1 times
...
Juls74
1 month ago
Selected Answer: D
Permit 10.50.10.25/32 0.0.0.0/0 port 53: This rule allows outbound DNS requests from the device with the IP address 10.50.10.25. Deny 0.0.0.0/0 0.0.0.0/0 port 53: This rule denies all other outbound DNS requests from any other devices on any IP address. This combination ensures that only the specific device with IP address 10.50.10.25 can send outbound DNS requests, effectively limiting the outbound DNS traffic as desired.
upvoted 2 times
...
MZAINUL
1 month ago
Selected Answer: D
This configuration allows outbound DNS requests from the specific IP address 10.50.10.25 and denies outbound DNS requests from any other IP address.
upvoted 1 times
...
Luswepo
3 months ago
Selected Answer: D
The correct firewall ACL configuration that will allow only the device with IP address 10.50.10.25 to send outbound DNS traffic while blocking all other devices is:

D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
   Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port

Explanation:
  - The first line allows outbound DNS requests (port 53) only from the device with IP address 10.50.10.25.
  - The second line denies all other outbound DNS traffic from any other IP address.

This achieves the goal of limiting DNS traffic to a single device.
upvoted 2 times
...
d1f9467
4 months, 1 week ago
Selected Answer: D
C: this option first allows all DNS traffic and then attempts to block traffic to 10.50.10.25, which is not the target.
upvoted 1 times
...
Grouthorax
4 months, 3 weeks ago
Selected Answer: D
C is wrong. The statement would allow outbound DNS traffic from any IP and deny outbound traffic from IP 10.50.10.25 which is the opposite of what it asks for. Correct answer is D
upvoted 2 times
...
tladytea
5 months, 1 week ago
Selected Answer: D
D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
   Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

Here’s the reasoning:
  • The first line, Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53, allows DNS traffic (port 53) from the specific IP address 10.50.10.25 to any destination.
  • The second line, Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53, denies DNS traffic (port 53) from any source to any destination, effectively blocking all other outbound DNS traffic.
upvoted 2 times
...
Olekjs
5 months, 2 weeks ago
D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
   Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

because it only allows the device with the IP address 10.50.10.25 to send outbound DNS requests on port 53, and denies all other devices from doing so.
upvoted 1 times
...
oluabi.salami
5 months, 3 weeks ago
D is the correct answer. Even co-pilot and chatGPT think so too. C is not correct.

Co-pilot: Absolutely, setting up Access Control Lists (ACLs) on your firewall is a good way to manage outbound DNS traffic. Here's an example of how you might configure the ACLs to meet your requirements:

    # Allow DNS requests from 10.50.10.25
    access-list 100 permit udp host 10.50.10.25 any eq 53
    access-list 100 permit tcp host 10.50.10.25 any eq 53
    # Deny DNS requests from any other IP address
    access-list 100 deny udp any any eq 53
    access-list 100 deny tcp any any eq 53
upvoted 1 times
...
easy02
5 months, 3 weeks ago
D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
   Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
upvoted 1 times
...
Ukwanda
6 months, 1 week ago
Correct answer is B as it allows outbound traffic for device with IP address 10.50.10.25/32 port 53. All other IP addresses are blocked on port 53.

B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53
   Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
upvoted 1 times
...
Etc_Shadow28000
6 months, 2 weeks ago
Selected Answer: D
The goal is to allow outbound DNS requests only from the device with the IP address 10.50.10.25 and block all other outbound DNS requests. DNS typically uses port 53.

  A. - This rule allows all outbound traffic on port 53, and then specifically denies traffic from 10.50.10.25 on port 53. This would effectively block the allowed device, so it's incorrect.
  B. - This rule allows traffic to 10.50.10.25 on port 53, and then denies all outbound traffic on port 53. Since this is outbound DNS traffic control, the destination should not be 10.50.10.25, making this incorrect.
  C. - This rule allows all outbound traffic on port 53 and then denies traffic to 10.50.10.25 on port 53. This does not control outbound traffic from the specified IP, so it's incorrect.
  D. - This rule allows outbound traffic on port 53 only from the IP 10.50.10.25 and then denies all other outbound traffic on port 53. This is the correct configuration.

Therefore, the correct firewall ACL to accomplish this goal is: D.
upvoted 2 times
...
Lanka22
7 months ago
Selected Answer: D
In Answer C it permits any IP and any subnet mask (0.0.0.0/0.0.0.0). According to the question, allow only 10.50.10.25, so the answer should be D.
upvoted 2 times
...
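The top-down, first-match reasoning that the comments above apply to options A through D can be checked mechanically. This is an added example, not part of the original discussion: it parses the four ACLs in the question's own pseudo-syntax, evaluates constructed flows against them, and flags rules that an earlier rule makes unreachable. The implicit deny, the test addresses and all function names are assumptions of this example.

```python
import ipaddress

ANY = "0.0.0.0/0"
HOST = "10.50.10.25/32"
P = "Access list outbound"

# The four options from the question, in the page's own pseudo-syntax.
OPTIONS = {
    "A": [f"{P} permit {ANY} {ANY} port 53", f"{P} deny {HOST} {ANY} port 53"],
    "B": [f"{P} permit {ANY} {HOST} port 53", f"{P} deny {ANY} {ANY} port 53"],
    "C": [f"{P} permit {ANY} {ANY} port 53", f"{P} deny {ANY} {HOST} port 53"],
    "D": [f"{P} permit {HOST} {ANY} port 53", f"{P} deny {ANY} {ANY} port 53"],
}

# Constructed flows: (source, destination, port, verdict the stated goal requires).
FLOWS = [
    ("10.50.10.25", "198.51.100.53", 53, "permit"),  # the one approved device
    ("10.50.10.77", "198.51.100.53", 53, "deny"),    # any other internal host
    ("10.50.10.77", "203.0.113.53", 53, "deny"),
]

def parse_rule(line):
    """Return (action, source network, destination network, port)."""
    action, src, dst, _, port = line.split()[-5:]
    return action, ipaddress.ip_network(src), ipaddress.ip_network(dst), int(port)

def evaluate(acl, src, dst, port):
    """First-match semantics: the first matching rule decides the verdict."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rport in map(parse_rule, acl):
        if s in rsrc and d in rdst and port == rport:
            return action
    return "deny"  # assumption: implicit deny when nothing matches

def meets_goal(acl):
    """True when every constructed flow gets the verdict the goal requires."""
    return all(evaluate(acl, s, d, p) == want for s, d, p, want in FLOWS)

def shadowed_rules(acl):
    """Indexes of rules fully covered by an earlier rule, so they never fire."""
    rules = [parse_rule(r) for r in acl]
    return [j for j, (_, s, d, p) in enumerate(rules)
            if any(s.subnet_of(es) and d.subnet_of(ed) and p == ep
                   for _, es, ed, ep in rules[:j])]

if __name__ == "__main__":
    for name, acl in OPTIONS.items():
        print(name, "meets goal:", meets_goal(acl), "dead rules:", shadowed_rules(acl))
```

In options A and C the deny line is reported as a dead rule because the preceding permit-any line already matches every packet it could match; in option B the permit keys on the destination, so even the approved device falls through to the deny.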