Q26 — AWS ANS-C01 Ch.1

Question 26 of 100

A company is planning to host a secure web application across multiple Amazon EC2 instances. The application will have an associated DNS domain in an Amazon Route 53 hosted zone. The company wants to protect the domain from DNS poisoning attacks. The company also wants to allow web browsers to authenticate the application by using a trusted third party. Which combination of actions will meet these requirements?

Correct Answer: C. Configure the Route 53 hosted zone to use DNS Security Extensions (DNSSEC). Install X.509 certificates that are signed by a public certificate authority on the EC2 instances.

Explanation

This question tests DNS Security Extensions (DNSSEC) and X.509 certificates issued by a public certificate authority (CA). Amazon Route 53 supports DNSSEC signing for public hosted zones, which defends against DNS cache poisoning by attaching digital signatures (RRSIG records) to the zone's records, so a validating resolver can check that an answer really came from the zone owner and was not altered in transit (source: AWS documentation). Preventing DNS poisoning therefore requires enabling DNSSEC, not adding NAPTR records: a NAPTR record maps a name to a service or URI (for example, SIP and ENUM lookups) and provides no authentication of DNS data. For browsers to authenticate the application through a trusted third party, the EC2 instances must present certificates signed by a public CA that is already present in the browsers' root stores; a self-signed certificate is not trusted by default and triggers a warning. Option C combines both: DNSSEC protects the integrity and authenticity of the DNS data, and publicly signed certificates give clients an authenticated TLS connection. Option A fails because self-signed certificates are not trusted by browsers; options B and D fail because NAPTR records cannot prevent DNS poisoning.

Two practical notes when implementing option C. Route 53 DNSSEC signing requires a key-signing key (KSK) backed by an asymmetric AWS KMS customer managed key (key spec ECC_NIST_P256, key usage SIGN_VERIFY) in the us-east-1 Region, and signing only takes effect for resolvers once the zone's DS record has been published in the parent zone through the registrar; until then there is no chain of trust to validate against. DNSSEC also only authenticates and integrity-protects DNS answers; it does not encrypt them, which is one more reason the TLS certificate on the instances is still required.
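The following Go program is an added example, not part of the exam material or any AWS code, that models both halves of option C offline. The first half plays zone signer and validating resolver: an RRset is signed with a zone key (Ed25519, which is a real DNSSEC algorithm, though the canonical text form used here is a simplification of RFC 4034 wire format), and a poisoned answer with a substituted address fails validation. The second half plays a browser: a server certificate issued by a stand-in public root CA verifies against a trust store containing that CA, while a self-signed certificate for the same name does not. The domain app.example.com and the 203.0.113.x / 198.51.100.x addresses are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// RR is a minimal resource record (name, type, RDATA, TTL) for the toy model.
type RR struct {
	Name, Type, RData string
	TTL               uint32
}

// canonical serialises an RRset in a fixed order so signer and validator hash
// identical bytes. Simplified stand-in for the RFC 4034 canonical wire form.
func canonical(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, r := range rrs {
		lines = append(lines, fmt.Sprintf("%s\t%d\tIN\t%s\t%s",
			strings.ToLower(r.Name), r.TTL, r.Type, r.RData))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset is the authoritative side: the RRSIG-like value published with the RRset.
func SignRRset(zsk ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(zsk, canonical(rrs))
}

// ValidateRRset is the validating resolver: accept only if the signature matches
// the records actually received.
func ValidateRRset(dnskey ed25519.PublicKey, rrs []RR, rrsig []byte) bool {
	return ed25519.Verify(dnskey, canonical(rrs), rrsig)
}

// DemoDNSSEC signs a genuine A record, then validates the genuine answer and a
// poisoned copy against the same signature. Returns (genuineAccepted, poisonedAccepted).
func DemoDNSSEC() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	genuine := []RR{{Name: "app.example.com.", Type: "A", RData: "203.0.113.10", TTL: 300}}
	rrsig := SignRRset(priv, genuine)
	// Attacker's forged answer: same name and type, different address.
	poisoned := []RR{{Name: "app.example.com.", Type: "A", RData: "198.51.100.66", TTL: 300}}
	return ValidateRRset(pub, genuine, rrsig), ValidateRRset(pub, poisoned, rrsig), nil
}

// issue creates and parses a certificate from tmpl, signed by the parent's key.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoBrowserTrust builds a stand-in public root CA, a server certificate issued
// by it, and a self-signed server certificate for the same name, then verifies
// both against a trust store holding only the CA. Returns (caSignedAccepted, selfSignedAccepted).
func DemoBrowserTrust() (bool, bool, error) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	srvPub, srvPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Example Public Root CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "app.example.com"}, DNSNames: []string{"app.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caCert, err := issue(caTmpl, caTmpl, caPub, caPriv)
	if err != nil {
		return false, false, err
	}
	caSigned, err := issue(leafTmpl, caCert, srvPub, caPriv) // option C: public CA signs the server cert
	if err != nil {
		return false, false, err
	}
	selfSigned, err := issue(leafTmpl, leafTmpl, srvPub, srvPriv) // option A: server signs its own cert
	if err != nil {
		return false, false, err
	}
	roots := x509.NewCertPool() // the browser's root store: contains the public CA only
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, DNSName: "app.example.com"}
	_, errCA := caSigned.Verify(opts)
	_, errSelf := selfSigned.Verify(opts)
	return errCA == nil, errSelf == nil, nil
}

func main() {
	g, p, err := DemoDNSSEC()
	fmt.Println("DNSSEC: genuine accepted =", g, "poisoned accepted =", p, "err =", err)
	c, s, err := DemoBrowserTrust()
	fmt.Println("TLS: CA-signed accepted =", c, "self-signed accepted =", s, "err =", err)
}
```

Run with `go run .`; the expected outcome is that the genuine RRset and the CA-signed certificate are accepted while the poisoned RRset and the self-signed certificate are rejected. In a real deployment the resolver obtains the zone's public key through the DS record in the parent zone rather than in-process, which is why publishing the DS record at the registrar is the step that actually turns Route 53 signing into protection.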