Network Services and Security · hard · Troubleshooting · Objective-mapped

Quick Answer

The correct answer is to remove the faulty primary DNS server using the command 'no ip name-server 198.51.100.53', keeping only the working secondary server 203.0.113.53. This is the best fix because a DNS server returning SERVFAIL indicates a fundamental issue with that server’s ability to resolve the requested record, such as a missing zone or misconfiguration; leaving it in the list means the router will still attempt to query it first, causing intermittent failures or timeouts that degrade resolution for VLAN 10. On the CCNA 200-301 v2 exam, this scenario tests your understanding of how IOS-XE processes the 'ip name-server' list sequentially—it will always try the first server before falling back, so a broken primary directly causes SERVFAIL errors. A common trap is to reorder the servers or add a static host entry, but these only mask the problem rather than eliminating the faulty source. Remember the mnemonic: “Remove the rot, don’t just rearrange the pot”—if a server consistently returns SERVFAIL, take it out of the configuration entirely.

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Network Topology
[Topology diagram: R1 connects through G0/0/0 (10.0.0.1/30) to the DNS servers (198.51.100.53); G0/0/1.10 (192.168.10.1/24) serves VLAN 10 and G0/0/1.20 (192.168.20.1/24) serves VLAN 20.]

You are connected to R1, a multilayer switch acting as a DNS forwarder for two VLANs. Users on VLAN 10 report that they cannot resolve 'files.example.com' while VLAN 20 works fine. The DNS server 198.51.100.53 is reachable but returns SERVFAIL for queries from subnet 192.168.10.0/24, while server 203.0.113.53 responds correctly for both VLANs. Diagnose and fix the DNS resolution issue using nslookup and dig, then adjust the IOS-XE configuration to ensure proper name resolution. Choose the best fix that permanently resolves the problem.

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.


Exhibit

R1# show running-config | section ip domain
ip domain lookup
ip name-server 198.51.100.53 203.0.113.53
ip domain list example.com

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   10.0.0.1        YES NVRAM  up                    up
GigabitEthernet0/0/1.10 192.168.10.1   YES NVRAM  up                    up
GigabitEthernet0/0/1.20 192.168.20.1   YES NVRAM  up                    up

R1# ping 198.51.100.53
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.51.100.53, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)

R1# nslookup files.example.com
Server:         198.51.100.53
Address:        198.51.100.53#53
** server can't find files.example.com: NXDOMAIN

R1# nslookup files.example.com 203.0.113.53
Server:         203.0.113.53
Address:        203.0.113.53#53
Name:   files.example.com
Address: 203.0.113.100

R1# dig @198.51.100.53 files.example.com A

; <<>> DiG 9.16.1 <<>> @198.51.100.53 files.example.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;files.example.com.             IN      A

;; Query time: 100 msec
;; SERVER: 198.51.100.53#53(198.51.100.53)
;; WHEN: Thu Jan 01 00:00:00 UTC 2024
;; MSG SIZE  rcvd: 42

R1# dig @203.0.113.53 files.example.com A

; <<>> DiG 9.16.1 <<>> @203.0.113.53 files.example.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;files.example.com.             IN      A

;; ANSWER SECTION:
files.example.com.      3600    IN      A       203.0.113.100

;; Query time: 50 msec
;; SERVER: 203.0.113.53#53(203.0.113.53)
;; WHEN: Thu Jan 01 00:00:00 UTC 2024
;; MSG SIZE  rcvd: 60

Correct answer & explanation

Remove the faulty primary DNS server using 'no ip name-server 198.51.100.53' and keep the working secondary server 203.0.113.53.

The faulty DNS server 198.51.100.53 returns SERVFAIL for the A record query, indicating a misconfiguration or missing record on that server. Although reordering (Option C) would allow resolution to work by querying the functional server first, it is not the optimal fix because the broken server remains in the list and could still be used if the primary times out or for future queries. The best practice is to completely remove the faulty server using 'no ip name-server 198.51.100.53'. Option B adds a static entry that only helps one domain and does not address the root cause. Option D would make the router use only the broken server, worsening the problem.
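
An added example, not part of the original question: a Python sketch that reads dig output shaped like the exhibit's, records each resolver's response status, and emits the IOS command removing any configured server that returned SERVFAIL. The function names and the trimmed sample text are constructed for illustration.

```python
import re

# Constructed sample: trimmed dig output in the shape of the exhibit.
SAMPLE_DIG = """\
; <<>> DiG 9.16.1 <<>> @198.51.100.53 files.example.com A
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 198.51.100.53#53(198.51.100.53)

; <<>> DiG 9.16.1 <<>> @203.0.113.53 files.example.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 203.0.113.53#53(203.0.113.53)
"""

STATUS_RE = re.compile(r"status:\s*(\w+)")
ANSWER_RE = re.compile(r"ANSWER:\s*(\d+)")
SERVER_RE = re.compile(r";; SERVER:\s*([0-9a-fA-F.:]+)#\d+")

def parse_dig(text):
    """Return {server_ip: (status, answer_count)} for each response in text."""
    results, status, answers = {}, None, 0
    for line in text.splitlines():
        if m := STATUS_RE.search(line):
            status = m.group(1)
        if m := ANSWER_RE.search(line):
            answers = int(m.group(1))
        if m := SERVER_RE.match(line):
            # The SERVER line closes one response: record it, then reset.
            results[m.group(1)] = (status, answers)
            status, answers = None, 0
    return results

def remediation(configured, results):
    """IOS commands removing configured servers that returned SERVFAIL."""
    working = [s for s in configured
               if results.get(s, (None, 0))[0] == "NOERROR" and results[s][1] > 0]
    if not working:
        # Never strip the list down to nothing but failing resolvers.
        raise ValueError("no configured resolver answered the query")
    return [f"no ip name-server {s}" for s in configured
            if results.get(s, (None, 0))[0] == "SERVFAIL"]

if __name__ == "__main__":
    cfg = ["198.51.100.53", "203.0.113.53"]  # order from the exhibit
    for cmd in remediation(cfg, parse_dig(SAMPLE_DIG)):
        print(cmd)
```

The guard in `remediation` covers the Option D failure mode: it refuses to produce a change when no configured resolver answered successfully.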

Key principle: A trunk being up does not mean the VLAN is allowed across it. Always verify the allowed VLAN list and whether the VLAN exists on both switches.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Remove the faulty primary DNS server using 'no ip name-server 198.51.100.53' and keep the working secondary server 203.0.113.53.

    Why this is correct

    This is correct because the primary DNS server returns SERVFAIL, indicating it cannot resolve the query. Removing it ensures that only the working server is used, allowing successful resolution for VLAN 10.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    Access ports place end devices into a single VLAN.

  • Add a static DNS entry for 'files.example.com' using 'ip host files.example.com 10.0.0.1' on R1.

    Why it's wrong here

    This is incorrect because the issue is with the DNS server, not a missing static entry. Adding a static entry would bypass DNS but does not fix the underlying server problem and is not a scalable solution.

  • Change the DNS server order so that the working server is primary using 'ip name-server 203.0.113.53 198.51.100.53'.

    Why it's wrong here

    This is incorrect because simply reordering the servers does not fix the faulty server. The router will still query the primary server first, and if it returns SERVFAIL, the resolution fails. The faulty server should be removed entirely.

  • Configure the router to use only the faulty server by removing the working server with 'no ip name-server 203.0.113.53'.

    Why it's wrong here

    This is incorrect because it removes the only working DNS server, leaving only the faulty one, which would break resolution for all VLANs.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

Remove the faulty primary DNS server using 'no ip name-server 198.51.100.53' and keep the working secondary server 203.0.113.53. (Correct answer)

Why this is correct

This is correct because the primary DNS server returns SERVFAIL, indicating it cannot resolve the query. Removing it ensures that only the working server is used, allowing successful resolution for VLAN 10.

Add a static DNS entry for 'files.example.com' using 'ip host files.example.com 10.0.0.1' on R1. (Wrong answer)

Why this is wrong here

The specific factual error: Static DNS entries are used for local hostname resolution, not for fixing a faulty DNS server. The problem is that the primary DNS server returns SERVFAIL, so the solution should address the server configuration.

Why candidates choose this

Candidates might think that adding a static entry is a quick fix for resolution failures, but this does not address the root cause and would not help with other domain queries.

Change the DNS server order so that the working server is primary using 'ip name-server 203.0.113.53 198.51.100.53'. (Wrong answer)

Why this is wrong here

This only reorders the servers, keeping the broken server in the list. While it may work immediately, it is not the optimal fix because the faulty server remains and could be used if the primary fails or for other queries, and it does not remove the misconfigured source of delay or failure.

Why candidates choose this

Candidates may think that making the working server primary will solve the issue, but they overlook that the router still tries the faulty server first and may not fall back if the response is an error.

Configure the router to use only the faulty server by removing the working server with 'no ip name-server 203.0.113.53'. (Wrong answer)

Why this is wrong here

The specific factual error: Removing the working server exacerbates the problem. The goal is to fix resolution, not break it further.

Why candidates choose this

Candidates might misinterpret the diagnostic output and think the faulty server is the correct one to keep, but this would cause complete resolution failure.

Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: an active trunk can still block the VLAN you need

A trunk being up does not prove every VLAN is crossing it. Check allowed VLAN lists, native VLAN mismatch, VLAN existence and access-port assignment.

Detailed technical explanation

How to think about this question

VLAN questions usually combine access-port and trunking clues. The key is to identify whether the issue is local to one switchport, caused by the trunk, or caused by the VLAN not existing where it needs to exist.

Key Concepts to Remember

  • Access ports place end devices into a single VLAN.
  • Trunk ports carry multiple VLANs between switches.
  • Allowed VLAN lists decide which VLANs can cross a trunk.
  • Native VLAN mismatch can create confusing symptoms.

Exam Day Tips

  • Use show vlan brief to verify access VLANs.
  • Use show interfaces trunk to verify trunk state and allowed VLANs.
  • Do not treat every same-VLAN issue as a routing problem.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Review VLAN allowed lists, native VLAN mismatch detection, and how to verify VLAN membership with show vlan brief and show interfaces trunk. Then practise related 200-301 questions on switching, trunking, and access-port configuration.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 6, 2026
