The correct answer is to increase the message-length maximum under the DNS map. Cisco ASA and Firepower devices apply DNS inspection through a DNS inspection policy map, and the map in the exhibit (migrated_dns_map_1) enforces a 512-byte maximum on UDP DNS messages, the limit set by RFC 1035; any DNS message longer than that is dropped by the inspection engine, not by an access list. To allow larger responses, such as EDNS0 replies that commonly run to 4096 bytes and can be larger, you raise the message-length maximum in that DNS map so the firewall forwards the oversized replies instead of dropping them. On the Cisco SCOR 350-701 exam, this tests your understanding of application-layer inspection and of tuning an inspection parameter for legitimate traffic rather than disabling the protection. A common trap is choosing to remove DNS inspection entirely, which would weaken security; the map gives you granular control over the one parameter that is causing the drop. Memory tip: think of the DNS map as a gatekeeper with a 512-byte gate; raise the gate height in the map to let the bigger responses through.
350-701 Security Concepts Practice Question
This 350-701 practice question tests your understanding of security concepts. It is a configuration task: read the exhibit, identify which configured parameter produces the behaviour described, and choose the change that resolves it without removing protection. Small differences, such as which policy map a parameter lives under and what value it carries, change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below, and read why each distractor is designed to mislead on exam day.
Exhibit
show running-config | section policy-map
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rpc
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect sip
  inspect pptp
  inspect icmp
  inspect icmp error
  inspect ip-options
 class class-default
  set connection advanced-options UMBC_Inside
Refer to the exhibit. An administrator notices that DNS responses larger than 512 bytes are being dropped. Which configuration change should be made to allow larger DNS responses?
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
Increase the message-length maximum under the DNS map
The correct answer is D, increase the message-length maximum under the DNS map. DNS inspection on Cisco ASA/Firepower devices is governed by a DNS inspection policy map; in the exhibit, migrated_dns_map_1 is applied by inspect dns in global_policy and carries message-length maximum 512, which matches the original UDP DNS limit from RFC 1035. Any DNS message longer than that is dropped by the inspection engine, not by an ACL. To allow larger responses (for example EDNS0 replies, which routinely exceed 512 bytes), raise message-length maximum in that map to a value such as 4096; the firewall then forwards the oversized replies instead of dropping them.
Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
Remove the DNS inspection policy
Why it's wrong here
Removing inspect dns from global_policy would stop the drops, but it also disables every other DNS inspection check (DNS ID matching, tearing down the UDP connection after the reply, and the rest), trading a tunable limit for no protection at all.
✗
Add an access-list to permit the traffic
Why it's wrong here
The responses are already permitted through the firewall; they are dropped by the DNS inspection engine because of the message-length limit, and an access list has no influence over inspection parameters.
✗
Disable the set connection advanced-options command
Why it's wrong here
set connection advanced-options applies a TCP map (TCP normalisation settings) to class-default; it has no bearing on the length of UDP DNS messages, so changing it would not stop the drops.
✓
Increase the message-length maximum under the DNS map
Why this is correct
Raising the limit (for example to 4096, the EDNS0 buffer size most resolvers advertise) allows the larger responses to pass inspection while every other DNS check stays in place.
Related concept
Read the scenario before looking for a memorised answer.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the misconception that ACLs or removing inspection policies are the solution for application-layer drops, when in fact the issue is a specific inspection parameter (DNS message-length) that must be tuned via a DNS map.
Detailed technical explanation
How to think about this question
Under the hood, the DNS inspection engine on Cisco ASA/Firepower parses each DNS message and, by default, enforces the 512-byte UDP limit from RFC 1035 by dropping anything longer as a non-conforming message. When EDNS0 (RFC 6891) is used, the client advertises a larger UDP buffer (4096 bytes is common) and servers answer with correspondingly larger replies; the message-length maximum command under the DNS map raises the ceiling so those replies pass inspection. On the ASA the drops are visible as syslog 410001, which reports the actual packet length and the configured limit, and show service-policy inspect dns shows the message-length drop counter for the map. In real-world deployments, failing to adjust this setting causes resolution failures for services that rely on large responses, such as DNSSEC-signed zones (RRSIG and DNSKEY records) and long TXT records, and the symptom is a resolver timeout rather than a clean error because the reply never arrives.
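As an added example, not part of the original question or of Cisco's own documentation, here is the fix applied to the map from the exhibit on an ASA, followed by the show command that confirms it. The value 4096 is an assumption that matches the EDNS0 buffer size most resolvers advertise; use the value your resolvers actually send.

```text
ciscoasa(config)# policy-map type inspect dns migrated_dns_map_1
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# message-length maximum 4096
ciscoasa(config-pmap-p)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# show running-config policy-map
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  ...
ciscoasa(config)# write memory
```

The map is already bound by inspect dns migrated_dns_map_1 under global_policy, so no service-policy change is needed and every other DNS check stays active. To confirm, run dig +bufsize=4096 +dnssec against a signed zone from a client behind the firewall and check that the reply arrives; on the ASA, show service-policy inspect dns should show the message-length drop counter no longer increasing, and any remaining drops appear as syslog 410001 with the offending packet length. Where the software supports message-length maximum client auto, the map can follow the buffer size the client advertises instead of a fixed value.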
Key Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A typical scenario: a security administrator enables DNSSEC validation on the internal resolvers behind an ASA that still carries the default DNS map with message-length maximum 512. Queries for signed zones start timing out while unsigned zones resolve normally, and the ASA logs show DNS replies being dropped for exceeding the configured limit. Raising message-length maximum in the DNS map to 4096 restores resolution without removing inspect dns. Questions like this test whether you can trace an application-layer drop to the inspection parameter that causes it.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Security Concepts: this question tests security concepts. Read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Increase the message-length maximum under the DNS map. DNS inspection on Cisco ASA/Firepower devices is governed by a DNS inspection policy map, and the map in the exhibit (migrated_dns_map_1) enforces message-length maximum 512, the original UDP DNS limit from RFC 1035; longer messages are dropped by the inspection engine. To allow larger DNS responses (for example EDNS0 replies, which can exceed 512 bytes), raise message-length maximum under that DNS map, for example to 4096, so the firewall forwards those responses instead of dropping them.
What should I do if I get this 350-701 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
This 350-701 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-701 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.