Question 404 of 500
Security Concepts · Hard · Multiple Choice · Objective-mapped

Quick Answer

The correct answer is to increase the message-length maximum under the DNS map. Cisco ASA and Firepower Threat Defense perform DNS application inspection through a DNS inspection policy map, and the map in the exhibit caps DNS messages at 512 bytes, the UDP limit from RFC 1035; any DNS message longer than that is dropped by the inspection engine. Larger responses are normal today: EDNS0 (RFC 6891) lets a resolver advertise a bigger UDP payload size (4096 bytes is common), and DNSSEC-signed answers routinely exceed 512 bytes. Raising message-length maximum under the map's parameters (the ASA accepts 512 to 65535 bytes) lets the firewall forward those responses while still inspecting them. On the Cisco SCOR 350-701 exam, this concept tests your understanding of application-layer inspection and how to tune it for legitimate traffic rather than bypass it. A common trap is removing DNS inspection entirely, which discards every DNS protocol check the map performs; the map gives granular control instead. Memory tip: think of the DNS map as a gatekeeper with a 512-byte gate; raise the gate height under the map to let the bigger responses through.

350-701 Security Concepts Practice Question

This 350-701 practice question tests your understanding of security concepts. It is a configuration task: read the exhibit and choose the change that satisfies the stated requirement. Small differences, such as which policy map a parameter lives under or whether an inspection is tuned rather than removed, change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below, then read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

show running-config | section policy-map
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rpc
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect sip
  inspect pptp
  inspect icmp
  inspect icmp error
  inspect ip-options
 class class-default
  set connection advanced-options UMBC_Inside

Refer to the exhibit. An administrator notices that DNS responses larger than 512 bytes are being dropped. Which configuration change should be made to allow larger DNS responses?

Answer choices

A. Remove the DNS inspection policy
B. Add an access-list to permit the traffic
C. Disable the set connection advanced-options command
D. Increase the message-length maximum under the DNS map

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Increase the message-length maximum under the DNS map

The correct answer is D because DNS inspection on Cisco ASA/Firepower devices is governed by a DNS inspection policy map, and the map in the exhibit (migrated_dns_map_1, attached by inspect dns under the inspection_default class) sets message-length maximum 512, the UDP limit from the original DNS specification (RFC 1035). Any DNS message longer than that is dropped by the inspection engine. To allow larger responses, such as EDNS0 responses (RFC 6891) or DNSSEC-signed answers that exceed 512 bytes, raise message-length maximum under the map's parameters; the ASA accepts values from 512 to 65535 bytes. The service policy that references the map does not change, so every other check the DNS inspection performs stays in force.
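One way to catch this misconfiguration before users report it is to audit exported ASA/FTD configs for DNS maps that are applied to traffic and still carry a small maximum, then emit the exact CLI that raises it. The script below is an added example for this page, not Cisco code or the page's own; the config text is a constructed copy of the exhibit, and RECOMMENDED_MAX is an assumed local policy value rather than anything the exhibit states.

```python
"""Audit an ASA/FTD running-config excerpt for DNS inspection maps whose
'message-length maximum' is too small, and generate the CLI that raises it.

Added example for this page; it is not Cisco code. The config text is a
constructed copy of the exhibit, and RECOMMENDED_MAX is an assumed local
policy value (the ASA accepts 512..65535).
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed copy of the exhibit (trimmed to the lines that matter).
SAMPLE_CONFIG = """\
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
 class class-default
  set connection advanced-options UMBC_Inside
"""

ASA_MIN, ASA_MAX = 512, 65535   # valid range of 'message-length maximum'
RECOMMENDED_MAX = 4096          # assumed site policy: match a 4096-byte EDNS0 buffer


def parse_dns_maps(config: str) -> Dict[str, Optional[int]]:
    """Return {map_name: maximum} for every 'policy-map type inspect dns';
    the value is None when the map sets no explicit maximum."""
    maps: Dict[str, Optional[int]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        dns_map = re.match(r"policy-map type inspect dns (\S+)", line)
        if dns_map:
            current = dns_map.group(1)
            maps[current] = None
            continue
        if line.startswith("policy-map "):
            current = None          # a Layer 3/4 policy-map, not a DNS map
            continue
        if current is not None:
            limit = re.match(r"\s+message-length maximum (\d+)\s*$", line)
            if limit:
                maps[current] = int(limit.group(1))
    return maps


def applied_dns_maps(config: str) -> Set[str]:
    """DNS maps actually attached to traffic via an 'inspect dns MAP' action."""
    return set(re.findall(r"^\s+inspect dns (\S+)\s*$", config, re.MULTILINE))


def find_undersized(config: str, threshold: int = RECOMMENDED_MAX) -> List[Tuple[str, int]]:
    """Applied DNS maps whose explicit maximum is below threshold."""
    maps = parse_dns_maps(config)
    applied = applied_dns_maps(config)
    return sorted(
        (name, limit)
        for name, limit in maps.items()
        if name in applied and limit is not None and limit < threshold
    )


def remediation(map_name: str, new_max: int) -> List[str]:
    """CLI lines that raise the map's maximum in place; the service policy
    that references the map does not need to change."""
    if not ASA_MIN <= new_max <= ASA_MAX:
        raise ValueError(f"message-length maximum must be {ASA_MIN}..{ASA_MAX}")
    return [
        f"policy-map type inspect dns {map_name}",
        " parameters",
        f"  message-length maximum {new_max}",
    ]


if __name__ == "__main__":
    for name, limit in find_undersized(SAMPLE_CONFIG):
        print(f"{name}: message-length maximum {limit} < {RECOMMENDED_MAX}")
        print("\n".join(remediation(name, RECOMMENDED_MAX)))
```

Only maps referenced by an inspect dns action are reported, because an unattached map drops nothing; a map with no explicit maximum is left out of the result rather than guessed at, since the effective default depends on platform and version and should be verified on the box.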

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Remove the DNS inspection policy

    Why it's wrong here

Removing inspect dns migrated_dns_map_1 from the class stops every DNS protocol check the map performs, not only the length check. Larger responses would pass, but only by giving up the protection DNS inspection provides; the right fix tunes the map instead.

  • Add an access-list to permit the traffic

    Why it's wrong here

Access-lists decide whether a packet is permitted at all. A DNS response that the ACL already permits is still dropped by the inspection engine when it exceeds the DNS map's message-length maximum, so adding an ACL changes nothing here.

  • Disable the set connection advanced-options command

    Why it's wrong here

The set connection advanced-options UMBC_Inside line under class-default applies a TCP map's connection settings; it has no bearing on the length of a UDP DNS message, so disabling it does not stop the drops.

  • Increase the message-length maximum under the DNS map

    Why this is correct

Raising the limit under the parameters of migrated_dns_map_1 (for example, message-length maximum 4096) allows larger DNS responses through while every other inspection check in the map remains in place.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the misconception that ACLs or removing inspection policies are the solution for application-layer drops, when in fact the issue is a specific inspection parameter (DNS message-length) that must be tuned via a DNS map.

Detailed technical explanation

How to think about this question

Under the hood, the DNS inspection engine on Cisco ASA/Firepower validates DNS traffic at the application layer, and the map in the exhibit enforces the 512-byte message limit from RFC 1035, which was chosen so that a UDP DNS message would fit in a single unfragmented datagram. EDNS0 (RFC 6891) removed that constraint: the client advertises a larger UDP payload size in an OPT pseudo-record (4096 bytes was the usual value; many resolvers now advertise 1232 bytes to avoid IP fragmentation), so responses above 512 bytes are legitimate. The message-length maximum command under the DNS map's parameters raises the limit the firewall enforces, so larger UDP DNS messages are inspected and forwarded instead of dropped. In real-world deployments, leaving the limit at 512 causes resolution failures for anything that relies on larger responses, DNSSEC-signed zones in particular, because the RRSIG and DNSKEY records inflate the answer. Raising the firewall limit does not change what the resolver advertises; if responses still fail, check the resolver's EDNS buffer size and whether fragments are being dropped elsewhere in the path.
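To make the wire-level mechanics concrete, the block below hand-builds a DNS query carrying an EDNS0 OPT record, reads the advertised UDP payload size back out of it, builds an oversized answer, and applies the one comparison the DNS map's message-length maximum performs. It is an added example, not code from the page or from Cisco; it uses only the Python standard library, needs no network, and the names and addresses (example.com, 203.0.113.0/24) are constructed. The drop check models only the length comparison, not the rest of DNS inspection.

```python
"""Hand-built DNS messages showing why an EDNS0 response overruns a DNS map
capped at 512 bytes. Added example, not code from the page or from Cisco;
standard library only, no network. Names and addresses are constructed
(example.com, 203.0.113.0/24) and would_be_dropped models only the
'message-length maximum' comparison, not the rest of DNS inspection.
"""
import socket
import struct
from typing import List, Optional

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR (RFC 6891)
DO_BIT = 0x00008000      # DNSSEC OK flag, carried in the OPT TTL field
RFC1035_LIMIT = 512      # UDP message limit when no OPT RR is present


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels, root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, udp_size: Optional[int] = 4096, dnssec_ok: bool = True) -> bytes:
    """A-record query; with udp_size set, an OPT RR advertises that buffer size."""
    arcount = 0 if udp_size is None else 1
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # id, RD, QD=1
    msg += encode_name(name) + struct.pack("!HH", 1, 1)              # QTYPE A, QCLASS IN
    if udp_size is not None:
        ttl = DO_BIT if dnssec_ok else 0
        # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg: bytes) -> int:
    """UDP payload size the sender can accept: OPT CLASS field, else 512."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return RFC1035_LIMIT


def build_response(query: bytes, addresses: List[str]) -> bytes:
    """Answer an A query with one RR per address, name-compressed to the question."""
    qend = skip_name(query, 12) + 4
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addresses), 0, 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
        for a in addresses
    )
    return hdr + query[12:qend] + rrs


def would_be_dropped(message: bytes, map_max: int) -> bool:
    """The DNS map check: a message longer than 'message-length maximum' is dropped."""
    return len(message) > map_max


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_response(q, [f"203.0.113.{i}" for i in range(1, 51)])
    print(f"client advertises {advertised_udp_size(q)} bytes, response is {len(r)} bytes")
    for limit in (512, 4096):
        verdict = "drop" if would_be_dropped(r, limit) else "forward"
        print(f"message-length maximum {limit}: {verdict}")
```

The 50-address answer is 829 bytes, well inside the 4096 bytes the client advertised but over the 512-byte map in the exhibit, which is exactly the combination the administrator is seeing. The same walk through the additional section is what a DNS-aware firewall does to find the OPT record; the CLASS field of that record is the buffer size, not a real class.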

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this 350-701 question test?

Security Concepts. This question tests application-layer DNS inspection on Cisco ASA/Firepower and the principle behind it: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Increase the message-length maximum under the DNS map. DNS inspection on Cisco ASA/Firepower devices is governed by a DNS inspection policy map, and the map in the exhibit sets message-length maximum 512, the UDP limit from RFC 1035, so any longer DNS message is dropped. Raising the value under the map's parameters (for example to 4096; the ASA accepts 512 to 65535) allows EDNS0 and DNSSEC responses that exceed 512 bytes to be inspected and forwarded without removing DNS inspection.

What should I do if I get this 350-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 25, 2026


This 350-701 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-701 exam.