Refer to the exhibit. A security analyst notices that users on the INSIDE network (10.1.1.0/24) can browse HTTPS websites but cannot resolve domain names. What is the most likely cause?
The DNS request to an external server is denied because the ACL only allows UDP to 10.2.2.10.
Why this answer
The exhibit shows an ACL that permits DNS traffic (UDP port 53) only to host 10.2.2.10. Since users can browse HTTPS (TCP/443) but cannot resolve domain names, the ACL is blocking DNS queries to any other DNS server. Option B correctly identifies that the ACL restricts DNS to a single server, and if users are configured to query a different DNS server, resolution fails.
How to eliminate wrong answers
Option A is wrong because the ACL permits TCP traffic to port 443 (HTTPS), as evidenced by users successfully browsing HTTPS websites. Option C is wrong because if the DNS server at 10.2.2.10 were unreachable, users would not be able to resolve names at all, but the issue is that users are configured to query a different DNS server, not 10.2.2.10. Option D is wrong because the security-level configuration on the OUTSIDE interface affects traffic direction and stateful inspection, not DNS resolution; the problem is specifically an ACL filtering issue.