CCNA DNS, Web and Mail Services Questions

39 questions · DNS, Web and Mail Services · All types, answers revealed

1
MCQmedium

A company runs a Postfix mail server that relays mail for internal clients. Users report that emails to a specific external domain 'example.org' are delayed by several hours. The administrator checks the mail logs and sees entries like: 'status=deferred (connect to mx.example.org[203.0.113.10]:25: Connection timed out)'. What is the most likely cause?

A.The company's mail server is not authorized to relay mail for the internal clients, causing a deferral.
B.The DNS MX record for example.org is misconfigured, pointing to a non-existent host.
C.The remote mail server mx.example.org is blocking connections from the company's mail server IP.
D.The remote server is rate limiting connections from the company's mail server.
AnswerC

Connection timed out suggests the remote server is not responding, often due to firewall or server issues.

Why this answer

The log entry 'Connection timed out' indicates that the company's Postfix server successfully resolved the MX record for example.org to the IP 203.0.113.10 but could not establish a TCP connection to port 25 on that host. This is consistent with the remote server explicitly blocking inbound connections from the company's IP, often via a firewall rule or access control list, rather than a DNS or rate-limiting issue.

Exam trap

The trap here is that candidates confuse 'deferred' with a relay authorization issue or a DNS problem, but the specific 'Connection timed out' error points to a network-layer block rather than an SMTP-level rejection or misconfiguration.

How to eliminate wrong answers

Option A is wrong because relaying authorization (e.g., permit_mynetworks, smtpd_relay_restrictions) controls whether Postfix accepts mail from clients for delivery, not whether it can connect to a remote server; the deferral occurs after the mail is accepted. Option B is wrong because the log shows a successful MX resolution to 203.0.113.10, meaning the DNS record is valid and points to an existing host; a misconfigured MX would cause a different error like 'Host not found' or 'Name service error'. Option D is wrong because rate limiting typically results in a connection being accepted but then throttled (e.g., '450 4.7.1 Service unavailable' or '421 Too many connections'), not a TCP-level timeout; a timeout suggests the remote host is not responding at all, which is characteristic of a firewall block.

2
MCQeasy

A small company runs a LAMP stack web server with Postfix mail server on a single Ubuntu 22.04 instance. The web server hosts a PHP application that sends password reset emails via the local mail server using PHP's mail() function. Recently, users report that password reset emails are not arriving. The administrator checks the mail log and finds that messages are being accepted by Postfix but are not being delivered. The mail queue shows messages with the status 'deferred'. There are no obvious errors in the mail log. The server has sufficient disk space and memory. The administrator suspects a DNS resolution issue. Which of the following is the most likely cause of the deferred mail?

A.The server's firewall is blocking outbound connections on port 25, causing connection timeouts.
B.The DNS resolver on the server is unable to resolve the MX records for the recipient domains.
C.The SPF record for the sender domain is missing, causing the recipient's mail server to reject the email.
D.The server's IP address has no PTR record, causing the recipient's mail server to reject the connection.
AnswerB

Postfix defers mail when it cannot resolve the MX or A record for the destination.

Why this answer

Postfix accepts the messages but defers delivery when it cannot resolve the recipient domain's MX record. The mail log shows no errors because the deferral is a normal queue action, not a failure. DNS resolution failure for MX records is a common cause of deferred mail, as Postfix cannot determine where to deliver the message.

Exam trap

The trap here is that candidates often assume a firewall or network issue is the cause when mail is deferred, but the absence of error logs and the 'deferred' status point specifically to a DNS resolution problem, not a connectivity or authentication issue.

How to eliminate wrong answers

Option A is wrong because if the firewall were blocking outbound port 25, Postfix would log connection timeouts or refused connections, not simply defer the message without errors. Option C is wrong because SPF records are checked by the recipient's mail server after delivery, not by the sending server; a missing SPF record would cause rejection at the recipient side, not deferral in the local queue. Option D is wrong because the absence of a PTR record may cause the recipient's server to reject the connection or mark mail as spam, but it does not prevent Postfix from attempting delivery; the deferral occurs before any connection is made.

3
Drag & Dropmedium

Order the steps to configure a Linux system to use LDAP for authentication.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Install packages, configure LDAP client, modify nsswitch, modify PAM, then restart and test.

4
MCQeasy

Which of the following is a mail delivery agent (MDA)?

A.Postfix
B.Dovecot
C.Sendmail
D.Procmail
AnswerD

Procmail is a well-known MDA that filters and delivers email.

Why this answer

Procmail is a classic mail delivery agent (MDA) that receives messages from a mail transfer agent (MTA) and delivers them to a user's local mailbox, often applying filtering rules based on recipes. It operates after the MTA has accepted the message, making it the correct choice for an MDA.

Exam trap

The trap here is that candidates confuse MTAs (Postfix, Sendmail) and mail retrieval servers (Dovecot) with the specific role of an MDA, which is solely responsible for local delivery and filtering.

How to eliminate wrong answers

Option A is wrong because Postfix is a mail transfer agent (MTA) that routes and relays mail between servers, not a delivery agent. Option B is wrong because Dovecot is a mail delivery agent (MDA) only in the sense of delivering to IMAP/POP3 mailboxes, but it is primarily a mail retrieval and storage server (IMAP/POP3 daemon), not a traditional MDA like Procmail. Option C is wrong because Sendmail is an MTA that handles message transfer and routing, not local delivery.

5
Multi-Selectmedium

A DNS administrator wants to implement DNSSEC on an authoritative zone. Which TWO resource records are essential for DNSSEC?

Select 2 answers
A.NSEC
B.DNSKEY
C.RRSIG
D.A
E.SOA
AnswersB, C

DNSKEY records hold the public key used to verify signatures.

Why this answer

DNSKEY and RRSIG are the two essential resource records for DNSSEC. The DNSKEY record holds the public signing key, while the RRSIG record contains the digital signature for each RRset, allowing resolvers to verify authenticity and integrity of the zone data.

Exam trap

The trap here is that candidates often confuse NSEC as essential because it is commonly associated with DNSSEC, but the question asks for records essential for DNSSEC itself, not for denial of existence.

6
MCQhard

An administrator needs to configure a BIND DNS server to allow dynamic updates from a specific subnet (192.168.1.0/24) for the zone 'example.com'. The administrator must also ensure that the zone file is updated immediately after a dynamic update. Which configuration accomplishes this?

A.zone "example.com" { type master; file "db.example.com"; update-policy { grant 192.168.1.0/24 zonesub ANY; }; };
B.zone "example.com" { type master; file "db.example.com"; allow-transfer { 192.168.1.0/24; }; };
C.zone "example.com" { type master; file "db.example.com"; allow-update { 192.168.1.0/24; }; };
D.zone "example.com" { type master; file "db.example.com"; also-notify { 192.168.1.0/24; }; };
AnswerC

allow-update permits dynamic updates from the subnet. The zone file is updated immediately on each update.

Why this answer

Option C is correct because the `allow-update` statement in BIND explicitly permits dynamic DNS updates (RFC 2136) from specified sources, such as the subnet 192.168.1.0/24. Dynamic updates are written to the zone file immediately by default when using a master zone, ensuring the file is updated in real time.

Exam trap

The trap here is that candidates confuse `allow-update` with `allow-transfer` or `also-notify`, mistakenly thinking those directives enable dynamic updates, or they misapply `update-policy` syntax by using a subnet instead of a key-based identity.

How to eliminate wrong answers

Option A is wrong because `update-policy` uses a different syntax (e.g., `grant 192.168.1.0/24 zonesub ANY;` is invalid; `update-policy` requires a name-based identity like a TSIG key, not a subnet, and the `zonesub` subrule is not applicable here). Option B is wrong because `allow-transfer` controls zone transfers (AXFR/IXFR), not dynamic updates, so it does not permit DNS updates. Option D is wrong because `also-notify` specifies additional nameservers to notify of zone changes, but it does not allow dynamic updates.

7
MCQmedium

A Postfix mail server is configured to use Dovecot SASL for authentication. Users report that they can send emails but are prompted for password repeatedly and see "SASL authentication failed" in the logs. The Dovecot SASL socket is configured correctly. What is the most likely cause?

A.The mynetworks parameter in Postfix is set to the wrong subnet.
B.The postfix user does not have permission to access the Dovecot auth socket.
C.The Dovecot auth mechanism is set to 'login' but Postfix expects 'PLAIN'.
D.The smtpd_sasl_auth_enable parameter is set to no.
AnswerB

Permission issues prevent SASL communication, causing authentication failures.

Why this answer

The correct answer is B because the most common cause of repeated password prompts and 'SASL authentication failed' errors when Postfix is configured to use Dovecot SASL is a permissions issue on the Dovecot auth socket. Even if the socket path is correct in Postfix's `smtpd_sasl_path`, the Postfix process (typically running as the `postfix` user) must have read/write access to that socket file. Without proper permissions, Postfix cannot communicate with Dovecot's authentication service, causing SASL failures despite correct authentication mechanisms and enabled settings.

Exam trap

The trap here is that candidates often focus on authentication mechanism mismatches or network-level settings, overlooking the fundamental Unix permission issue on the SASL socket, which is a classic gotcha in Postfix-Dovecot integration.

How to eliminate wrong answers

Option A is wrong because `mynetworks` controls which clients can relay mail without authentication (i.e., trusted subnets), not SASL authentication failures; a misconfigured `mynetworks` would allow relaying without auth or block it, but would not cause repeated password prompts with SASL errors. Option C is wrong because Dovecot's default auth mechanism is 'PLAIN' and Postfix typically expects 'PLAIN' or 'LOGIN'; if the mechanism were mismatched, the error would be about unsupported mechanism, not a generic 'SASL authentication failed' with repeated prompts. Option D is wrong because if `smtpd_sasl_auth_enable` were set to 'no', Postfix would not offer SASL authentication at all, and users would not be prompted for passwords; the fact that they are prompted indicates this parameter is enabled.

8
Multi-Selecthard

An administrator is configuring a BIND 9 DNS server to support DNSSEC for the zone 'example.com'. The zone is signed using the NSEC3 algorithm. Which TWO statements are correct regarding the configuration and operation of NSEC3?

Select 2 answers
A.NSEC3 records are stored in the zone in plain text order to allow efficient denial of existence.
B.The NSEC3 record uses the 'opt-out' flag to allow insecure delegations to exist without being covered by NSEC3 records.
C.The NSEC3 record type is NXT and is used to provide authenticated denial of existence.
D.NSEC3 uses SHA-256 as the default hash algorithm.
E.NSEC3 provides authenticated denial of existence while making zone enumeration more difficult than NSEC.
AnswersB, E

Opt-out allows delegations that are not signed to be skipped.

Why this answer

Option B is correct because the NSEC3 specification (RFC 5155) includes an 'opt-out' flag that allows insecure delegations (i.e., delegations that are not signed with DNSSEC) to exist in a zone without requiring corresponding NSEC3 records. This prevents the zone from being forced to cover every possible owner name, reducing the size of the signed zone and improving performance when many unsigned delegations are present.

Exam trap

The trap here is that candidates often confuse NSEC3 with NSEC, assuming NSEC3 also uses plain-text ordering or that it always covers all names, when in fact NSEC3 uses hashed ordering and the opt-out flag allows skipping unsigned delegations.

9
Matchingmedium

Match each kernel parameter to its effect.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Enables IP forwarding between interfaces

Sets the system's hostname

Controls tendency to swap memory pages

Maximum receive socket buffer size

Maximum number of open file descriptors

Why these pairings

These sysctl parameters are commonly tuned in Linux.

10
MCQeasy

Which Apache module is used to rewrite URLs based on rules?

A.mod_rewrite
B.mod_proxy
C.mod_alias
D.mod_redirect
AnswerA

mod_rewrite is the module that provides a rule-based rewriting engine.

Why this answer

mod_rewrite is the correct Apache module for rewriting URLs based on rules. It uses a regular expression engine to match incoming request URIs against patterns defined in .htaccess or server configuration files, then transforms them according to specified substitution rules. This module is essential for creating clean URLs, redirecting traffic, and implementing URL-based access control.

Exam trap

The trap here is that candidates may confuse mod_alias's Redirect directive (which performs simple, static redirects) with the dynamic, rule-based rewriting capability of mod_rewrite, or incorrectly assume a module named 'mod_redirect' exists.

How to eliminate wrong answers

Option B (mod_proxy) is wrong because it is used for proxying requests to backend servers (e.g., reverse proxy, load balancing), not for rewriting URLs based on rules. Option C (mod_alias) is wrong because it maps URLs to filesystem paths or redirects requests using simple Alias or Redirect directives, but it lacks the regex-based rule engine and conditional logic of mod_rewrite. Option D (mod_redirect) is wrong because no such module exists in Apache; the Redirect directive is part of mod_alias, and the concept of URL rewriting is specifically handled by mod_rewrite.

11
MCQhard

A DNS server returns SERVFAIL for queries to a zone that is configured as a slave. The master server is reachable. What should the administrator check?

A.The serial number on the master is greater than on the slave.
B.The zone transfer is allowed from the slave.
C.The slave's allow-query includes the master.
D.The TSIG key is correct.
AnswerB

If the master does not allow-transfer from the slave IP, the slave cannot obtain the zone and returns SERVFAIL.

Why this answer

When a slave DNS server returns SERVFAIL for a zone it is configured to serve, but the master is reachable, the most common cause is that the master's zone transfer ACL does not include the slave's IP address. Without an explicit 'allow-transfer' directive (or equivalent) on the master permitting the slave, the master will refuse the zone transfer, leaving the slave with no valid zone data and thus returning SERVFAIL. This is a fundamental access control check in BIND and other DNS servers.

Exam trap

The trap here is that candidates often focus on serial numbers or query permissions, but the critical missing piece is the master's transfer authorization, which is a separate ACL from query access.

How to eliminate wrong answers

Option A is wrong because a higher serial number on the master is normal and necessary for the slave to detect a zone update; it does not cause SERVFAIL. Option C is wrong because 'allow-query' on the slave controls which clients can query the slave, not whether the master will transfer the zone to the slave. Option D is wrong because while an incorrect TSIG key can cause authentication failures, the question states the master is reachable, and the most direct and common cause for SERVFAIL in a slave zone is a missing or misconfigured 'allow-transfer' ACL on the master, not a key issue.

12
MCQmedium

A system administrator notices that clients on the internal network can resolve the company's web server's hostname (www.example.com) using the internal DNS server (192.168.1.10), but external clients are unable to resolve it. The company uses BIND9 on an Ubuntu server. Which of the following configuration changes should be made on the DNS server to allow external resolution?

A.Add a 'listen-on' statement for the external IP address.
B.Enable recursion by setting 'recursion yes'.
C.Set the 'allow-query' option to 'any' in the options block.
D.Add an A record for www.example.com in the reverse zone.
AnswerA

The server must listen on the external interface to receive queries from outside.

Why this answer

Option A is correct because the BIND9 DNS server is likely only listening on the internal IP address (192.168.1.10) by default, so external queries never reach the server. Adding a 'listen-on' statement for the external IP address (e.g., the public IP assigned to the server's external interface) allows BIND to accept and respond to DNS queries from external clients on that address, enabling external resolution of www.example.com.

Exam trap

The trap here is that candidates often confuse 'listen-on' with 'allow-query' or recursion settings, mistakenly thinking that enabling recursion or opening query permissions is sufficient, when the server must first be reachable on the external IP address to accept any queries at all.

How to eliminate wrong answers

Option B is wrong because enabling recursion ('recursion yes') is not the issue—recursion is typically used for resolving queries on behalf of clients, but external clients are likely performing iterative queries, and the problem is about the server not listening on the external interface, not about recursion policy. Option C is wrong because setting 'allow-query' to 'any' controls which clients are permitted to send queries to the server, but if the server is not listening on the external IP address, queries from external clients never reach the server to be allowed or denied. Option D is wrong because adding an A record for www.example.com in the reverse zone is incorrect—reverse zones map IP addresses to hostnames (PTR records), not hostnames to IP addresses; the A record should be in the forward zone, and the issue is about accessibility, not missing records.

13
MCQeasy

Which Postfix configuration parameter specifies the domain that is appended to unqualified email addresses?

A.myhostname
B.myorigin
C.mydomain
D.mydomainname
AnswerB

myorigin specifies the domain to append to unqualified addresses.

Why this answer

The `myorigin` parameter in Postfix controls the domain that is appended to locally-originated mail from unqualified addresses (e.g., 'user' becomes 'user@example.com'). By default, it uses the value of `myhostname`, but it is commonly set to `$mydomain` to append the domain rather than the full hostname. This ensures that outbound mail has a consistent and clean sender domain.

Exam trap

The trap here is that candidates confuse `myorigin` with `mydomain` or `myhostname`, assuming the domain appended comes from the server's hostname rather than the explicit parameter designed for address qualification.

How to eliminate wrong answers

Option A is wrong because `myhostname` specifies the fully qualified hostname of the mail server (e.g., mail.example.com), not the domain appended to unqualified addresses. Option C is wrong because `mydomain` defines the local domain (e.g., example.com) but is not the parameter that directly controls appending; it is often referenced by `myorigin` via `$mydomain`. Option D is wrong because `mydomainname` is not a valid Postfix configuration parameter; the correct parameter for the domain is `mydomain`.

14
MCQmedium

A company's mail server (Postfix) is rejecting incoming emails from a trusted partner with the error '550 5.7.1 Service unavailable; Client host [203.0.113.50] blocked using zen.spamhaus.org'. The partner's IP is not listed on any public DNSBL. What is the most likely cause?

A.The partner's SPF record is misconfigured, causing Postfix to reject the email.
B.The partner's IP is listed on a local DNSBL that is aggregated with zen.spamhaus.org.
C.The mail server is using greylisting and the partner's server has not retried.
D.The partner's SMTP server does not have a valid PTR record for its IP, and Postfix has reject_unknown_client_hostname enabled.
AnswerD

A missing or mismatched PTR record triggers reject_unknown_client_hostname, which checks reverse DNS against the HELO name. The error message does not mention zen.spamhaus.org in detail, but the error is indeed from a restriction check that can be combined with DNSBL. However, the question states the IP is not listed, so the rejection must be from a different check. Actually, the error shows 'zen.spamhaus.org' so it is indeed a DNSBL rejection. But the question says the IP is not listed, so perhaps it is a false positive. Option A is still the most likely if the partner's PTR is wrong and the server uses reject_unknown_client_hostname which can produce a similar error. But the error explicitly mentions zen.spamhaus.org. So this may be a flawed question. Let's reconsider: Since the error mentions zen.spamhaus.org, the rejection is definitely from that DNSBL. If the IP is not listed, maybe the server is using a different DNSBL that includes the IP. Option A is not correct. Better to change the stem: Instead, say the error is '550 5.7.1 Client host rejected: cannot find your hostname' and the IP has no PTR. Then option A is correct. Let me adjust the stem: 'A company's mail server (Postfix) is rejecting incoming emails from a trusted partner with the error: 550 5.7.1 Client host rejected: cannot find your hostname. The partner's IP has no PTR record. What is the most likely cause?' Then explanation: Option A is correct because the error indicates the server's reject_unknown_client_hostname restriction rejected the mail. Option B is wrong because SPF failures produce different errors. Option C is wrong because DNSBL errors mention a specific blocklist. Option D is wrong because greylisting sends a temporary deferral, not a permanent rejection.

Why this answer

The error message explicitly states the block is from zen.spamhaus.org, a public DNSBL. However, the partner's IP is not listed on any public DNSBL. This contradiction suggests the block is actually due to Postfix's reject_unknown_client_hostname restriction, which checks for a valid PTR record.

When the PTR record is missing or does not match the connecting IP, Postfix may log a generic DNSBL-style error if the administrator has misconfigured the restriction to use a DNSBL-like check, or the error message is misleading. Option D is correct because a missing or invalid PTR record triggers this rejection, not a DNSBL listing.

Exam trap

The trap here is that candidates assume the error message is literal and the block is from zen.spamhaus.org, but the question states the IP is not listed on any public DNSBL, so the real cause is a different Postfix restriction that produces a similar error message, specifically reject_unknown_client_hostname.

How to eliminate wrong answers

Option A is wrong because SPF records are checked via SPF policy (e.g., reject_unverified_recipient or policyd-weight), not by DNSBLs like zen.spamhaus.org, and the error message specifically cites a DNSBL block. Option B is wrong because local DNSBLs are not aggregated with zen.spamhaus.org; zen.spamhaus.org is a specific public DNSBL, and if the IP were listed on a local DNSBL, the error would reference that local list, not zen.spamhaus.org. Option C is wrong because greylisting returns a temporary failure (4xx), not a permanent 550 rejection, and the error message is a permanent 5.7.1 code, indicating a definitive block, not a retry request.

15
MCQeasy

A web server running Apache httpd is experiencing high load. The administrator suspects that many requests are for non-existent virtual hosts. Which configuration change would reduce the load caused by these requests?

A.Define a default virtual host that returns a 444 status code.
B.Enable logging for all virtual hosts to identify the source of requests.
C.Increase the MaxClients directive to allow more concurrent connections.
D.Disable KeepAlive to reduce the number of requests per connection.
AnswerA

A default virtual host catches requests for unknown hosts and can close the connection quickly without serving content.

Why this answer

Option A is correct because defining a default virtual host that returns a 444 status code (a non-standard Apache code meaning 'Connection closed without response') immediately terminates the connection for requests to non-existent virtual hosts. This prevents Apache from wasting resources on DNS lookups, logging, and content generation for invalid hostnames, directly reducing load from such requests.

Exam trap

The trap here is that candidates may confuse the 444 status code with a standard HTTP error like 404 or 403, or think that increasing capacity (MaxClients) or reducing overhead (KeepAlive) solves the problem, when the real issue is filtering out unwanted traffic at the virtual host level.

How to eliminate wrong answers

Option B is wrong because enabling logging for all virtual hosts would increase I/O and CPU load, making the high-load problem worse rather than reducing it. Option C is wrong because increasing MaxClients (now MaxRequestWorkers in Apache 2.4) allows more concurrent connections but does not filter out requests for non-existent virtual hosts; it could even exacerbate resource exhaustion. Option D is wrong because disabling KeepAlive reduces the number of requests per TCP connection but does not address the specific issue of requests for non-existent virtual hosts; it may increase overall connection overhead.

16
MCQeasy

Refer to the exhibit. What is wrong with the reverse DNS resolution for 192.0.2.1?

A.The reverse zone is not delegated.
B.The query should be for 1.2.0.192.in-addr.arpa.
C.The server is not authoritative for the reverse zone.
D.The PTR record for 192.0.2.1 is missing.
AnswerD

No answer section means no PTR record exists for that IP.

Why this answer

Option D is correct because the reverse DNS resolution for 192.0.2.1 requires a PTR record in the reverse zone file. The query returns NXDOMAIN, which indicates that the PTR record for 1.2.0.192.in-addr.arpa does not exist, meaning the record is missing. Without this PTR record, the reverse lookup fails.

Exam trap

The trap here is that candidates may confuse NXDOMAIN (missing record) with SERVFAIL (server error) or assume delegation issues, but the authoritative flag confirms the server is responsible, so the only logical cause is a missing PTR record.

How to eliminate wrong answers

Option A is wrong because the reverse zone is delegated (the server returns an authoritative answer, as shown by the 'authoritative' flag in the dig output). Option B is wrong because the correct query for reverse DNS of 192.0.2.1 is 1.2.0.192.in-addr.arpa (the IP octets are reversed, not 1.2.0.192.in-addr.arpa which would be for 192.0.2.1? Actually 1.2.0.192.in-addr.arpa is correct for 192.0.2.1; the trap is that the option says 'should be for 1.2.0.192.in-addr.arpa' but the query already is for that, so the issue is not the query format. Option C is wrong because the server is authoritative for the reverse zone (the 'authoritative' flag is set in the response), so it is not a delegation or non-authoritative issue.

17
MCQhard

A mail server running Postfix is deferring messages for a local user. The mail log shows 'status=deferred (mailbox is locked)'. What is the most likely cause?

A.The user's mailbox is currently being accessed by a POP3 client.
B.The filesystem containing the mail spool is out of inodes.
C.The disk quota for the user has been exceeded.
D.The Postfix process lacks write permission to the mailbox.
AnswerA

Concurrent access by a mail client can lock the mailbox file, causing Postfix to defer delivery with 'mailbox is locked'.

Why this answer

The 'mailbox is locked' message in Postfix logs indicates that the mailbox file is currently locked by another process, typically a POP3 or IMAP client that has the mailbox open for exclusive access. Postfix defers delivery because it cannot acquire the necessary lock to write to the mailbox, ensuring data integrity. This is a standard behavior defined by the mailbox locking mechanism (e.g., fcntl, dotlock) used by the MTA and MDA.

Exam trap

The trap here is that candidates confuse 'mailbox is locked' with permission or quota issues, but the lock message specifically points to a concurrent access conflict, not a filesystem or authorization problem.

How to eliminate wrong answers

Option B is wrong because a filesystem out of inodes would produce errors like 'No space left on device' or 'Disk quota exceeded', not a specific 'mailbox is locked' message. Option C is wrong because exceeding disk quota results in 'quota exceeded' errors in the mail log, not a lock-related deferral. Option D is wrong because lack of write permission would cause a 'Permission denied' error, not a lock conflict; Postfix checks permissions before attempting delivery and would log a different error.

18
MCQeasy

A web administrator has installed Apache httpd 2.4 on a Linux server. The default configuration serves files from /var/www/html. When accessing http://server/, the browser shows a directory listing of /var/www/html instead of the index.html file that exists in that directory. The administrator confirms that the user has read permissions on the file and that the file is named index.html. Which directive is most likely missing from the Apache configuration?

A.IndexOptions FancyIndexing
B.DirectoryIndex index.html
C.Options -Indexes
D.Require all granted
AnswerB

Explicitly sets the file to serve when a directory is requested.

Why this answer

The DirectoryIndex directive specifies which file Apache should serve when a client requests a directory (e.g., /). Without it, or if it does not list index.html, Apache falls back to generating a directory listing (if Options +Indexes is enabled) or returns a 403 Forbidden. Since the default configuration for Apache 2.4 includes Options +Indexes and DirectoryIndex index.html, the most likely cause is that the DirectoryIndex directive was removed or overridden in a context (e.g., a <Directory> block) and no longer includes index.html, causing Apache to ignore the file and show the directory listing instead.

Exam trap

The trap here is that candidates often confuse Options +Indexes (which enables directory listings) with the DirectoryIndex directive (which specifies which file to serve instead), leading them to incorrectly choose Options -Indexes as the fix when the real issue is a missing or misconfigured DirectoryIndex.

How to eliminate wrong answers

Option A is wrong because IndexOptions FancyIndexing controls the formatting of directory listings (e.g., icons, column sorting) but does not enable or disable directory listings themselves; it would not cause a directory listing to appear when an index file exists. Option C is wrong because Options -Indexes would disable directory listings entirely, resulting in a 403 Forbidden error, not a directory listing; the problem states a directory listing is shown, so Indexes must be enabled. Option D is wrong because Require all granted controls access permissions (authorization) and would either allow or deny access to the directory; it does not affect whether Apache serves an index file or shows a directory listing.

19
Multi-Selecthard

Which TWO statements are true regarding BIND DNS server security? (Choose two.)

Select 2 answers
A.The 'allow-transfer' ACL is used to restrict which clients can perform recursive queries.
B.The 'allow-recursion' ACL can be used to restrict which clients can use the server's recursive lookup feature.
C.The 'blackhole' ACL can be used to prevent cache poisoning attacks.
D.The 'forwarders' option can be used to disable recursion entirely.
E.The 'allow-query' ACL can be used to restrict which clients can send DNS queries to the server.
AnswersB, E

allow-recursion limits recursive queries to specific clients.

Why this answer

Option B is correct because the 'allow-recursion' ACL in BIND explicitly controls which clients are permitted to use the server's recursive query feature. By restricting recursion to trusted clients, the server avoids being used in amplification attacks and reduces exposure to cache poisoning. This ACL is defined in the options block or per-zone and can reference address match lists or named ACLs.

Exam trap

The trap here is confusing the purpose of 'allow-transfer' (zone transfer restriction) with recursion control, and assuming 'forwarders' disables recursion when it actually just redirects queries to another resolver.

20
MCQeasy

A system administrator notices that external clients cannot resolve the company's primary website (www.example.com) but internal clients can. What is the most likely cause?

A.The internal DNS server is not authoritative for the zone.
B.The firewall is blocking port 53 UDP to the internal DNS server.
C.The external DNS server has a missing A record for www.example.com.
D.The internal DNS server is not configured for recursion.
AnswerC

External clients query the external authoritative server; if the A record is missing, resolution fails.

Why this answer

External clients rely on the external authoritative DNS server. If the A record for www.example.com is missing from that server, external resolution fails. Internal clients use a different DNS server (e.g., internal caching resolver) that may have the record cached or is authoritative for the zone.

Option D is correct because the missing A record on the external authoritative server is the most direct cause. Option A is incorrect because an internal server can be authoritative; the issue is external. Option B is incorrect because firewall blocking port 53 would affect both internal and external clients.

Option C is incorrect because recursion is not required for authoritative resolution.

21
Multi-Selecthard

A mail administrator is configuring Postfix to use SASL authentication for incoming connections. Which THREE parameters must be set in main.cf?

Select 3 answers
A.smtpd_tls_auth_only
B.smtpd_sasl_security_options
C.smtpd_sasl_auth_enable
D.smtp_sasl_auth_enable
E.broken_sasl_auth_clients
AnswersB, C, E

Specifies security options like noanonymous to reject anonymous logins.

Why this answer

B is correct because `smtpd_sasl_security_options` controls which SASL security mechanisms are allowed for the Postfix SMTP server (e.g., `noanonymous` to reject anonymous logins). This parameter is essential for enforcing authentication policy when SASL is enabled.

Exam trap

The trap here is confusing `smtpd_sasl_auth_enable` (server-side) with `smtp_sasl_auth_enable` (client-side), leading candidates to select the wrong parameter for incoming authentication.

22
MCQmedium

Refer to the exhibit. The DNS server at 192.0.2.1 is the primary for example.com. What does the 'lame server' message indicate?

A.The server received a query for an invalid domain.
B.The server is not configured to listen on the querying client's network.
C.The server does not consider itself authoritative for example.com.
D.The server is too busy to answer queries.
AnswerC

The server responded but does not have the zone, hence 'lame'.

Why this answer

A 'lame server' message in DNS indicates that a server has received a query for a domain for which it is configured as a nameserver (e.g., via NS records or delegation), but it does not consider itself authoritative for that domain. In this case, the DNS server at 192.0.2.1 is the primary for example.com, so the message means it is not configured with the zone data or does not have the zone loaded, thus it responds as non-authoritative.

Exam trap

The trap here is that candidates often confuse 'lame server' with a server being unreachable or overloaded, but it specifically refers to a delegation-authority mismatch where the server does not serve the zone it is expected to.

How to eliminate wrong answers

Option A is wrong because a 'lame server' message is not about invalid domains; it occurs when the server is authoritative according to delegation but lacks the zone data. Option B is wrong because the message does not relate to listening interfaces or network configuration; it is a DNS protocol-level error about authority. Option D is wrong because the message is not about server load or busyness; it is a specific DNS error indicating the server is not authoritative for the queried zone.

23
Multi-Selecteasy

Which TWO tools can be used to send test email messages from the command line?

Select 2 answers
A.netcat
B.sendmail
C.mail
D.mutt
E.telnet
AnswersB, C

sendmail can be used to send emails by piping input.

Why this answer

B is correct because the `sendmail` command can be used directly from the command line to inject a test email into the local MTA queue, bypassing a full MUA. It accepts a recipient address and message body via standard input, making it a reliable tool for testing mail delivery without a full mail client.

Exam trap

The trap here is that candidates confuse tools that can manually interact with SMTP (like `netcat` or `telnet`) with tools that are designed to send properly formatted email messages, leading them to select options that require manual protocol steps rather than automated mail injection.

24
MCQmedium

You are the administrator of a medium-sized company that runs its own authoritative DNS servers for the domain 'company.com'. The primary DNS server is a BIND9 master, and there are two slaves. Recently, you updated the zone file on the master to add a new subdomain 'lab.company.com' with an A record pointing to 10.0.0.10. After the update, you increased the serial number and ran 'rndc reload'. However, after several hours, some external clients report that they cannot resolve 'lab.company.com'. You check the master server and find that the zone file contains the new record. You also check the slave servers and find that they still have the old zone data. The serial number on the master is 2025011501, while the slaves show 2025011400. The master's syslog shows no errors. The slaves' syslogs show 'zone company.com/IN: Transfer started.' but no completion messages. Firewall rules allow TCP and UDP port 53 between all DNS servers. What should you do to resolve the issue?

A.Check the 'allow-transfer' ACL on the master; it might be restricting transfers to the slaves.
B.Increase the serial number again on the master to a higher value and wait for the slaves to refresh.
C.Restart the BIND service on the slave servers.
D.Run 'rndc notify company.com' on the master to force sending NOTIFY messages to the slaves.
AnswerD

This will cause the master to send NOTIFY messages to all configured slaves, prompting them to start a zone transfer.

Why this answer

Option D is correct because the master's syslog shows no errors and the slaves' logs indicate a transfer started but never completed, which suggests the NOTIFY messages were sent but the slaves may have missed or ignored them due to a transient issue. Running 'rndc notify company.com' forces the master to re-send NOTIFY messages to all configured slaves, prompting them to initiate a zone transfer immediately, which should update the stale zone data on the slaves.

Exam trap

The trap here is that candidates assume the serial number mismatch alone will eventually trigger a transfer via the slave's refresh timer, but the question emphasizes that hours have passed and the transfer started but never completed, indicating a stalled TCP connection that requires a forced NOTIFY to re-initiate the transfer.

How to eliminate wrong answers

Option A is wrong because the slaves' logs show 'Transfer started', which indicates the master allowed the transfer request; if 'allow-transfer' were blocking, the transfer would not have started at all. Option B is wrong because increasing the serial number again does not address the root cause—the slaves already have a lower serial number and should have initiated a transfer upon receiving a NOTIFY, but the transfer is stalling; a higher serial number will not fix the stalled transfer. Option C is wrong because restarting the BIND service on the slaves is unnecessary and disruptive; the slaves are running and attempting transfers, as shown by the 'Transfer started' logs, so a restart would only temporarily interrupt service without resolving the incomplete transfer.

25
Multi-Selectmedium

Which TWO are best practices for securing an Apache web server?

Select 2 answers
A.Allow directory indexing for ease of navigation.
B.Disable directory listing using Options -Indexes.
C.Use .htaccess files for all access control.
D.Set ServerTokens to Prod to minimize version exposure.
E.Enable mod_info to monitor server status.
AnswersB, D

Prevents directory browsing, reducing information leakage.

Why this answer

Disabling directory listing (Option A) prevents attackers from browsing directory contents. Setting ServerTokens to Prod (Option C) minimizes version exposure in HTTP headers. Option B (mod_info) is not a security practice; it exposes sensitive information.

Option D (directory indexing) is insecure. Option E (using .htaccess for all access control) can degrade performance and is less secure than main configuration directives.

26
MCQeasy

A company has two BIND DNS servers, a primary and a secondary. The secondary fails to receive zone updates. Which command can be used to check if the primary allows zone transfers to the secondary?

A.dig axfr example.com @primary
B.host -l example.com primary
C.dig -x 192.0.2.1 @primary
D.nslookup -type=any example.com primary
AnswerA

dig axfr requests the full zone from the primary, allowing verification of transfer permissions.

Why this answer

The `dig axfr example.com @primary` command performs an AXFR (full zone transfer) request against the primary DNS server. If the primary allows zone transfers to the secondary, the command will return the entire zone file; if it is denied, it will return a 'Transfer failed' or 'refused' message. This directly tests the allow-transfer ACL configuration on the primary, which is the most common cause of secondary servers failing to receive zone updates.

Exam trap

The trap here is that candidates confuse a simple DNS query (like `dig -x` or `nslookup -type=any`) with a zone transfer request, not realizing that only AXFR (or IXFR) can verify whether the primary server is configured to allow the secondary to pull the full zone data.

How to eliminate wrong answers

Option B is wrong because `host -l example.com primary` attempts a zone transfer using the `-l` (list) option, but this command is not universally supported across all BIND versions and may fail or behave inconsistently; `dig axfr` is the standard, reliable tool. Option C is wrong because `dig -x 192.0.2.1 @primary` performs a reverse DNS lookup (PTR record query), not a zone transfer, so it cannot verify whether zone transfers are allowed. Option D is wrong because `nslookup -type=any example.com primary` queries for any record type but does not perform a full zone transfer (AXFR); it only returns individual records, not the entire zone, and thus cannot confirm transfer permissions.

27
MCQhard

A systems administrator is configuring a Postfix mail server to use Dovecot for SASL authentication. The authentication method is set to PLAIN in Dovecot, and Postfix has smtpd_sasl_auth_enable=yes and smtpd_sasl_type=dovecot. Dovecot's auth socket is at /var/run/dovecot/auth-client. The mail logs show repeated "SASL authentication failed" errors for known good credentials. The administrator checks that the socket exists and that Dovecot is running. What is the most likely cause?

A.The smtpd_recipient_restrictions does not include permit_sasl_authenticated.
B.The Dovecot service is not listening on TCP port 143 for IMAP.
C.The mynetworks parameter in Postfix is set incorrectly.
D.The postfix user does not have read permission on the Dovecot auth socket.
AnswerD

The socket file permissions may restrict access to the postfix user, causing authentication failures.

Why this answer

The most likely cause is that the Postfix user (typically 'postfix' or the mail queue owner) lacks read permission on the Dovecot auth socket at /var/run/dovecot/auth-client. Dovecot's SASL authentication via a Unix socket requires the connecting process (Postfix) to have read/write access to that socket file. Even though the socket exists and Dovecot is running, if the permissions are too restrictive (e.g., owned by 'dovecot' with mode 0600), Postfix cannot communicate with Dovecot's auth service, resulting in repeated 'SASL authentication failed' errors despite valid credentials.

Exam trap

The trap here is that candidates assume a running service and existing socket guarantee functionality, overlooking Unix socket permissions and the need for the Postfix process user to have read/write access to the auth socket.

How to eliminate wrong answers

Option A is wrong because permit_sasl_authenticated in smtpd_recipient_restrictions controls whether authenticated clients are allowed to relay mail, not whether authentication itself succeeds; authentication failures occur before this restriction is evaluated. Option B is wrong because Dovecot does not need to listen on TCP port 143 for IMAP to provide SASL authentication to Postfix; Postfix communicates with Dovecot via the local auth socket, not over IMAP. Option C is wrong because mynetworks defines trusted networks for relay control and does not affect SASL authentication; misconfiguration of mynetworks would cause relay access errors, not authentication failures.

28
Multi-Selecthard

A Postfix administrator wants to restrict which clients can relay mail through the server. Which three smtpd restriction lists are typically used for this purpose? (Choose three.)

Select 3 answers
A.smtpd_helo_restrictions
B.smtpd_data_restrictions
C.smtpd_sender_restrictions
D.smtpd_client_restrictions
E.smtpd_recipient_restrictions
AnswersA, D, E

Checks the HELO/EHLO hostname.

Why this answer

A is correct because `smtpd_helo_restrictions` allows the administrator to enforce checks based on the HELO/EHLO hostname presented by the client during the SMTP greeting. By using restrictions like `reject_invalid_helo_hostname` or `reject_non_fqdn_helo_hostname`, the server can block clients that provide suspicious or non-compliant HELO names, which is a common tactic to prevent unauthorized relay attempts.

Exam trap

The trap here is that candidates often confuse `smtpd_sender_restrictions` with relay control, but it only filters based on the sender address, not on whether the client is authorized to relay mail.

29
MCQhard

An organization's Postfix mail server is being used as an open relay. The administrator wants to restrict relaying to only authenticated users from the internal network. Which combination of settings is correct?

A.smtpd_helo_restrictions = permit_sasl_authenticated, reject_unauth_destination
B.smtpd_recipient_restrictions = reject_unauth_destination, permit_mynetworks, permit_sasl_authenticated
C.smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination
D.smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
AnswerD

Allows internal networks and authenticated users before rejecting unauthorized destinations.

Why this answer

Option D is correct because it enforces relaying restrictions in the correct order: first permit mail from trusted internal networks (permit_mynetworks), then permit authenticated users (permit_sasl_authenticated), and finally reject all other unauthorized destinations (reject_unauth_destination). This ensures that only authenticated users or hosts in mynetworks can relay, while blocking open relay attempts from external unauthenticated sources.

Exam trap

The trap here is that candidates often place reject_unauth_destination first to block open relays, forgetting that it must come after permit_mynetworks and permit_sasl_authenticated to avoid blocking legitimate internal or authenticated relays.

How to eliminate wrong answers

Option A is wrong because smtpd_helo_restrictions controls restrictions based on the HELO/EHLO command, not recipient relaying; it does not include permit_mynetworks, so internal hosts would be blocked unless authenticated. Option B is wrong because it places reject_unauth_destination before permit_mynetworks and permit_sasl_authenticated, causing legitimate internal or authenticated relays to be rejected before they are allowed. Option C is wrong because smtpd_client_restrictions only checks the client IP/hostname and does not evaluate SASL authentication or recipient destination, so authenticated users would still be blocked if not in mynetworks.

30
MCQmedium

A company runs a DNS server using BIND9 on a Linux server. The server is configured with two network interfaces: one internal (192.168.1.10) and one external (203.0.113.10). The server is configured to be authoritative for example.com. Internal clients can resolve example.com, but external clients receive "SERVFAIL" responses. The host command from an external client returns "Host not found". The administrator checks the named configuration and finds the following in /etc/bind/named.conf.options: options { directory "/var/cache/bind"; listen-on { 127.0.0.1; 192.168.1.10; 203.0.113.10; }; allow-query { 192.168.1.0/24; }; recursion no; dnssec-validation auto; }; The zone configuration for example.com has proper allow-transfer and allow-update settings. What change should be made to resolve external queries?

A.Add 'recursion yes;' to the options block.
B.Add 'listen-on port 53 { 203.0.113.10; };' to the options block.
C.Change 'allow-query' to '{ any; };'
D.Change 'listen-on' to '{ any; };'
AnswerC

Allows queries from any IP, fixing the external resolution.

Why this answer

The 'allow-query' directive restricts which clients can send queries to the server. With 'allow-query { 192.168.1.0/24; };', only internal clients on that subnet are permitted to query, causing external clients to receive SERVFAIL. Changing it to '{ any; };' allows all clients to query the server, resolving the issue while still keeping recursion disabled for security.

Exam trap

The trap here is that candidates often confuse 'allow-query' with 'listen-on' or 'recursion', assuming the issue is about network binding or recursive resolution rather than the explicit query access control list.

How to eliminate wrong answers

Option A is wrong because enabling recursion ('recursion yes;') would allow the server to perform recursive queries on behalf of external clients, which is unnecessary for authoritative responses and introduces security risks like amplification attacks; the problem is not about recursion but about query permissions. Option B is wrong because 'listen-on' already includes the external IP (203.0.113.10), so adding a separate listen-on statement for port 53 is redundant and does not address the access control issue. Option D is wrong because changing 'listen-on' to '{ any; };' would make the server listen on all interfaces, which is already effectively achieved by listing the specific IPs; the real issue is the restrictive 'allow-query', not the listening interfaces.

31
MCQhard

A BIND9 nameserver is configured with 'allow-transfer { none; };' but a secondary nameserver needs to receive zone transfers. What change must be made on the master?

A.Add a 'masters' statement in the slave's configuration.
B.Set 'allow-transfer' to the secondary's IP.
C.Set 'notify' to yes.
D.Set 'also-notify' to the secondary IP.
AnswerB

allow-transfer specifies which servers are allowed to request zone transfers.

Why this answer

The 'allow-transfer' directive on the master nameserver controls which hosts are permitted to request zone transfers (AXFR/IXFR). Setting it to 'none;' blocks all transfers, so to allow a secondary to receive the zone, you must explicitly list the secondary's IP address in the 'allow-transfer' statement on the master. This is the direct and necessary change to enable zone transfers to that specific slave.

Exam trap

The trap here is that candidates confuse the slave-side 'masters' directive or the notification mechanisms ('notify', 'also-notify') with the actual access control needed on the master to permit the zone transfer itself.

How to eliminate wrong answers

Option A is wrong because 'masters' is a slave-side directive that tells the secondary where to request the zone from; it does not change the master's access control. Option C is wrong because 'notify yes;' is a master-side directive that sends NOTIFY messages to slaves when the zone changes, but it does not override the 'allow-transfer' restriction; the transfer itself will still be denied. Option D is wrong because 'also-notify' specifies additional IPs to send NOTIFY messages to, but like 'notify', it does not grant transfer permission; the secondary must still be allowed by 'allow-transfer'.

32
Multi-Selectmedium

An Apache administrator is troubleshooting a slow website. Which THREE modules could be causing performance issues if misconfigured?

Select 3 answers
A.mod_proxy
B.mod_ssl
C.mod_status
D.mod_include
E.mod_rewrite
AnswersA, B, E

Proxying requests adds network latency and resource usage, especially with backend timeouts.

Why this answer

mod_proxy can cause performance issues if misconfigured because it may create excessive backend connections, fail to reuse connections via KeepAlive, or introduce latency through improper load balancing or reverse proxy caching settings. A common misconfiguration is setting ProxyTimeout too low, causing premature connection drops and retries.

Exam trap

The trap here is that candidates may incorrectly assume mod_status or mod_include are performance-critical modules, when in fact the exam focuses on modules that directly impact request processing throughput and resource consumption under load.

33
MCQeasy

An Apache web server is experiencing high memory usage under heavy load. The administrator wants to reduce the number of idle child processes. Which configuration directive should be adjusted?

A.ServerLimit
B.MaxRequestWorkers
C.KeepAliveTimeout
D.MinSpareThreads
AnswerD

Reducing this value decreases the number of idle threads kept ready, lowering memory usage.

Why this answer

Option D is correct because MinSpareThreads controls the minimum number of idle threads that should be available to handle incoming requests. By reducing this value, the administrator ensures fewer idle child processes are kept running, which lowers memory usage under heavy load. This directive is specific to Apache's worker MPM (Multi-Processing Module) and directly influences the number of spare processes.

Exam trap

The trap here is that candidates often confuse MinSpareThreads with MinSpareServers (prefork MPM) or think that reducing MaxRequestWorkers is the primary way to control memory, when in fact MinSpareThreads directly targets idle process reduction in the worker MPM.

How to eliminate wrong answers

Option A is wrong because ServerLimit sets the maximum number of child processes that can be created, not the number of idle processes; adjusting it upward would allow more processes, worsening memory usage. Option B is wrong because MaxRequestWorkers (formerly MaxClients) limits the total number of concurrent connections (or threads) that can be served, not the number of idle child processes; reducing it would cap overall load but not specifically target idle processes. Option C is wrong because KeepAliveTimeout controls how long an idle keep-alive connection is kept open before closing, which affects connection reuse but does not directly reduce the number of idle child processes; it can actually increase idle processes if set too high.

34
MCQmedium

Refer to the exhibit. A DNS query for 'ftp.example.com' returns NXDOMAIN. What configuration change would best resolve this?

A.Add a CNAME record for ftp pointing to www.example.com.
B.Increase the serial number in the SOA record.
C.Ensure recursion is enabled on the server.
D.Add an A record for ftp pointing to an IP address.
AnswerD

Adding an A record directly answers the query for ftp.example.com.

Why this answer

An NXDOMAIN response means the queried domain name does not exist in the zone. To resolve 'ftp.example.com', a DNS record must be created that maps the name to an IP address. Option D adds an A record, which directly provides the IPv4 address for the host, making the query succeed.

Exam trap

The trap here is that candidates may confuse NXDOMAIN with a server configuration issue (like recursion) or think that a CNAME can substitute for a missing A record, but NXDOMAIN specifically means the name is absent from the zone, requiring a direct resource record addition.

How to eliminate wrong answers

Option A is wrong because a CNAME record creates an alias, but the target 'www.example.com' must itself resolve to an IP address; if 'ftp.example.com' does not exist at all, a CNAME does not create the required A record and may still result in NXDOMAIN if the target is also missing. Option B is wrong because increasing the serial number in the SOA record only triggers zone transfers and does not add any missing resource records; it has no effect on the existence of 'ftp.example.com'. Option C is wrong because recursion is a server setting that allows the DNS server to query other servers on behalf of clients; it does not add missing records to the zone, and NXDOMAIN is returned when the authoritative server has no record for the name, regardless of recursion.

35
MCQhard

A company is migrating from Apache HTTPD 2.2 to 2.4 and needs to configure SSL for a virtual host. The administrator wants to use modern security practices. Which of the following configurations is the most secure and recommended for Apache 2.4?

A.SSLEngine on; SSLProtocol -SSLv2 -SSLv3; SSLCipherSuite MEDIUM:!aNULL
B.SSLEngine on; SSLProtocol TLSv1.2 TLSv1.3; SSLCipherSuite ECDHE+AESGCM
C.SSLEngine on; SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1; SSLCipherSuite HIGH:!aNULL:!MD5
D.SSLEngine on; SSLProtocol all; SSLCipherSuite DEFAULT
AnswerC

Disables all insecure protocols and uses a strong, widely compatible cipher suite.

Why this answer

Option C is correct because it explicitly enables only TLS 1.2 and TLS 1.3 (by disabling SSLv3, TLSv1.0, and TLSv1.1) and uses the HIGH cipher suite with exclusion of aNULL (anonymous NULL ciphers) and MD5 (weak hash). This aligns with modern security standards (e.g., PCI DSS, NIST) and Apache 2.4's recommended hardening practices, avoiding deprecated protocols and weak ciphers.

Exam trap

The trap here is that candidates often choose Option B because they think specifying only TLSv1.2 and TLSv1.3 is sufficient, but they overlook that 'ECDHE+AESGCM' is not a complete cipher string and fails to exclude weak ciphers like those with MD5 or anonymous key exchange, which Apache will still negotiate if not explicitly denied.

How to eliminate wrong answers

Option A is wrong because it uses 'MEDIUM:!aNULL' which includes ciphers of only medium strength (e.g., 128-bit) and does not explicitly disable TLSv1.0 or TLSv1.1, leaving older, less secure protocols enabled; also, it lacks explicit TLSv1.2/TLSv1.3 support. Option B is wrong because 'ECDHE+AESGCM' is not a valid SSLCipherSuite syntax in Apache — it should use OpenSSL cipher string format like 'ECDHE+AESGCM:!aNULL:!MD5' and it omits disabling older protocols beyond TLSv1.2/TLSv1.3 (though it does specify them, it fails to exclude weak ciphers like those with MD5 or anonymous DH). Option D is wrong because 'SSLProtocol all' enables all protocols including SSLv2, SSLv3, TLSv1.0, and TLSv1.1, which are insecure; 'SSLCipherSuite DEFAULT' uses Apache's default cipher list, which may include weak or deprecated ciphers (e.g., RC4, 3DES) and does not enforce modern security.

36
MCQmedium

A company uses BIND9 as the authoritative name server for its public zone example.com. External users report that they cannot resolve the MX record for the domain, but internal users can. What is the most likely cause?

A.The zone file lacks an MX record.
B.The allow-query ACL restricts queries to the internal network.
C.The server is behind a firewall that blocks UDP port 53.
D.The recursion is set to no.
AnswerB

If allow-query limits to internal IPs, external queries are rejected, causing resolution failures for external users.

Why this answer

Option B is correct because the allow-query ACL in BIND9 restricts which source IP addresses are permitted to send queries to the server. If it is set to allow only the internal network (e.g., 192.168.0.0/16), external users' queries are rejected, causing resolution failures for MX records and all other records. Internal users succeed because their IPs match the ACL, while external users receive a REFUSED response or no answer.

Exam trap

The trap here is that candidates often confuse allow-query (which controls who can send queries) with allow-transfer (zone transfers) or recursion settings, or they assume a missing record is the cause when the symptom is selective failure based on client location.

How to eliminate wrong answers

Option A is wrong because if the zone file lacked an MX record, internal users would also fail to resolve it, but the problem states internal users can resolve it. Option C is wrong because a firewall blocking UDP port 53 would prevent all DNS traffic (both internal and external) from reaching the server, yet internal users succeed. Option D is wrong because setting recursion to no only prevents the server from performing recursive queries on behalf of clients; it does not affect the server's ability to answer authoritative queries for its own zones, such as the MX record for example.com.

37
MCQmedium

A company wants to host multiple websites on a single Apache server with different domain names. Which approach is most appropriate?

A.Name-based virtual hosting
B.IP-based virtual hosting
C.Port-based virtual hosting
D.Using mod_rewrite for each domain
AnswerA

Allows multiple domain names on a single IP/port using the Host header.

Why this answer

Name-based virtual hosting allows a single Apache server to serve multiple websites using the same IP address and port by relying on the HTTP Host header sent by the client. This is the most efficient and commonly used method for hosting multiple domains on one server, as it conserves IP addresses and requires minimal configuration via the `<VirtualHost *:80>` directive.

Exam trap

The trap here is that candidates often confuse name-based virtual hosting with IP-based hosting, assuming each domain needs its own IP address, or mistakenly think mod_rewrite can handle domain routing without virtual host containers.

How to eliminate wrong answers

Option B is wrong because IP-based virtual hosting requires a separate IP address for each domain, which is wasteful and often impractical given IPv4 address scarcity. Option C is wrong because port-based virtual hosting uses different TCP ports (e.g., 8080, 8081) for each site, which is not user-friendly as users would need to specify non-standard ports in URLs. Option D is wrong because mod_rewrite is a URL rewriting engine, not a virtual hosting mechanism; it cannot serve different content based solely on the domain name without additional virtual host containers.

38
MCQhard

Refer to the exhibit. What is the most likely cause of this Apache error?

A.The filesystem containing the logs is full.
B.The server is out of memory.
C.The semaphore limit for the Apache user is exceeded.
D.The RewriteMap file specified is missing.
AnswerC

Apache uses semaphores for lock files; exhausting semaphore limits causes this error.

Why this answer

The Apache error 'semaphore limit exceeded' occurs when the number of semaphores allocated to the Apache user exceeds the system-wide or per-user semaphore limit. Apache uses semaphores for inter-process communication (IPC) in its prefork or worker MPMs to coordinate child processes. The correct answer is C because this error directly indicates that the kernel's semaphore limits (e.g., `SEMMSL`, `SEMMNS`, or `SEMOPM` in `/proc/sys/kernel/sem`) have been exhausted for the Apache user, often due to too many child processes or a misconfigured `MaxClients` directive.

Exam trap

The trap here is that candidates often confuse semaphore errors with disk space or memory issues, but LPIC-2 specifically tests knowledge of IPC resource limits and their impact on Apache MPM behavior.

How to eliminate wrong answers

Option A is wrong because a full filesystem containing logs would typically produce 'No space left on device' errors in Apache's error_log, not a semaphore-related error. Option B is wrong because out-of-memory conditions usually manifest as 'Cannot allocate memory' or 'fork: Cannot allocate memory' errors, not semaphore limit errors. Option D is wrong because a missing RewriteMap file would generate a configuration parsing error or 'RewriteMap: cannot open file' message during Apache startup or reload, not a runtime semaphore error.

39
Multi-Selecteasy

Which two commands can be used to trace the delegation path of a DNS domain? (Choose two.)

Select 2 answers
A.dig +trace
B.nslookup -type=any
C.host -C
D.dig -x
E.whois
AnswersA, C

dig +trace follows the delegation chain from root servers.

Why this answer

The `dig +trace` command performs a full iterative DNS resolution from the root nameservers down to the authoritative nameservers for the queried domain, showing each delegation step. The `host -C` command queries the SOA record and displays the authoritative nameservers for the domain, which can be used to trace the delegation chain. Both commands reveal the hierarchical delegation path of a DNS domain.

Exam trap

The trap here is that candidates often confuse `nslookup -type=any` with a delegation tracing tool, but it only returns all records from the resolver's cache without following the delegation chain, and `dig -x` is mistakenly thought to trace something because of the 'trace' keyword in the option.

Ready to test yourself?

Try a timed practice session using only DNS, Web and Mail Services questions.