Google Cloud Professional Cloud Security Engineer Practice Exam

Which solution should a customer use to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack?

• A. DNS Security Extensions
• B. Firewall Rules
• C. Cloud Security Scanner
• D. Identity-Aware Proxy

The correct answer is: DNS Security Extensions

Choosing DNS Security Extensions (DNSSEC) is the optimal solution for preventing attackers from hijacking a domain or IP and redirecting users to a malicious site via a man-in-the-middle attack. DNSSEC enhances the security of the Domain Name System (DNS) by adding a layer of authentication to ensure that the responses to DNS queries are verified and originate from legitimate sources. By signing DNS records with cryptographic keys, DNSSEC helps to prevent unauthorized modifications to DNS data, ensuring that users are directed to the correct IP addresses associated with a domain. This protection is crucial in mitigating risks associated with man-in-the-middle attacks, where an attacker could intercept DNS queries and provide false responses, leading users to malicious sites. In contrast, while firewall rules provide essential network defense by controlling incoming and outgoing traffic based on predetermined security rules, they do not specifically address DNS security or prevent DNS spoofing. Similarly, a cloud security scanner is designed to identify vulnerabilities in applications and services, focusing on the security posture of cloud resources rather than protecting against DNS-related threats. An Identity-Aware Proxy serves to manage and secure user access to applications based on user identity, but it does not address the core issue of domain hijacking and DNS integrity. Thus, DNS Security