Quiz: DNS, Email, and Web Security

A 26-question self-check covering DNS abuse and hardening, email authentication, and web security headers. Questions tagged [Sec+] map to CompTIA Security+ and [CISSP] to the (ISC)² CISSP, so certification candidates can self-assess. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] Which property does DNSSEC provide? A. confidentiality of DNS queries B. integrity and origin authentication of DNS answers C. encryption of the DNS channel D. protection against typosquatting

2. An attacker encodes stolen data into the subdomain labels of DNS queries to smuggle it out through a firewall that permits port 53. This is: A. cache poisoning B. DNS tunneling/exfiltration C. a domain generation algorithm D. an evil twin

3. [Sec+] Which email standard cryptographically signs a message so that tampering and origin can be verified, and survives forwarding? A. SPF B. DKIM C. DMARC D. HSTS

4. SPF authenticates the: A. visible From: header B. message body C. envelope sender (MAIL FROM / Return-Path) D. DKIM selector

5. [CISSP] A DMARC policy of p=none: A. rejects all failing mail B. quarantines failing mail C. takes no action but collects reports D. is invalid

6. The DMARC concept that requires the SPF- or DKIM-authenticated domain to match the visible From: domain is called: A. alignment B. selector C. delegation D. enforcement

7. [Sec+] Which HTTP response header instructs a browser to use HTTPS only and refuse plain HTTP for a set duration? A. Content-Security-Policy B. X-Frame-Options C. Strict-Transport-Security D. Referrer-Policy

8. A burst of NXDOMAIN responses from a single host is the characteristic log signature of: A. DNS tunneling B. a domain generation algorithm (DGA) C. cache poisoning D. SSL stripping

9. [Sec+] Business email compromise (BEC) is dangerous primarily because it: A. always carries ransomware B. exploits a TLS flaw C. often contains no malware or link, weaponizing trust and urgency D. requires DNSSEC to succeed

10. Which cookie attribute prevents JavaScript from reading a session cookie, blunting theft via XSS? A. Secure B. HttpOnly C. SameSite D. Path

11. [CISSP] A DNS sinkhole is best described as a control that is: A. only preventive B. only detective C. both preventive and detective D. neither

12. The SPF mechanism that means "reject everything not listed" is: A. ~all B. ?all C. +all D. -all

13. [Sec+] Which technology provides confidentiality for DNS lookups (hiding which sites you query)? A. DNSSEC B. DNS over HTTPS (DoH) / DNS over TLS (DoT) C. SPF D. a DNS sinkhole

14. A secure email gateway rewrites URLs in inbound mail so they are re-checked at click time. This defends against: A. SPF failures B. attackers who weaponize a link after it passes the initial delivery scan C. DNSSEC misconfiguration D. clickjacking

15. [CISSP] Targeted phishing tailored to a specific individual using researched details is called: A. spam B. spear-phishing C. smishing D. a watering-hole attack


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

16. "Publishing a DMARC record at p=none protects your domain from being spoofed."

17. [Sec+] "DNSSEC encrypts your DNS traffic so your ISP cannot see which sites you visit."

18. "SPF alone is enough to stop an attacker who displays From: ceo@meridianbank.example."

19. "An organization that does not log DNS queries is blind to a major class of attack telemetry."

20. "HSTS with preload protects even the user's very first visit to a site."


Section 3 — Fill in the blank (1 pt each)

21. The three email-authentication standards, in deployment order, are ______, ______, and ______.

22. [Sec+] DKIM survives mail forwarding because the cryptographic proof travels ______, whereas SPF fails after forwarding because it checks the ______.

23. A DMARC aggregate report is simultaneously an intrusion-detection feed and a ______ audit (it reveals your own broken legitimate mail streams).

24. The HTTP header that restricts which sources of scripts a browser will execute, mitigating cross-site scripting, is the ______.


Section 4 — Short answer (2 pts each)

25. [CISSP] Meridian's CISO asks why the email team must spend three weeks at DMARC p=none before moving to p=reject. Explain in two or three sentences what that monitoring phase accomplishes and what specific failure skipping it would cause.

26. Recall the Chapter 1 phishing near-miss, in which the attacker impersonated a third-party title company (not Meridian itself). In two or three sentences, explain why Meridian's own SPF/DKIM/DMARC at p=reject would not have blocked that specific message, and name two other controls from this chapter that would have helped.


Answer Key

1. **B** — DNSSEC provides integrity/origin authentication, not confidentiality.

2. **B** — data in subdomain labels over port 53 is tunneling/exfiltration.

3. **B** — DKIM signs and survives forwarding.

4. **C** — SPF checks the envelope sender, not the visible `From:`.

5. **C** — `p=none` is monitor-only.

6. **A** — alignment ties authentication to the visible `From:`.

7. **C** — `Strict-Transport-Security` is HSTS.

8. **B** — DGAs cause NXDOMAIN bursts as malware cycles unregistered candidates.

9. **C** — BEC weaponizes trust/urgency, often with no malware.

10. **B** — `HttpOnly` hides the cookie from JavaScript.

11. **C** — a sinkhole blocks the callback (preventive) and identifies the infected host (detective).

12. **D** — `-all` is hard fail.

13. **B** — DoH/DoT encrypt the query channel.

14. **B** — click-time URL re-checking catches links weaponized after delivery.

15. **B** — spear-phishing is targeted.

16. **F** — `p=none` only collects reports; it provides no protection. The control takes effect at quarantine/reject.

17. **F** — DNSSEC provides integrity, not confidentiality/encryption; DoH/DoT does that.

18. **F** — without DMARC alignment, an attacker can pass SPF for a domain they control while displaying the bank's `From:`.

19. **T** — DNS touches nearly every attack phase; without query logs the defender loses tunneling, DGA, and C2-callback signals.

20. **T** — `preload` bakes the HTTPS-only rule into the browser ahead of any visit, closing the first-request gap that `max-age` leaves.

21. SPF; DKIM; DMARC.

22. with the message (in the signed headers); envelope sender / sending IP.

23. mail-hygiene (mail-authentication) audit.

24. Content-Security-Policy (CSP).

25. The `p=none` phase collects aggregate reports that reveal every legitimate sender (marketing, helpdesk, branch systems) currently failing SPF/DKIM, so you can fix them; skipping it and going straight to `p=reject` causes receivers to reject that legitimate mail, taking down your own newsletters and notifications.

26. Meridian cannot publish DNS authentication records for a domain it does not own, so a third-party impersonation is unaffected by Meridian's own DMARC; controls that would help include inbound DMARC verification (checking the title company's real domain, if it publishes DMARC), the secure email gateway weighing the freshly registered look-alike domain's poor reputation and rewriting the URL, and the phishing-resistant authentication (Chapter 16) that actually stopped the credential theft.

**Topics to review by question:** missed 1, 6, 17 → §9.2/§9.4 (DNSSEC vs DMARC, alignment); 2, 8, 13, 19, 27-style → §9.1/§9.6; 3, 4, 5, 12, 16, 18, 21, 22, 25 → §9.4; 7, 10, 20, 24 → §9.5; 9, 14, 15, 26 → §9.3 and the Chapter 1 callback.
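The answers to questions 6, 16, 18 and 22 all hinge on one mechanism: DMARC passes only when SPF or DKIM passes *and* the authenticated domain aligns with the visible `From:` domain, and the disposition then depends on the published `p=` tag. The following is an added example, not part of the quiz or its answer key, that models that decision on constructed inputs: the spoof from question 18 (SPF passes for an attacker-owned domain, nothing aligns), the same spoof under `p=none` (question 16), and forwarded legitimate mail where SPF breaks but DKIM still aligns (question 22). The function names, the `AuthResults` shape and the sample domains are assumptions of the example; the organizational-domain shortcut (last two labels) is a simplification of the Public Suffix List rule real verifiers use.

```python
"""Minimal DMARC alignment and disposition check (added example, not a real verifier)."""
from dataclasses import dataclass


@dataclass
class AuthResults:
    """What the receiving MTA already established before DMARC is applied (assumed shape)."""
    from_domain: str   # domain in the visible RFC 5322 From: header
    spf_result: str    # "pass", "fail" or "none" for the envelope sender (MAIL FROM)
    spf_domain: str    # domain the SPF check was run against (MAIL FROM / Return-Path)
    dkim_result: str   # "pass", "fail" or "none" for the DKIM signature
    dkim_domain: str   # d= tag of the verified DKIM signature ("" if unsigned)


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real DMARC uses the Public Suffix List; this shortcut is an assumption of the
    example and mishandles multi-label suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment matches organizational domains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(r: AuthResults, record: dict) -> tuple:
    """Return (dmarc_pass, disposition).

    DMARC passes if SPF or DKIM both passed AND is aligned with the visible From: domain.
    A passing message is delivered normally; a failing one receives the domain's
    requested policy: none (monitor only), quarantine, or reject."""
    spf_aligned_pass = r.spf_result == "pass" and aligned(
        r.spf_domain, r.from_domain, record.get("aspf", "r"))
    dkim_aligned_pass = r.dkim_result == "pass" and aligned(
        r.dkim_domain, r.from_domain, record.get("adkim", "r"))
    passed = spf_aligned_pass or dkim_aligned_pass
    disposition = "none" if passed else record.get("p", "none")
    return passed, disposition


# Constructed sample inputs (not real DNS records or mail).
REJECT_RECORD = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@meridianbank.example")
MONITOR_RECORD = parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc@meridianbank.example")

# Question 18: SPF passes for a domain the attacker controls while the bank's
# From: is displayed. Neither SPF nor DKIM aligns, so DMARC fails.
SPOOFED = AuthResults("meridianbank.example", "pass", "attacker-owned.example", "none", "")

# Question 22: legitimate mail relayed through a forwarder. SPF now fails because
# the forwarder's IP is not in the bank's SPF record, but the DKIM signature
# travelled with the message and still aligns, so DMARC passes.
FORWARDED = AuthResults("meridianbank.example", "fail", "forwarder.example", "pass", "meridianbank.example")


def run_samples() -> dict:
    """Evaluate the constructed cases; keys name the scenario, values are (pass, disposition)."""
    return {
        "spoof_under_reject": dmarc_evaluate(SPOOFED, REJECT_RECORD),
        "spoof_under_none": dmarc_evaluate(SPOOFED, MONITOR_RECORD),
        "forwarded_under_reject": dmarc_evaluate(FORWARDED, REJECT_RECORD),
    }


if __name__ == "__main__":
    for name, (ok, action) in run_samples().items():
        print(f"{name}: dmarc_pass={ok} disposition={action}")
```

Running it shows the spoof rejected under `p=reject` but merely reported under `p=none`, which is the point of question 16, and the forwarded message passing on DKIM alone, which is the point of question 22. Switching `adkim=s` in the record would make a signature from `mail.meridianbank.example` fail strict alignment against a bare `meridianbank.example` `From:`, one of the legitimate-stream breakages the `p=none` monitoring phase in question 25 exists to surface.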