AWS Certified Advanced Networking – Specialty ANS-C00 – Question382

A company wants to enforce a compliance requirement that its Amazon EC2 instances use only on-premises DNS servers for name resolution. Outbound DNS requests to all other name servers must be denied. A network engineer configures the following set of outbound rules for a security group:

The network engineer discovers that the EC2 instances are still able to resolve DNS requests by using Amazon DNS servers inside the VPC.
Why is the solution failing to meet the compliance requirement?

A. The security group cannot filter outbound traffic to the Amazon DNS servers.
B. The security group must have inbound rules to prevent DNS requests from coming back to EC2 instances.
C. The EC2 instances are using the HTTPS port to send DNS queries to Amazon DNS servers.
D. The security group cannot filter outbound traffic to destinations within the same VPC.

Correct Answer: C

Explanation:
If you’ve set up your EC2 instance as a DNS server, you must ensure that TCP and UDP traffic can reach your DNS server over port 53.
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html