
Amazon ANS-C01 Exam - Topic 2 Question 59 Discussion

A company is using Amazon Route 53 Resolver DNS Firewall in a VPC to block all domains except domains that are on an approved list. The company is concerned that if DNS Firewall is unresponsive, resources in the VPC might be affected if the network cannot resolve any DNS queries. To maintain application service level agreements, the company needs DNS queries to continue to resolve even if Route 53 Resolver does not receive a response from DNS Firewall.

Which change should a network engineer implement to meet these requirements?

A) Update the DNS Firewall VPC configuration to disable fail open for the VPC.
B) Update the DNS Firewall VPC configuration to enable fail open for the VPC.
C) Create a new DHCP options set with parameter dns_firewall_fail_open=false. Associate the new DHCP options set with the VPC.
D) Create a new DHCP options set with parameter dns_firewall_fail_open=true. Associate the new DHCP options set with the VPC.

Actual exam question for Amazon's ANS-C01 exam
Question #: 59
Topic #: 2

Suggested Answer: B
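As an added example that is not part of the exam page, the following pure-Python audit works over the response shape of the Route 53 Resolver ListFirewallConfigs API (one entry per VPC with its FirewallFailOpen state) and builds the UpdateFirewallConfig parameters that implement answer B for every VPC still failing closed. The sample response, account id and VPC ids are constructed so it runs offline.

```python
"""Audit and remediate Route 53 Resolver DNS Firewall fail-open per VPC.

Added example, not from the exam page. It operates on the response shape of
the Route 53 Resolver ListFirewallConfigs API, where every entry names a VPC
(ResourceId) and its FirewallFailOpen state ('ENABLED' or 'DISABLED'), and
builds the UpdateFirewallConfig parameters that enable fail open as answer B
describes. The sample response, account id and VPC ids below are constructed.
"""
from typing import Dict, List

# Constructed sample in the shape of a ListFirewallConfigs response.
SAMPLE_LIST_FIREWALL_CONFIGS: Dict = {
    "FirewallConfigs": [
        {"Id": "rslvr-fc-example1", "ResourceId": "vpc-0aaa111", "OwnerId": "123456789012", "FirewallFailOpen": "DISABLED"},
        {"Id": "rslvr-fc-example2", "ResourceId": "vpc-0bbb222", "OwnerId": "123456789012", "FirewallFailOpen": "ENABLED"},
        {"Id": "rslvr-fc-example3", "ResourceId": "vpc-0ccc333", "OwnerId": "123456789012", "FirewallFailOpen": "DISABLED"},
    ]
}


def vpcs_failing_closed(response: Dict) -> List[str]:
    """VPCs whose DNS Firewall fails closed: a firewall outage would leave their queries unresolved."""
    return [
        cfg["ResourceId"]
        for cfg in response.get("FirewallConfigs", [])
        if cfg.get("FirewallFailOpen") != "ENABLED"
    ]


def update_firewall_config_params(vpc_id: str, fail_open: bool) -> Dict[str, str]:
    """Keyword arguments for boto3 route53resolver.update_firewall_config()."""
    return {"ResourceId": vpc_id, "FirewallFailOpen": "ENABLED" if fail_open else "DISABLED"}


def plan_remediation(response: Dict, fail_open: bool) -> List[Dict[str, str]]:
    """One UpdateFirewallConfig call per VPC whose current state differs from the target."""
    target = "ENABLED" if fail_open else "DISABLED"
    return [
        update_firewall_config_params(cfg["ResourceId"], fail_open)
        for cfg in response.get("FirewallConfigs", [])
        if cfg.get("FirewallFailOpen") != target
    ]


if __name__ == "__main__":
    # Dry run against the constructed sample; in a live account replace it with
    # boto3.client("route53resolver").list_firewall_configs().
    for params in plan_remediation(SAMPLE_LIST_FIREWALL_CONFIGS, fail_open=True):
        print("update_firewall_config(**%r)" % params)
```

Enabling fail open keeps resolution working while the firewall is unreachable, at the cost of the approved-list filter not being applied for the duration of that outage.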

Contribute your Thoughts:

Lucina
1 month ago
But what about option D? It seems safer.
upvoted 0 times
...
Elena
1 month ago
I agree, fail open is crucial for uptime.
upvoted 0 times
...
Vannessa
1 month ago
It allows DNS queries to resolve even if the firewall fails.
upvoted 0 times
...
Lavera
2 months ago
Why B?
upvoted 0 times
...
Vannessa
2 months ago
I think option B is the best.
upvoted 0 times
...
Danilo
2 months ago
I heard fail open can lead to security issues, not sure about that.
upvoted 0 times
...
Alexia
2 months ago
Disabling fail open sounds risky to me.
upvoted 0 times
...
Merrilee
2 months ago
Wait, does fail open really mean it will just allow all DNS?
upvoted 0 times
...
Jess
3 months ago
Totally agree, fail open keeps things running!
upvoted 0 times
...
Shaniqua
3 months ago
I think enabling fail open is the way to go.
upvoted 0 times
...
Dierdre
3 months ago
I'm going with B) to keep the network up and running even if the firewall is down.
upvoted 0 times
...
Francoise
3 months ago
B) Definitely the best option to maintain application SLAs.
upvoted 0 times
...
Lyda
4 months ago
Haha, "dns_firewall_fail_open" sounds like a setting straight out of a sci-fi movie!
upvoted 0 times
...
Avery
4 months ago
D) Creating a DHCP options set with dns_firewall_fail_open=true is the way to go.
upvoted 0 times
...
Lezlie
4 months ago
B) Seems like the right choice to enable fail open and ensure DNS queries can still be resolved.
upvoted 0 times
...
Elmira
4 months ago
I’m leaning towards option B, but I need to double-check if that really aligns with maintaining service level agreements.
upvoted 0 times
...
Jacquelyne
4 months ago
I think enabling fail open would allow DNS queries to resolve even if the firewall is down, but I’m not 100% confident.
upvoted 0 times
...
Helaine
5 months ago
This question feels familiar; I think we practiced something similar about DNS failover strategies in class.
upvoted 0 times
...
Rusty
5 months ago
I remember studying the fail open concept, but I'm not entirely sure if enabling it is the right move here.
upvoted 0 times
...
Lai
5 months ago
Hmm, I'm a little unsure about this one. The question mentions the company wants to block all domains except the approved list, but it also says they need the DNS queries to continue resolving if the Firewall doesn't respond. I'm not sure if disabling or enabling fail open is the better approach to balance those needs.
upvoted 0 times
...
Shenika
5 months ago
I'm pretty confident that option B is the right answer here. Enabling fail open for the DNS Firewall VPC configuration will ensure that DNS queries can still resolve even if the Firewall is unresponsive, which meets the requirement to maintain application service level agreements.
upvoted 0 times
...
Millie
5 months ago
Okay, let me think this through. If we enable fail open, that means the DNS queries will still resolve even if the Firewall doesn't respond. But that goes against the requirement to block all unapproved domains. I think the better option is to disable fail open, so the Firewall has to respond before the queries can resolve.
upvoted 0 times
...
Pura
5 months ago
Hmm, I'm a bit confused. The question says the company is concerned about the impact if the DNS Firewall is unresponsive, but it also says they want to block all domains except the approved list. I'm not sure which option would best balance those requirements.
upvoted 0 times
...
Derick
6 months ago
I think the key here is to maintain application service level agreements, so the DNS queries need to continue resolving even if the Route 53 Resolver doesn't get a response from the DNS Firewall. That sounds like we want the fail open option.
upvoted 0 times
...
