Amazon ANS-C01 Exam - Topic 2 Question 59 Discussion

Actual exam question for Amazon's ANS-C01 exam
Question #: 59
Topic #: 2

A company is using Amazon Route 53 Resolver DNS Firewall in a VPC to block all domains except domains that are on an approved list. The company is concerned that if DNS Firewall is unresponsive, resources in the VPC might be affected if the network cannot resolve any DNS queries. To maintain application service level agreements, the company needs DNS queries to continue to resolve even if Route 53 Resolver does not receive a response from DNS Firewall.

Which change should a network engineer implement to meet these requirements?

Suggested Answer: B

Contribute your Thoughts:

Lyda
3 days ago
Haha, "dns_firewall_fail_open" sounds like a setting straight out of a sci-fi movie!
upvoted 0 times
...
Avery
8 days ago
D) Creating a DHCP options set with dns_firewall_fail_open=true is the way to go.
upvoted 0 times
...
Lezlie
13 days ago
B) Seems like the right choice to enable fail open and ensure DNS queries can still be resolved.
upvoted 0 times
...
Elmira
19 days ago
I’m leaning towards option B, but I need to double-check if that really aligns with maintaining service level agreements.
upvoted 0 times
...
Jacquelyne
24 days ago
I think enabling fail open would allow DNS queries to resolve even if the firewall is down, but I’m not 100% confident.
upvoted 0 times
...
Helaine
29 days ago
This question feels familiar; I think we practiced something similar about DNS failover strategies in class.
upvoted 0 times
...
Rusty
1 month ago
I remember studying the fail open concept, but I'm not entirely sure if enabling it is the right move here.
upvoted 0 times
...
Lai
1 month ago
Hmm, I'm a little unsure about this one. The question mentions the company wants to block all domains except the approved list, but it also says they need the DNS queries to continue resolving if the Firewall doesn't respond. I'm not sure if disabling or enabling fail open is the better approach to balance those needs.
upvoted 0 times
...
Shenika
1 month ago
I'm pretty confident that option B is the right answer here. Enabling fail open for the DNS Firewall VPC configuration will ensure that DNS queries can still resolve even if the Firewall is unresponsive, which meets the requirement to maintain application service level agreements.
upvoted 0 times
...
Millie
2 months ago
Okay, let me think this through. If we enable fail open, that means the DNS queries will still resolve even if the Firewall doesn't respond. But that goes against the requirement to block all unapproved domains. I think the better option is to disable fail open, so the Firewall has to respond before the queries can resolve.
upvoted 0 times
...
Pura
2 months ago
Hmm, I'm a bit confused. The question says the company is concerned about the impact if the DNS Firewall is unresponsive, but it also says they want to block all domains except the approved list. I'm not sure which option would best balance those requirements.
upvoted 0 times
...
Derick
2 months ago
I think the key here is to maintain application service level agreements, so the DNS queries need to continue resolving even if the Route 53 Resolver doesn't get a response from the DNS Firewall. That sounds like we want the fail open option.
upvoted 0 times
...
