PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free LPIC-2 202-450 Practice Questions

Pass your LPIC-2 Linux Engineer — Exam 202 (202-450) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
Not publicly disclosed Pass Rate
100+ Questions
100% Free

Loading practice questions...

Same family resources

Explore More Linux Professional Institute Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

LPI BSD Specialist (702-100)

Practice Questions

LPI DevOps Tools Engineer (701-100)

Practice Questions

LPI Linux Essentials (010-160)

Practice Questions

LPI Open Source Essentials (050-100)

Practice Questions

LPI Security Essentials (020-100)

Practice Questions

LPI Web Development Essentials (030-100)

Practice Questions
2026 Statistics

Key Facts: LPIC-2 202-450 Exam

60

Exam Questions

LPI

500/800

Passing Score (scaled)

LPI

90 min

Exam Duration

LPI

$200

Exam Fee (USD)

LPI Marketplace

LPIC-1

Prerequisite

Required for LPIC-2 award

5 years

Validity

Recertification required

LPIC-2 Exam 202-450 has 60 questions in 90 minutes with a 500-of-800 scaled passing score. Active LPIC-1 is required. Topic weights: Domain Name Server (8), HTTP Services (11), File Sharing (8), Network Client Management (11), E-Mail Services (8), and System Security (14 — the largest). Scenario-style items: writing a BIND zone file, configuring Apache vhosts and mod_ssl, exporting /etc/exports for NFS, joining a Samba domain, building an OpenLDAP slapd config, hardening Postfix, writing iptables/nftables rules, and configuring OpenVPN tunnels. Exam fee $200 USD. Combined with 201-450 to earn LPIC-2.

Sample LPIC-2 202-450 Practice Questions

Try these sample questions to test your LPIC-2 202-450 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1Which file is the main configuration for the BIND name server (named) on most distributions?
A./etc/named.conf
B./etc/bind/named.conf
C.Both A (RHEL) and B (Debian)
D./etc/bind.conf
Explanation: RHEL/Fedora install BIND configs at /etc/named.conf with zone files in /var/named/. Debian/Ubuntu use /etc/bind/named.conf with zones in /etc/bind/ or /var/lib/bind/. Both define options{}, zone{}, controls{}, logging{} blocks. /etc/bind.conf is not standard.
2Which DNS record type maps a hostname to an IPv4 address?
A.A
B.AAAA
C.CNAME
D.PTR
Explanation: A records map a name to an IPv4 address. AAAA maps to IPv6. CNAME aliases a name to another name. PTR provides reverse lookups (IP→name). Other common types: MX (mail exchanger), TXT (arbitrary text, includes SPF/DMARC), NS (name server), SOA (start of authority), SRV (service location).
3Which DNS record type maps an IP address back to a hostname for reverse lookups?
A.PTR
B.A
C.MX
D.SOA
Explanation: PTR (Pointer) records live in reverse zones (e.g., 1.0.168.192.in-addr.arpa for 192.168.0.1). dig -x <ip> queries reverse. SOA defines a zone's authority. MX defines mail servers. A is forward IPv4.
4Which BIND zone type configures a server as the authoritative primary for a domain?
A.type master (or 'primary' in newer BIND)
B.type slave (or 'secondary')
C.type forward
D.type hint
Explanation: type master (BIND 9.x) or 'primary' (BIND 9.16+) — the server holds the editable copy of the zone. type slave/secondary fetches from master via AXFR. type forward forwards queries elsewhere. type hint points at root servers.
5What is the proper SOA serial number convention for BIND zone files?
A.YYYYMMDDNN format (e.g., 2026042701) — increments with each edit, slaves notice the change
B.Random number
C.1, 2, 3, 4 ... incrementing by 1 forever
D.Date alone (YYYYMMDD)
Explanation: YYYYMMDDNN convention: ten digits — year, month, day, plus a 2-digit revision counter for multiple edits in one day. The serial MUST increase, or slaves won't pull updates. Newer BIND auto-increments via 'serial-update-method unixtime'. Forgetting to increment after a zone edit is a classic mistake.
6Which DNS query type does dig use by default?
A.A
B.ANY
C.ALL
D.AXFR
Explanation: dig <name> defaults to A (IPv4). dig <name> AAAA gets IPv6. dig <name> ANY queries all types (modern resolvers may refuse this). dig @ns1.example.com example.com AXFR attempts a zone transfer. dig +short suppresses the verbose header.
7Which BIND option restricts who may transfer a zone (AXFR/IXFR)?
A.allow-transfer
B.allow-query
C.transfer-source
D.tsig-keys
Explanation: allow-transfer { 192.168.1.10; key xfer-key; }; restricts AXFR to listed clients/keys. allow-query controls who may query. transfer-source sets the OUTGOING source for slave-side transfers. TSIG keys (defined separately) authenticate transfers cryptographically.
8Which command checks the syntax of a BIND zone file?
A.named-checkzone <zone-name> <file>
B.named-checkconf
C.Both A (zone) and B (named.conf)
D.bind-test
Explanation: named-checkzone validates a single zone file (catches syntax errors, missing SOA fields, glue issues). named-checkconf validates named.conf. Run both before reloading BIND. rndc reload triggers a soft reload after edits.
9What is the role of DNSSEC's RRSIG, DNSKEY, and DS records?
A.RRSIG holds the signature; DNSKEY is the public key; DS is a delegation hash in the parent zone
B.All three are mail signatures
C.RRSIG and DS are unrelated to DNSSEC
D.DNSKEY is the encrypted key only
Explanation: RRSIG: signature for an RRset. DNSKEY: public keys (KSK and ZSK) used to verify RRSIGs. DS (Delegation Signer): hash of child's KSK published in the parent zone, anchoring the chain of trust. NSEC/NSEC3: prove non-existence of a record. dnssec-keygen and dnssec-signzone create these.
10Which TSIG-related directive is used to authenticate zone transfers between BIND servers?
A.key directive defining algorithm and secret, plus 'server <ip> { keys { name; }; };'
B.Plain IP-based access control only
C.PGP keys
D.X.509 certificates
Explanation: TSIG authenticates DNS messages via a shared HMAC secret. Define a 'key' block with 'algorithm hmac-sha256;' and 'secret "<base64>";', then 'server' blocks reference the key. Generate secrets with 'tsig-keygen -a hmac-sha256 keyname'. Use in allow-transfer { key keyname; };.

About the LPIC-2 202-450 Exam

Exam 202-450 is the second of two exams for the LPIC-2 Linux Engineer certification. Requires active LPIC-1. It validates the ability to install, configure, and maintain network services on Linux: BIND DNS, Apache and Nginx web servers, Samba and NFS file sharing, DHCP, OpenLDAP, Postfix mail, and host security with iptables/nftables, OpenVPN, and SSH.

Questions

60 scored questions

Time Limit

90 minutes

Passing Score

500 / 800 (scaled)

Exam Fee

$200 (Linux Professional Institute (Pearson VUE / OnVUE online proctored))

LPIC-2 202-450 Exam Content Outline

23%

System Security (Topic 212)

Weight 14/60 — largest topic. Configuring a router (IP forwarding, sysctl net.ipv4.ip_forward, NAT/masquerading, /proc/sys/net); managing FTP servers (vsftpd, pure-ftpd basics, awareness only); secure shell (sshd_config, ~/.ssh/config, key-based auth, ssh-agent, port forwarding -L/-R/-D, X11 forwarding); security tasks (nmap, OpenSSL, /etc/hosts.allow/.deny, awareness of fail2ban, snort, rkhunter, OpenVAS); OpenVPN (server.conf, client.conf, ca.crt, easy-rsa); IPsec awareness; Linux firewall — iptables (filter/nat/mangle tables, INPUT/OUTPUT/FORWARD chains) and nftables (tables, chains, rules).

18%

HTTP Services (Topic 208)

Weight 11/60. Apache configuration (httpd.conf, /etc/apache2/, VirtualHost, ServerName, DocumentRoot, Directory blocks, .htaccess, mod_rewrite RewriteRule/RewriteCond, mod_ssl with SSLCertificateFile/SSLCertificateKeyFile/SSLCACertificate, mod_dir, mod_alias, a2enmod/a2ensite); Apache HTTPS (Let's Encrypt awareness, certbot); implementing Squid as a caching proxy (squid.conf, ACLs, http_access, cache_dir); Nginx as a web server and reverse proxy (server blocks, proxy_pass, upstream blocks, listen 443 ssl).

18%

Network Client Management (Topic 210)

Weight 11/60. DHCP configuration (dhcpd.conf, subnet, range, static reservations via host blocks, /var/lib/dhcp/dhcpd.leases, dhclient, /etc/dhcp/dhclient.conf); PAM authentication (/etc/pam.d/, auth/account/password/session, pam_unix, pam_cracklib/pam_pwquality, pam_ldap, pam_tally2/pam_faillock); LDAP client usage (ldapsearch, ldapadd, ldapmodify, ldappasswd, /etc/openldap/ldap.conf, /etc/nsswitch.conf with ldap, sssd); configuring an OpenLDAP server (slapd, slapd.conf or cn=config, LDIF format, ACLs, indexes, replication awareness).

13%

Domain Name Server (Topic 207)

Weight 8/60. Basic DNS server configuration (BIND named.conf, options block, listen-on, allow-query, forwarders, /var/named/ or /etc/bind/zones); creating and maintaining DNS zones (zone files — SOA, NS, A, AAAA, MX, CNAME, PTR, TXT records; $TTL, $ORIGIN, serial increment for slave updates); securing a DNS server (chroot jail awareness, ACLs in named.conf, DNSSEC awareness — dnssec-keygen, dnssec-signzone, RRSIG/DNSKEY/DS records, TSIG keys for zone transfers).

13%

File Sharing (Topic 209)

Weight 8/60. Samba server configuration (smb.conf, [global], [homes], [printers], custom shares, security = user, workgroup, server role, smbpasswd, pdbedit, testparm, smbclient, smbstatus, mount.cifs); NFS server configuration (/etc/exports, options rw/ro/sync/async/no_root_squash/all_squash, exportfs -ar, showmount -e, mount -t nfs, NFSv3 vs NFSv4, /etc/idmapd.conf, rpcbind, statd/lockd for v3); awareness of file-locking, ACLs, and Kerberized NFS (sec=krb5).

13%

E-Mail Services (Topic 211)

Weight 8/60. Using e-mail servers (Postfix as primary — main.cf, master.cf, postconf, postqueue, postsuper, /etc/aliases, newaliases, virtual_alias_domains, awareness of Sendmail/Exim configuration parallels); managing local e-mail delivery (procmail, ~/.procmailrc, sieve awareness); managing remote e-mail delivery (Dovecot for IMAP/POP3 — dovecot.conf, mail_location, auth mechanisms; mailing list manager awareness — Mailman/Sympa).

How to Pass the LPIC-2 202-450 Exam

What You Need to Know

  • Passing score: 500 / 800 (scaled)
  • Exam length: 60 questions
  • Time limit: 90 minutes
  • Exam fee: $200

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

LPIC-2 202-450 Study Tips from Top Performers

1Spin up a BIND server on a VM and write a complete zone file with SOA/NS/A/MX/CNAME/PTR — increment the SOA serial when you change records
2Practice Apache vhost + mod_ssl + mod_rewrite from scratch: VirtualHost, SSLEngine on, RewriteEngine on, RewriteRule ^/old$ /new [R=301,L]
3Build a complete OpenLDAP DIT: dc=example,dc=com, ou=People, ou=Groups, then ldapadd LDIF for users and groups, configure pam_ldap and nsswitch
4Drill /etc/exports option semantics: rw vs ro, sync vs async, no_root_squash (dangerous), all_squash, anonuid/anongid
5Memorize iptables chain order: PREROUTING (nat,mangle) → INPUT (filter) for local; PREROUTING → FORWARD → POSTROUTING for routed
6nftables modern syntax: 'nft add table inet filter; add chain inet filter input { type filter hook input priority 0\; policy drop\; }; add rule inet filter input ct state established,related accept'
7Postfix main.cf essentials: myhostname, mydomain, myorigin, inet_interfaces, mydestination, mynetworks, smtpd_recipient_restrictions

Frequently Asked Questions

What is the LPIC-2 202-450 exam?

Exam 202-450 is Part 2 of 2 for LPIC-2 Linux Engineer. It validates the ability to install, configure, and secure common Linux network services: BIND DNS, Apache/Nginx, Samba/NFS, DHCP, PAM/LDAP, Postfix/Dovecot, and host security including iptables/nftables, OpenVPN, and OpenSSH.

What is the largest topic on Exam 202-450?

System Security at weight 14 — by far the largest single topic. It covers iptables/nftables firewalling, OpenSSH hardening, OpenVPN, IPsec awareness, FTP servers, and security audit tools. HTTP Services and Network Client Management tie for second at weight 11 each.

Do I need LPIC-1 to be awarded LPIC-2?

Yes. You may sit Exam 202-450 without active LPIC-1, but the LPIC-2 credential is only awarded once you hold active LPIC-1 and have passed both 201-450 and 202-450. LPI publishes the linkage on the LPIC-2 overview page.

How is Exam 202-450 structured?

60 questions in 90 minutes — multiple-choice and fill-in-the-blank. Scaled scoring 200-800 with 500 to pass. Fill-in-the-blank items demand exact configuration directive names, paths, and option flags (e.g., 'allow-query', '/etc/exports', '-A INPUT').

How much does Exam 202-450 cost?

$200 USD per attempt at standard pricing. Reduced regional pricing of $165 or $132 is available. Each attempt requires its own voucher purchased through LPI Marketplace or Pearson VUE.

Where can I take the LPIC-2 202-450 exam?

Pearson VUE testing centers worldwide, or remotely via LPI OnVUE online proctored. OnVUE requires a webcam, microphone, government-issued photo ID, and a clean uninterrupted room. Schedule via lpi.org or pearsonvue.com/lpi.

How does LPIC-2 prepare me for LPIC-3?

Active LPIC-2 is a prerequisite for any LPIC-3 specialization (300 Mixed Environment, 303 Security, 305 Virtualization and Containerization, 306 High Availability and Storage Clusters). Each LPIC-3 exam is a single 90-minute exam — no second part.