Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3020 | NET0820 | SV-41503r1_rule | ECSC-1 | Low |
Description |
---|
The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping vulnerabilities. For example, suppose a source host wishes to establish a Telnet connection with a destination host and queries a DNS server for the IP address of the destination host name. If the response to this query is the IP address of a host operated by an attacker, the source host will establish a connection with the attackers host, rather than the intended target. The user on the source host might then provide logon, authentication, and other sensitive data. |
STIG | Date |
---|---|
Firewall Security Technical Implementation Guide - Cisco | 2013-10-08 |
Check Text ( C-39985r1_chk ) |
---|
Review the device configuration to ensure that DNS servers have been defined if it has been configured as a client resolver (name lookup). The configuration should look similar to one of the following examples: dns domain-lookup inside dns domain-lookup dmz dns name-server 192.168.1.22 dns name-server 101.14.8.55 Note: DNS lookup on the PIX and ASA is disabled by default. |
Fix Text (F-3045r2_fix) |
---|
Configure the device to include DNS servers or disable domain lookup. |