UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The network element must have DNS servers defined if it is configured as a client resolver.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3020 NET0820 SV-41503r1_rule Low
Description
The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping vulnerabilities. For example, suppose a source host wishes to establish a Telnet connection with a destination host and queries a DNS server for the IP address of the destination host name. If the response to this query is the IP address of a host operated by an attacker, the source host will establish a connection with the attackers host, rather than the intended target. The user on the source host might then provide logon, authentication, and other sensitive data.
STIG Date
Firewall Security Technical Implementation Guide - Cisco 2017-12-07

Details

Check Text ( C-39985r1_chk )
Review the device configuration to ensure that DNS servers have been defined if it has been configured as a client resolver (name lookup). The configuration should look similar to one of the following examples:
dns domain-lookup inside
dns domain-lookup dmz
dns name-server 192.168.1.22
dns name-server 101.14.8.55

Note: DNS lookup on the PIX and ASA is disabled by default.
Fix Text (F-3045r2_fix)
Configure the device to include DNS servers or disable domain lookup.