Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3020 | NET0820 | SV-15330r2_rule | | Low |
Description |
---|
The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping vulnerabilities. For example, suppose a source host wishes to establish a connection with a destination host and queries a DNS server for the IP address of the destination host name. If the response to this query is the IP address of a host operated by an attacker, the source host will establish a connection with the attacker's host, rather than the intended target. The user on the source host might then provide logon, authentication, and other sensitive data. |
STIG | Date |
---|---|
Perimeter Router Security Technical Implementation Guide Cisco | 2016-07-07 |
Check Text ( C-12796r2_chk ) |
---|
Review the device configuration to ensure that DNS servers have been defined if it has been configured as a client resolver (name lookup). The configuration should look similar to one of the following examples: `ip domain-lookup` followed by `ip name-server 192.168.1.253`, or `no ip domain-lookup`. The first configuration example has DNS lookup enabled and hence has defined its DNS server. The second example has DNS lookup disabled. Note: `ip domain-lookup` is enabled by default. Hence it may not be shown, depending on the IOS release. If it is enabled, it will be shown near the beginning of the configuration. |
Fix Text (F-3045r2_fix) |
---|
Configure the device to include DNS servers or disable domain lookup. |
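
The check text above can be automated against a saved configuration. The following is an added example, not part of the STIG: the function name `check_net0820` and the sample configurations are constructed for illustration. It assumes global commands are unindented in the saved configuration and matches only the two command forms quoted in the check text.

```python
import ipaddress
import re

LOOKUP = re.compile(r"^(no\s+)?ip\s+domain-lookup\s*$")
NAME_SERVER = re.compile(r"^ip\s+name-server\s+(.+)$")

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def check_net0820(config):
    """Return (compliant, reason) for the NET0820 check on an IOS config (hypothetical helper)."""
    lookup_enabled = True  # check text: enabled by default, so the line may be absent
    servers = []
    for line in config.splitlines():
        line = line.rstrip()
        # Assumption: global commands are not indented; skip sub-mode lines and "!" comments.
        if not line or line[0].isspace() or line.startswith("!"):
            continue
        m = LOOKUP.match(line)
        if m:
            lookup_enabled = m.group(1) is None  # a leading "no" disables lookup
            continue
        m = NAME_SERVER.match(line)
        if m:
            # Keep only tokens that parse as IP addresses.
            servers += [t for t in m.group(1).split() if _is_ip(t)]
    if not lookup_enabled:
        return True, "domain lookup disabled"
    if servers:
        return True, "lookup enabled, servers: " + ", ".join(servers)
    return False, "lookup enabled (explicitly or by default) with no name server"

# Constructed sample configurations (not taken from a real device).
SAMPLE_DEFINED = "hostname R1\nip domain-lookup\nip name-server 192.168.1.253\n"
SAMPLE_DISABLED = "hostname R1\nno ip domain-lookup\n"
# No lookup line at all: the default applies, so this one is a finding.
SAMPLE_DEFAULT = "hostname R1\n!\ninterface GigabitEthernet0/0\n ip address 192.0.2.1 255.255.255.0\n"

if __name__ == "__main__":
    for name, cfg in [("defined", SAMPLE_DEFINED), ("disabled", SAMPLE_DISABLED),
                      ("default", SAMPLE_DEFAULT)]:
        print(name, check_net0820(cfg))
```

The third sample is the case the check text's note warns about: a configuration that never mentions `ip domain-lookup` still has lookup enabled, so it is a finding unless a name server is defined.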