Check: DNS0925
Cisco CSS DNS STIG (version v4 r1.18)
Title
Forwarders are not disabled on the CSS DNS. (Cat II impact)
Discussion
CSS DNS is not vulnerable to attacks associated with recursion because it does not support recursion, but it does offer a forwarder feature that sends unresolvable or unsupported requests to another name server. This feature poses a risk because it merely redirects potential attacks to another name server.
Check Content
In the presence of the reviewer, the CSS DNS administrator should enter the following command while in global configuration mode:
show dns-server forwarder
Confirm that the DNS server forwarder primary and DNS server forwarder secondary are both "Not Configured." If either of these is configured, then this is a finding.
Fix Text
The CSS DNS administrator should disable forwarders by entering the following command(s) while in global configuration mode:
no dns-server forwarder primary (if a primary forwarder is configured)
no dns-server forwarder secondary (if a secondary forwarder is configured)
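The following is an added example, not part of the STIG itself, that automates the Check Content and Fix Text above: it evaluates captured `show dns-server forwarder` output for this finding and lists the matching `no dns-server forwarder` commands. The line layout of the command output is an assumption; only the two field names and the value "Not Configured" come from the check text, and the sample outputs are constructed.

```python
import re

# Constructed samples of what `show dns-server forwarder` might print on a CSS.
# The exact layout is an assumption; the field labels and "Not Configured" are
# taken from the check text.
SAMPLE_COMPLIANT = """\
DNS Server Forwarder Primary:    Not Configured
DNS Server Forwarder Secondary:  Not Configured
"""

SAMPLE_FINDING = """\
DNS Server Forwarder Primary:    192.0.2.53
DNS Server Forwarder Secondary:  Not Configured
"""

FIELDS = ("primary", "secondary")
FIELD_RE = re.compile(
    r"\s*DNS\s+Server\s+Forwarder\s+(Primary|Secondary)\s*:\s*(.*?)\s*$", re.I)


def parse_forwarders(output):
    """Map 'primary'/'secondary' to the value shown in the command output.
    A field that never appears is reported as None so the caller does not
    silently pass a device whose output could not be read."""
    found = {f: None for f in FIELDS}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def is_configured(value):
    return value is not None and value.strip().lower() != "not configured"


def evaluate_dns0925(output):
    """Return ('finding' | 'not a finding' | 'indeterminate', parsed fields)."""
    fwd = parse_forwarders(output)
    if any(v is None for v in fwd.values()):
        return "indeterminate", fwd          # output unparseable: do not assume compliance
    if any(is_configured(v) for v in fwd.values()):
        return "finding", fwd                # either forwarder set -> Cat II finding
    return "not a finding", fwd


def remediation_commands(output):
    """Fix Text commands (global configuration mode) for each configured forwarder."""
    fwd = parse_forwarders(output)
    return [f"no dns-server forwarder {f}" for f in FIELDS if is_configured(fwd[f])]
```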
Additional Identifiers
Rule ID: SV-4510r1_rule
Vulnerability ID: V-4510
Group Title: Forwarders are not disabled on the CSS DNS.
Expert Comments
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.