Title

Network devices must have DNS servers defined if it is configured as a client resolver. (Cat III impact)

Discussion

The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping vulnerabilities. For example, suppose a source host wishes to establish a connection with a destination host and queries a DNS server for the IP address of the destination host name. If the response to this query is the IP address of a host operated by an attacker, the source host will establish a connection with the attacker's host, rather than the intended target. The user on the source host might then provide logon, authentication, and other sensitive data.

Check Content

Review the device configuration to ensure DNS servers have been defined if it has been configured as a client resolver (name lookup). If the device is configured as a client resolver and DNS servers are not defined, this is a finding.

Fix Text

Configure the device to include DNS servers or disable domain lookup.

Additional Identifiers

Rule ID:

Vulnerability ID: V-3020

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.