2.3 Ensure 'DNS Guard' is enabled

Information

Enables protection against DNS cache poisoning attacks.

Rationale:

A DNS cache is poisoned when it contains incorrect entries that redirect traffic to an attacker-controlled website. When DNS queries are sent to legitimate DNS servers, attackers can spoof the Identifier field of the DNS header along with the UDP port of the DNS caching server in order to deliver a reply that appears to come from an authoritative DNS server. The DNS Guard function helps eliminate such attacks by dropping subsequent replies that arrive after the authoritative server's reply.

Solution

Run the following command to enable the DNS Guard function.

hostname(config)# dns-guard

Default Value:

The function is disabled by default for the related software versions.
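As an added example (not part of the benchmark or of Tenable's audit plugin), the following Python check scans a running-config excerpt for the global dns-guard command, treating its absence or a "no dns-guard" line as disabled, in line with the stated default. The sample configuration is constructed for illustration; the helper names are hypothetical.

```python
# Constructed sample of an ASA-style running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
: Saved
hostname asa-edge
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
no dns-guard
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""


def dns_guard_enabled(running_config: str) -> bool:
    """Return True only if the global 'dns-guard' command is present and not negated.

    Assumptions: the command is a top-level (unindented) global setting, the last
    occurrence wins, and absence means disabled (the benchmark's stated default).
    """
    state = False
    for raw in running_config.splitlines():
        if raw.startswith((" ", "!", ":")):
            continue  # sub-mode commands, comments and banner lines are not global settings
        line = raw.strip()
        if line == "dns-guard":
            state = True
        elif line == "no dns-guard":
            state = False
    return state


def audit(running_config: str) -> dict:
    """Summarise the control result the way a compliance report would."""
    enabled = dns_guard_enabled(running_config)
    return {
        "control": "2.3 Ensure 'DNS Guard' is enabled",
        "status": "PASS" if enabled else "FAIL",
        "remediation": None if enabled else "hostname(config)# dns-guard",
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```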

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-2(1), 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|11.1

Plugin: Cisco

Control ID: 2d6ba093f77440e034411bc7dbe8d23ce624ecc7af69f39701060fa9d8cd5a0d