Information
The network element must have DNS servers defined if it is configured as a client resolver.
The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping vulnerabilities. For example, suppose a source host wishes to establish a connection with a destination host and queries a DNS server for the IP address of the destination host name. If the response to this query is the IP address of a host operated by an attacker, the source host will establish a connection with the attackers host, rather than the intended target. The user on the source host might then provide logon, authentication, and other sensitive data.
Review the device configuration to ensure that DNS servers have been defined if it has been configured as a client resolver (name lookup). The configuration should look similar to one of the following examples:
ip domain-lookup
ip name-server 192.168.1.253
or
no ip domain-lookup
The first configuration example has DNS lookup enabled and hence has defined its DNS server. The second example has DNS lookup disabled.
NOTE: ip domain-lookup is enabled by default. Hence it may not be shown-depending on the IOS release. If it is enabled, it will be shown near the beginning of the configuration. If you don't allow the router to act as a DNS resolver you'll need to ensure 'no ip domain-lookup' is present in the configuration.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Configure the device to include DNS servers or disable domain lookup.