
The network element must have DNS servers defined if it is configured as a client resolver.


Overview

Finding ID: V-3020
Version: NET0820
Rule ID: SV-15331r2_rule
IA Controls:
Severity: Low
Description
The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping vulnerabilities. For example, suppose a source host wishes to establish a connection with a destination host and queries a DNS server for the IP address of the destination host name. If the response to this query is the IP address of a host operated by an attacker, the source host will establish a connection with the attacker's host rather than the intended target. The user on the source host might then provide logon, authentication, and other sensitive data.
STIG Date
Infrastructure Router - Juniper Security Technical Implementation Guide 2017-09-28

Details

Check Text (C-12797r2_chk)
Review the active configuration to ensure that DNS servers have been defined similar to the following example:

[edit system]
name-server {
    192.168.1.253;
    192.168.1.254;
}

Note: Since JUNOS will not send a DNS query to resolve names to IP addresses if a name server is not defined, this will never be a finding.
Fix Text (F-3045r2_fix)
Configure the device to include DNS servers or disable domain lookup.
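
The review described in the check text can be run against a saved copy of the configuration. The following Python is an added example, not part of the STIG: it extracts only the addresses defined at [edit system] name-server, from either the hierarchical or the `set` form. The function names and the sample configuration, including the nested DHCP block used to show that other name-server statements are ignored, are constructed for illustration.

```python
import re

def junos_name_servers(config_text):
    """Return the addresses defined at [edit system] name-server only."""
    servers, path = [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop '#' comments
        m = re.match(r"set\s+system\s+name-server\s+(\S+)", line)
        if m:                                        # "display set" form
            servers.append(m.group(1))
        elif line.endswith("{"):                     # entering a hierarchy level
            path.append(line[:-1].strip())
        elif line == "}":                            # leaving a hierarchy level
            path = path[:-1]
        else:
            words = line.rstrip(";").split()
            if path == ["system", "name-server"] and words:
                servers.append(words[0])             # block form entry
            elif path == ["system"] and len(words) > 1 and words[0] == "name-server":
                servers.append(words[1])             # one-line form
    return servers

def review_dns(config_text):
    """Summarise the review: are resolvers defined, and which ones."""
    servers = junos_name_servers(config_text)
    return {"defined": bool(servers), "servers": servers}

# Constructed sample configuration; resolver addresses come from the check text.
SAMPLE = """
system {
    name-server {
        192.168.1.253;
        192.168.1.254;
    }
    services {
        dhcp {
            name-server {
                10.0.0.1;
            }
        }
    }
}
"""

if __name__ == "__main__":
    print(review_dns(SAMPLE))
```
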