Ensure ‘DNS Guard’ is enabled

Details

Enables protection on the firewall against DNS cache poisoning by allowing only one reply to be forwarded for each DNS query.

Rationale:

A DNS cache is poisoned when it holds forged records that send clients to an attacker-controlled host. While a caching resolver waits for the answer to a query it sent to a legitimate server, an attacker who can guess the 16-bit transaction ID in the DNS header and the resolver's source UDP port can inject a reply that appears to come from the authoritative server; if the forgery arrives before the genuine answer, the resolver caches it. DNS Guard narrows this window on the firewall: it tracks each outbound UDP DNS query, forwards only a reply whose transaction ID matches that query, and tears down the connection as soon as the first reply has been forwarded, so any further replies to the same query are dropped instead of reaching the resolver. It does not help against a forgery that arrives before the genuine reply, so it complements, rather than replaces, source-port randomisation and DNSSEC validation on the resolver itself.
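The following is an added illustration, not Cisco code and not part of the original article: a small Python model of the one-reply-per-query rule described above, run over constructed DNS packets. The firewall object, the packet format and the addresses (10.0.0.53 as the resolver, 198.51.100.10 as the server, port 41234, transaction ID 0x1A2B) are all assumptions made for the example. It shows what changes when the guard is on, and also the residual race the guard cannot close: a correctly guessed ID that arrives before the genuine reply.

```python
"""Model of the DNS Guard check: one forwarded reply per UDP DNS query,
with the reply's transaction ID required to match the query's.
Added example; addresses, ports and IDs are constructed, not real."""
from __future__ import annotations

import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal UDP datagram: endpoints plus the DNS payload."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def build_dns(txid: int, name: str, response: bool) -> bytes:
    """Build a DNS message (header + one A/IN question); QR set for a reply."""
    flags = 0x8180 if response else 0x0100  # QR|RD|RA for replies, RD for queries
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(payload: bytes) -> tuple[int, bool]:
    """Return (transaction ID, is_response) from a DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)


class UdpDnsFirewall:
    """Stateful UDP pinhole for DNS, with or without the DNS Guard rule."""

    def __init__(self, dns_guard: bool) -> None:
        self.dns_guard = dns_guard
        self.sessions: dict[tuple, int] = {}  # query 5-tuple -> transaction ID

    def process(self, pkt: Packet) -> str:
        txid, is_response = parse_header(pkt.payload)
        if not is_response:
            # An outbound query opens a pinhole keyed by its 5-tuple.
            self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = txid
            return "forward"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse of the query
        if key not in self.sessions:
            return "drop:no-matching-query"
        if self.dns_guard and self.sessions[key] != txid:
            return "drop:id-mismatch"
        if self.dns_guard:
            del self.sessions[key]  # tear down now: exactly one reply per query
        # Without the guard the pinhole stays open until the UDP idle timeout,
        # so every later reply to this 5-tuple is forwarded as well.
        return "forward"


def run_scenario(dns_guard: bool, guess_correct: bool = False) -> dict[str, str]:
    """Query, one spoofed reply, the genuine reply, a late spoof, an unsolicited reply."""
    fw = UdpDnsFirewall(dns_guard)
    resolver, server, sport, real_id = "10.0.0.53", "198.51.100.10", 41234, 0x1A2B

    def reply(txid: int, dport: int = sport) -> Packet:
        # Source address spoofed as the legitimate server in every case.
        return Packet(server, 53, resolver, dport, build_dns(txid, "example.com", True))

    results = {}
    results["query"] = fw.process(
        Packet(resolver, sport, server, 53, build_dns(real_id, "example.com", False)))
    results["spoof_before_reply"] = fw.process(reply(real_id if guess_correct else 0x0001))
    results["real_reply"] = fw.process(reply(real_id))
    results["spoof_after_reply"] = fw.process(reply(real_id))
    results["unsolicited"] = fw.process(reply(real_id, dport=40000))
    return results


if __name__ == "__main__":
    for guard in (False, True):
        print(f"dns_guard={guard}: {run_scenario(guard)}")
    print(f"guessed ID first, dns_guard=True: {run_scenario(True, guess_correct=True)}")
```

With the guard off, every spoofed reply that hits the open pinhole is forwarded, including the one sent after the genuine answer. With the guard on, a wrong ID is dropped, the genuine reply closes the session, and later replies are dropped. The last scenario is the caveat from the rationale: a correctly guessed ID that arrives first is forwarded and the genuine reply is then the one that gets dropped, which is why resolver-side defences are still needed.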

Solution

Run the following command in global configuration mode to enable the DNS Guard function on all interfaces:

hostname(config)# dns-guard

Default Value:

The function is disabled for the related software versions. Because the default depends on platform and software version, confirm the effective setting after the change with show running-config all | include dns-guard (the "all" keyword lists default settings that a plain show running-config omits) rather than relying on the default.

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Cisco.


Updated on July 16, 2022