Cisco Certified Network Associate Exam | 200-125 | DNS Spoofing Conditions

Understand the Conditions for DNS Spoofing Enabled on a Device



After you configure the ip dns spoofing command globally on a device, under which two conditions is DNS spoofing enabled on the device? (Choose two.)





DNS spoofing is designed to allow a router to act as a proxy DNS server and "spoof" replies to any DNS queries, using either the IP address configured in the command or the IP address of the interface on which the query arrived. This feature is useful for devices whose interface toward the Internet service provider (ISP) is not up. Once the interface to the ISP is up, the router forwards DNS queries to the real DNS servers.

This feature turns on DNS spoofing and is functional if any of the following conditions are true:

-> The no ip domain lookup command is configured.

-> IP name server addresses are not configured.

-> There are no valid interfaces or routes for sending to the configured name server addresses.

The "ip dns spoofing" command is a global configuration command that enables DNS spoofing on a Cisco device. The term DNS spoofing also names a type of attack in which a malicious user modifies DNS responses to redirect the victim to a different IP address than intended, usually with the aim of stealing information or executing other attacks.

After you configure the "ip dns spoofing" command globally on a device, the following two conditions enable DNS spoofing:

  1. The "no ip domain lookup" command is configured: This command disables DNS lookups on the device, so the device will not attempt to resolve domain names to IP addresses using DNS. This makes the device more vulnerable to DNS spoofing attacks because it will not verify the IP addresses of the servers it is communicating with.

  2. All configured IP name server addresses are removed: If there are no configured IP name servers on the device, then the device will not be able to verify the IP addresses of the servers it is communicating with, making it more vulnerable to DNS spoofing attacks.
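As an added illustration (not from the exam page or from Cisco), the following Python check reads a running-config and reports which of the conditions listed above (the arrow list and the numbered list) would make a configured "ip dns spoofing" take effect. The sample configuration is constructed, and the list of reachable name servers is a constructed input, because the "valid interface or route" condition depends on the device's routing table rather than on the config text.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample IOS configuration (not taken from a real device).
SAMPLE_CONFIG = """
hostname edge-router
ip dns spoofing 192.0.2.1
no ip domain lookup
ip name-server 192.0.2.53 198.51.100.53
"""


def name_servers(lines: List[str]) -> List[str]:
    """Collect every address given on 'ip name-server' lines."""
    servers: List[str] = []
    for line in lines:
        m = re.match(r"ip name-server\s+(.+)$", line)
        if m:
            servers.extend(m.group(1).split())
    return servers


def dns_spoofing_active(config: str,
                        reachable: Optional[Iterable[str]] = None) -> Tuple[bool, List[str]]:
    """Return (active, reasons) for the given config.

    'reachable' lists the configured name servers the device can currently
    route to (an assumed input from the routing table); None skips that check.
    """
    lines = [l.strip() for l in config.splitlines()]
    if not any(re.match(r"ip dns spoofing(\s|$)", l) for l in lines):
        return False, ["ip dns spoofing is not configured"]
    reasons: List[str] = []
    # Condition 1: DNS lookups disabled (both IOS spellings of the command).
    if any(re.match(r"no ip domain[- ]lookup$", l) for l in lines):
        reasons.append("no ip domain lookup is configured")
    servers = name_servers(lines)
    # Condition 2: no name-server addresses configured at all.
    if not servers:
        reasons.append("no ip name-server addresses are configured")
    # Condition 3: servers exist, but none is reachable via a valid interface or route.
    elif reachable is not None and not set(servers) & set(reachable):
        reasons.append("no valid interface or route to any configured name server")
    return bool(reasons), reasons


if __name__ == "__main__":
    active, why = dns_spoofing_active(SAMPLE_CONFIG)
    print("DNS spoofing active" if active else "DNS spoofing inactive", why)
```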

Answers A and E are incorrect because the "ip host" command is not related to DNS spoofing, and the DNS server queue limit does not affect the ability to enable DNS spoofing. Answer B is also incorrect because removing the "ip dns spoofing" command would simply disable the DNS spoofing configuration, not enable it. Answer C is partially correct, but it is not the only condition that enables DNS spoofing.