Leaked DNS Query Detection - ISATAP Request (IPv6)
Low Nessus Network Monitor Plugin ID 7203
Synopsis
An internal IPv6 routing query has leaked to the public realm via DNS.
Description
ISATAP, or Intra-Site Automatic Tunnel Addressing Protocol, is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network. Traffic observed from this host indicates it has queried the network for an available ISATAP host to supply the PRL, or potential routers list. Through an error in DNS configuration, the remote host has sent an ISATAP request to the public realm, potentially allowing for a man-in-the-middle (MiTM) attack to take place. A determined attacker who is able to register a gTLD with the same domain name could theoretically serve a malicious PRL in response. This may result in IPv6 traffic from the affected host being redirected through an attacker-controlled gateway, unbeknownst to the user.
Solution
Ensure that any '6in4' or ISATAP traffic cannot pass through the firewall to reach external resources.