
PCI Compliance Failure

ewmoore
Newbie
Posts: 2
Registered: 2 weeks ago

PCI Compliance Failure

I recently failed a PCI compliance scan on the following:

 

- DNS Server Recursive Query Cache Poisoning Weakness

- DNS Server Cache Snooping Remote Information Disclosure

 

Plusnet told me the routers do not come PCI compliant as standard as their routers are designed purely for broadband connection, and pointed me towards portforward.com. Portforward directed me to "create the port forward entries in your router" but I have no idea how to go about this. The PCI compliance company told me to show Plusnet the scan results for the port 53 UDP fault and they would be able to implement the solution, but they just say they are unable to advise.

 

Any idea how I can rectify this?

3 REPLIES
corringham
Pro
Posts: 216
Thanks: 114
Fixes: 2
Registered: ‎25-09-2015

Re: PCI Compliance Failure

Plusnet are not really a business ISP. They do sell broadband to businesses, and have a separate tariff for business customers (and provide VAT invoices), but that is about the limit of it.

They are cheaper than most business ISPs, and for some businesses that makes them a good choice. However, they don't offer the features a lot of businesses need (PCI compliance, SSL, IPv6, etc.). They don't even really understand what's required - portforward.com is intended for gamers, not businesses, and won't solve your DNS issues.

Depending on your router you may be able to change your DNS settings, which may help.

Superuser
Superuser
Posts: 6,969
Thanks: 999
Fixes: 60
Registered: ‎30-07-2007

Re: PCI Compliance Failure

@ewmoore as @corringham says I wouldn't expect PN to be able to help.

This post https://forum.mikrotik.com/viewtopic.php?t=50640 makes interesting reading and seems to indicate that the PCI compliance systems are being 'picky' about these checks. That link suggests that the only way is to get the router firewall to REJECT UDP port 53 requests rather than just DROP them. AFAIK neither of the PN supplied routers (the Hub zero or Hub one) have sufficient ability to control the firewall to that extent.

Do the PCI people have a list of certified routers? If so then we could possibly advise which of those would be able to be used with PN (probably most of them).
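To check what UDP port 53 on your own router returns before requesting a rescan, here is an added Python example (not part of the original posts). It assumes the two findings correspond to the router answering recursive (RD=1) and non-recursive (RD=0) queries from outside; the function names are illustrative, and it also separates a silent DROP from the ICMP rejection discussed above.

```python
import socket
import struct

def build_query(name, rd, txid=0x1234):
    """DNS A/IN query; the RD bit (0x0100) is set only when rd is true."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply, rd):
    """Interpret what came back from UDP 53 for a query sent with or without RD."""
    if reply == "timeout":
        return "silent: no reply (closed behind a DROP rule, or packet lost)"
    if reply == "unreachable":
        return "rejected: ICMP port unreachable (what a REJECT rule sends)"
    if len(reply) < 12:
        return "malformed reply"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if not flags & 0x8000:  # QR bit clear: not a DNS response
        return "malformed reply"
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        if rd:
            return "exposed: resolves recursive queries for outside hosts"
        return "exposed: answers RD=0 queries from cache (snoopable)"
    return "answers but returns no data (rcode %d)" % rcode

def probe(host, name, rd, timeout=3.0):
    """Send one query to host:53 from wherever this runs and classify the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, 53))  # connected socket so ICMP errors surface on recv
        s.send(build_query(name, rd))
        try:
            reply = s.recv(512)
        except socket.timeout:
            reply = "timeout"
        except ConnectionError:
            reply = "unreachable"
    return classify(reply, rd)

# Constructed sample replies (a 12-byte header is all classify() reads):
SAMPLE_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)  # QR, rcode 5 (REFUSED)
```

Run `probe()` from a machine outside your network against your own public IP address, once with `rd=True` and once with `rd=False`; either "exposed" result means the router is still answering DNS on its WAN side.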

 

ewmoore
Newbie
Posts: 2
Registered: 2 weeks ago

Re: PCI Compliance Failure

Thanks for the advice, I shall see if I can further adjust the DNS settings.