Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-24996 | DNS4720 | SV-30736r1_rule | ECSC-1 | High |
Description |
---|
DNS uses UDP queries for performance reasons. A DNS server acts upon the first response that matches the characteristics of its outbound query, and those characteristics can be forged. The values a forged response must match are the query source port (usually an “ephemeral” port above 1024), the responding IP address, the DNS transaction ID, and the Question section of the outgoing query. The DNS protocol specification does not require any of these to have a great degree of randomness or unpredictability, which makes certain attacks possible. |
STIG | Date |
---|---|
BIND DNS | 2011-01-20 |
Check Text ( C-31145r1_chk ) |
---|
Locate and examine the named.conf file. Find the `options` statement and ensure it does not contain the following entry: `query-source port 53;`. The port number may differ, but the line of concern is any `query-source` configuration statement, which indicates that randomized source ports are not in use. |
Fix Text (F-27639r1_fix) |
---|
Upgrade to at least the required software version as specified in IAVA 2008-A-0045 and ensure that named.conf does not contain any `query-source` statements. |
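The check and fix above amount to scanning named.conf for a `query-source` statement that is not commented out. The following shell script is an added example, not part of the STIG or of BIND, that automates the check and runs it against two constructed named.conf samples, one with the weak setting the check text describes and one with the statement removed. The function names, temporary file paths and sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the STIG: check a BIND named.conf for any
# query-source / query-source-v6 statement outside comments. A fixed port in
# such a statement overrides BIND's per-query source-port randomization.

# Print query-source lines from the file given as $1, after stripping //, #
# and single-line /* */ comments so that commented-out entries do not count.
# (Multi-line block comments are not handled; an assumption for this example.)
find_query_source() {
    sed -e 's|/\*.*\*/||' -e 's|//.*||' -e 's|#.*||' "$1" |
        grep -E '^[[:space:]]*query-source(-v6)?([[:space:]]|;)'
}

# Return 0 (pass) when no query-source statement is present, 1 (finding) otherwise.
check_named_conf() {
    if find_query_source "$1" >/dev/null; then
        echo "FINDING: $1 sets query-source:"
        find_query_source "$1" | sed 's/^/    /'
        return 1
    fi
    echo "PASS: $1 has no query-source statement"
    return 0
}

# Constructed sample named.conf with the weak configuration the check text names.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    query-source port 53;       // every outbound query leaves from UDP/53
};
EOF

# Constructed sample with the statement commented out, as the fix text requires.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    # query-source port 53;    commented out: BIND picks a random port per query
};
EOF
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT

check_named_conf "$WEAK_CONF" || :   # reports the finding and continues
check_named_conf "$FIXED_CONF"
```

Run it against a real server with `check_named_conf /etc/named.conf` (path assumed; adjust to the installation). Because the script strips comments before matching, a `query-source` line that has merely been commented out passes, which is the state the fix text requires. With a fixed source port, the 16-bit transaction ID is the only value in the query an attacker still has to match, which is why the STIG treats any `query-source` statement as a finding rather than only the `port 53` form.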