UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS server will not use a statically configured source port for all DNS query traffic.


Overview

Finding ID Version Rule ID IA Controls Severity
V-24996 DNS4720 SV-30736r1_rule ECSC-1 High
Description
DNS UDP queries are being used for performance reasons. DNS Servers act upon the first response that matches similar characteristics of the outbound query which can be forged. Forged responses are the query source port (usually an “ephemeral” port above 1024), the responding IP address, the DNS transaction ID, and the Question section of the outgoing query. In the DNS protocol specification, none of these are required to have a great degree of randomness or unpredictability which makes certain attacks possible.
STIG Date
BIND DNS 2011-01-20

Details

Check Text ( C-31145r1_chk )
Locate and examine the named.conf file. Find the 'options' statement and ensure it does not contain the following entry;
query-source port 53;

The port number may be different, but the primary line of concern is the query-source configuration statement which is an indication of not using randomized source ports.
Fix Text (F-27639r1_fix)
Upgrade to at least the required software version as specified in IAVA 2008-A-0045 and ensure the named.conf does not contain any statements containing query-source.