The forwarding configuration of DNS servers allows the forwarding of queries to servers controlled by organizations outside of the U.S. Government.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-12774	DNS0482	SV-13339r1_rule	ECSC-1	Medium

Description
A side-effect of forwarding is that if the link between the forwarding server and the server to which queries are being forwarded is broken, DNS resolution will not work for the domain or domains being forwarded to the remote server. Query forwarding also allows the administrators of the remote server to change the DNS responses that are received by the clients of the forwarding servers. Organizations need to carefully configure any forwarding that is being used by their caching name servers. They should only configure "forwarding of all queries" to servers within the DoD. Systems configured to use domain-based forwarding should not forward queries for mission critical domains to any servers that are not under the control of the US Government.

Description

A side-effect of forwarding is that if the link between the forwarding server and the server to which queries are being forwarded is broken, DNS resolution will not work for the domain or domains being forwarded to the remote server. Query forwarding also allows the administrators of the remote server to change the DNS responses that are received by the clients of the forwarding servers. Organizations need to carefully configure any forwarding that is being used by their caching name servers. They should only configure "forwarding of all queries" to servers within the DoD. Systems configured to use domain-based forwarding should not forward queries for mission critical domains to any servers that are not under the control of the US Government.

STIG	Date
BIND DNS	2013-01-10

Details

Check Text ( C-9299r1_chk )
BIND This check applies to caching servers only. Review the "options" statement in the named.conf file. The forwarders statement will have either a list of IP addresses or a name, which is defined by the ACL. Review the list of addresses for compliance. If they are outside of U.S. Government controlled IP address ranges, this is a finding. Some DNS servers are preconfigured, the defaults must be changed. Windows DNS: This check does not apply to Windows DNS servers as they should not be deployed as a caching name server. The use of forwarders is prohibited on Windows 2003 DNS. Windows servers should not have any forwarding enabled. This can be configured from the client side stub resolver.

Check Text ( C-9299r1_chk )

BIND

This check applies to caching servers only. Review the "options" statement in the named.conf file. The forwarders statement will have either a list of IP addresses or a name, which is defined by the ACL. Review the list of addresses for compliance. If they are outside of U.S. Government controlled IP address ranges, this is a finding. Some DNS servers are preconfigured, the defaults must be changed.

Windows DNS:

This check does not apply to Windows DNS servers as they should not be deployed as a caching name server.

The use of forwarders is prohibited on Windows 2003 DNS. Windows servers should not have any forwarding enabled. This can be configured from the client side stub resolver.

Fix Text (F-12296r1_fix)
The SA will ensure the forwarding configuration of DNS servers does not forward queries to any servers controlled by organizations outside the US Government.