Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-24996 | DNS4720 | SV-45114r1_rule | ECSC-1 | High |
Description |
---|
DNS UDP queries are used for performance reasons. A DNS server acts upon the first response that matches the characteristics of its outbound query, and those characteristics can be forged: the query source port (usually an "ephemeral" port above 1024), the responding IP address, the DNS transaction ID, and the Question section of the outgoing query. The DNS protocol specification requires none of these to have a great degree of randomness or unpredictability, which makes certain attacks possible. |
STIG | Date |
---|---|
BIND DNS | 2013-01-10 |
Check Text ( C-42586r3_chk ) |
---|
Locate and examine the named.conf file. Find the 'options' statement and ensure it does not contain a 'query-source' statement with a static 'port' defined. For example: `query-source port 1043;` The port number may be different, but the primary line of concern is a query-source configuration statement that disables the randomized source ports that are the default setting. If there is an operational need for the 'query-source' statement, the 'address' parameter may be used as long as the ports remain randomized. An acceptable example is `query-source address 192.168.3.19;` However, the following would not be allowed: `query-source address 192.168.3.19 port 1043;` If no 'query-source' statement is defined, this is not a finding. If a 'query-source' statement is used with a static port defined, this is a finding. |
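One way to automate the check above, as an added example that is not part of the STIG: a small Python script that strips named.conf comments, isolates the 'options' block, and reports every query-source statement that pins a numeric port. The helper names (`strip_comments`, `options_block`, `check_query_source`) and the sample configuration are constructed for this example; it also inspects `query-source-v6`, which the check text does not mention but which takes the same `port` clause.

```python
import re

# Constructed named.conf fragment for this example; not from the STIG.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    // query-source port 1043;                  commented out, ignored
    query-source address 192.168.3.19 port 1043;   /* static port: finding */
    query-source-v6 address 2001:db8::1;           /* no port clause: OK */
};
"""

def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_block(text: str) -> str:
    """Return the body of the top-level 'options { ... }' block, or '' if absent."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]  # unbalanced braces: inspect what is there anyway

def check_query_source(conf: str) -> list:
    """Return (statement, port) for each query-source* statement that sets a
    static numeric port. 'port *' or no port clause keeps ports randomized."""
    findings = []
    for stmt in options_block(strip_comments(conf)).split(";"):
        tokens = stmt.split()
        if not tokens or tokens[0] not in ("query-source", "query-source-v6"):
            continue
        if "port" in tokens:
            i = tokens.index("port")
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                findings.append((tokens[0], int(tokens[i + 1])))
    return findings

if __name__ == "__main__":
    for stmt, port in check_query_source(SAMPLE_NAMED_CONF):
        print(f"FINDING V-24996: '{stmt}' pins the source port to {port}")
```

An empty result means no query-source statement pins a port, which the check text classifies as not a finding.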
Fix Text (F-27639r1_fix) |
---|
Upgrade to at least the required software version as specified in IAVA 2008-A-0045 and ensure that named.conf does not contain any query-source statements. |