
The DNS server will not use a statically configured source port for all DNS query traffic.


Overview

Finding ID: V-24996
Version: DNS4720
Rule ID: SV-45114r1_rule
IA Controls: ECSC-1
Severity: High
Description
DNS queries are sent over UDP for performance reasons. A DNS server acts upon the first response that matches the characteristics of its outbound query, and such a response can be forged. To be accepted, a forged response must match the query source port (usually an "ephemeral" port above 1024), the responding IP address, the DNS transaction ID, and the Question section of the outgoing query. The DNS protocol specification does not require any of these to have a great degree of randomness or unpredictability, which makes certain attacks possible.
STIG: BIND DNS
Date: 2013-01-10

Details

Check Text ( C-42586r3_chk )
Locate and examine the named.conf file. Find the 'options' statement and ensure it does not contain a 'query-source' statement with a static 'port' defined. For example:

query-source port 1043;

The port number may differ; the concern is any 'query-source' statement that fixes the source port, which overrides the randomized source ports that BIND uses by default.

If there is an operational need for the 'query-source' statement, the 'address' parameter may be used as long as the ports remain randomized. An acceptable example is:

query-source address 192.168.3.19;

However, the following would not be allowed:

query-source address 192.168.3.19 port 1043;

If no 'query-source' statement is defined, this is not a finding.
If a 'query-source' statement is used with a static port defined, this is a finding.
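A small audit script for the check above, added here as an example and not part of the STIG or of BIND itself: it strips named.conf comments, finds every 'query-source' and 'query-source-v6' statement, and reports a finding only when a fixed port number is set. An address-only statement passes, as does 'port *' (BIND's explicit "choose a random port" value). The named.conf fragments below are constructed for illustration, not taken from any real deployment.

```python
import re
import sys

# Constructed named.conf fragments used as sample input (not real configs).
STATIC_PORT_CONF = """
options {
    directory "/var/named";
    // a fixed source port defeats BIND's default source-port randomization
    query-source address 192.168.3.19 port 1043;
};
"""

ADDRESS_ONLY_CONF = """
options {
    directory "/var/named";
    query-source address 192.168.3.19;   /* address pinned, port still random */
    query-source-v6 address * port *;    # '*' means "pick a random port"
};
"""

NO_STATEMENT_CONF = """
options {
    directory "/var/named";
};
"""

# Match a query-source or query-source-v6 statement up to its terminating ';'.
QUERY_SOURCE_RE = re.compile(r"\bquery-source(-v6)?\b([^;]*);")
# Match the 'port <value>' clause inside such a statement.
PORT_RE = re.compile(r"\bport\s+(\S+)")


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, //, and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    return text


def audit_query_source(config_text: str):
    """Return a list of (statement, verdict) pairs, verdict being 'ok' or 'finding'.

    A statement is a finding only when its port clause is a literal port number;
    no port clause, or 'port *', leaves source ports randomized and is acceptable.
    """
    results = []
    for match in QUERY_SOURCE_RE.finditer(strip_comments(config_text)):
        statement = match.group(0).strip()
        port = PORT_RE.search(match.group(2))
        if port is None or port.group(1) == "*":
            results.append((statement, "ok"))
        else:
            results.append((statement, "finding"))
    return results


def is_finding(config_text: str) -> bool:
    """True when at least one query-source statement pins a static port."""
    return any(verdict == "finding" for _, verdict in audit_query_source(config_text))


if __name__ == "__main__":
    # Usage: python audit_query_source.py /etc/named.conf
    with open(sys.argv[1], encoding="utf-8") as fh:
        for statement, verdict in audit_query_source(fh.read()):
            print(f"{verdict:8} {statement}")
    print("FINDING" if is_finding(open(sys.argv[1], encoding="utf-8").read()) else "not a finding")
```

The comment stripping matters in practice: a commented-out 'query-source ... port 1043;' left behind from an older configuration is not a finding, and a naive grep would flag it.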
Fix Text (F-27639r1_fix)
Upgrade to at least the required software version as specified in IAVA 2008-A-0045, and ensure that named.conf does not contain any query-source statements.