Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4491 | DNS0500 | SV-4491r1_rule | ECSC-1 | High |
Description |
---|
All caching name servers must be authoritative for the root zone because without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name servers clients. When authoritative servers are sent queries for zones that they are not authoritative for, and they are configured as a non-caching server (as recommended), they can either be configured to return a referral to the root servers or they can be configured to refuse to answer the query. The recommendation is to configure authoritative servers to refuse to answer queries for any zones for which they are not authoritative. This is more efficient for the server, and allows it to spend more of its resources doing what its intended purpose is; answering authoritatively for its zone. The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name server’s clients. |
STIG | Date |
---|---|
BIND DNS | 2013-01-10 |
Check Text ( C-3556r1_chk ) |
---|
BIND Instruction: This check is only applicable to caching name servers. Review the entries within the root hints file and validate that the entries are correct. Common names for the root hints file are root.hints, named.cache, or db.cache. The name is configurable within the named.conf file. Refer to the DNS Checklist for the correct entries. Windows DNS Instruction: This check only applies if the name server is a caching name server, the Windows DNS servers are to only be configured as master name servers. This requirement is only valid if the Windows DNS server is configured as a caching server, which would result in another finding. If the server is configured as a caching server, examine the DNS server properties by right clicking the server and selecting properties from the DNS Management console snap-in. Examine the entries under the Root Hints tab to ensure they are the same as the table below. These addresses are only valid for the NIPRNET. In cases in which the name server is not running BIND or Windows DNS, the reviewer must still examine the configuration and its documentation to validate this requirement |
Fix Text (F-4376r1_fix) |
---|
The DNS database administrator should configure the root hints file with these valid listed IP addresses. A.ROOT-SERVERS.NET. 198.41.0.4 B.ROOT-SERVERS.NET. 192.228.79.201 C.ROOT-SERVERS.NET. 192.33.4.12 D. ROOT-SERVERS.NET. 128.8.10.90 E. ROOT-SERVERS.NET. 192.203.230.10 F. ROOT-SERVERS.NET. 192.5.5.241 G. ROOT-SERVERS.NET. 192.112.36.4 H. ROOT-SERVERS.NET. 128.63.2.53 I. ROOT-SERVERS.NET. 192.36.148.17 J. ROOT-SERVERS.NET. 192.58.128.30 K. ROOT-SERVERS.NET. 193.0.14.129 L. ROOT-SERVERS.NET. 199.7.83.42 M. ROOT-SERVERS.NET. 202.12.27.33 Root server IP addresses for the SIPRNet can be obtained by contacting the Network Information Center (DoD NIC), https://www.nic.mil. |