UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Valid root name servers do not appear in the local root zone file. G and H root servers, at a minimum, do not appear in the local root zone files.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4491 DNS0500 SV-4491r1_rule ECSC-1 High
Description
All caching name servers must be authoritative for the root zone because without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name servers clients. When authoritative servers are sent queries for zones that they are not authoritative for, and they are configured as a non-caching server (as recommended), they can either be configured to return a referral to the root servers or they can be configured to refuse to answer the query. The recommendation is to configure authoritative servers to refuse to answer queries for any zones for which they are not authoritative. This is more efficient for the server, and allows it to spend more of its resources doing what its intended purpose is; answering authoritatively for its zone. The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name server’s clients.
STIG Date
BIND DNS 2013-01-10

Details

Check Text ( C-3556r1_chk )
BIND

Instruction: This check is only applicable to caching name servers. Review the entries within the root hints file and validate that the entries are correct. Common names for the root hints file are root.hints, named.cache, or db.cache. The name is configurable within the named.conf file. Refer to the DNS Checklist for the correct entries.

Windows DNS

Instruction: This check only applies if the name server is a caching name server, the Windows DNS servers are to only be configured as master name servers. This requirement is only valid if the Windows DNS server is configured as a caching server, which would result in another finding. If the server is configured as a caching server, examine the DNS server properties by right clicking the server and selecting properties from the DNS Management console snap-in. Examine the entries under the Root Hints tab to ensure they are the same as the table below. These addresses are only valid for the NIPRNET.

In cases in which the name server is not running BIND or Windows DNS, the reviewer must still examine the configuration and its documentation to validate this requirement
Fix Text (F-4376r1_fix)
The DNS database administrator should configure the root hints file with these valid listed IP addresses.
A.ROOT-SERVERS.NET. 198.41.0.4
B.ROOT-SERVERS.NET. 192.228.79.201
C.ROOT-SERVERS.NET. 192.33.4.12
D. ROOT-SERVERS.NET. 128.8.10.90
E. ROOT-SERVERS.NET. 192.203.230.10
F. ROOT-SERVERS.NET. 192.5.5.241
G. ROOT-SERVERS.NET. 192.112.36.4
H. ROOT-SERVERS.NET. 128.63.2.53
I. ROOT-SERVERS.NET. 192.36.148.17
J. ROOT-SERVERS.NET. 192.58.128.30
K. ROOT-SERVERS.NET. 193.0.14.129
L. ROOT-SERVERS.NET. 199.7.83.42
M. ROOT-SERVERS.NET. 202.12.27.33

Root server IP addresses for the SIPRNet can be obtained by contacting the Network Information Center (DoD NIC), https://www.nic.mil.