
Zone-spanning CNAME records, that point to a zone with lesser security, are active for more than six months.


Overview

Finding ID: V-4469
Version: DNS0235
Rule ID: SV-4469r1_rule
IA Controls: ECSC-1
Severity: Low
Description
The use of CNAME records for exercises, tests, or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an adversary has two points of attack: the zone in which the alias is defined and the zone authoritative for the alias's canonical name. This configuration also slows client resolution because it requires a second lookup after the canonical name is obtained. Furthermore, in the case of an authoritative name server, this information is promulgated throughout the enterprise to caching servers, compounding the vulnerability.
STIG: BIND DNS
Date: 2013-07-08

Details

Check Text ( C-3432r1_chk )
BIND
The zone file location can be found by examining named.conf and searching for the zone statement; within the zone statement, the file option gives the name of the zone file. In the zone file, the record type column will display CNAME. This is usually the third or fourth field in a record, depending on whether a TTL value is present: without a TTL value the CNAME type is in the third field, otherwise it is in the fourth field. Review the zone files and the DNS zone record documentation to confirm that there are no CNAME records older than 6 months. If there are CNAME records older than 6 months, then this is a finding.
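The BIND check above can be scripted rather than read by eye. The following is an added example, not part of the STIG or of BIND: it parses a constructed sample zone file for CNAME records (skipping the optional TTL and class fields so the type is found whether it sits in the third or fourth field), keeps only the zone-spanning ones (targets outside the zone named in the named.conf zone statement), and compares each against a constructed stand-in for the DNS zone record documentation. The zone name, the sample records, the documentation dictionary and the 183-day approximation of six months are all assumptions for illustration; a zone-spanning CNAME with no documented creation date is reported too, since its age cannot be shown to be within six months.

```python
from datetime import date, timedelta

# Constructed sample zone for example.test. (not from the STIG). Two CNAMEs
# stay inside the zone; three point into other zones (zone-spanning).
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@           IN  SOA   ns1.example.test. hostmaster.example.test. (2013070801 3600 900 604800 86400)
            IN  NS    ns1.example.test.
ns1         IN  A     192.0.2.1
www         IN  A     192.0.2.10
web     300 IN  CNAME www
old-portal  IN  CNAME portal.partner.example.
; migration alias, still needed
shop   3600 IN  CNAME shop.hosted.example.
legacy      IN  CNAME app.other.example.
intranet    IN  CNAME www.example.test.
"""

# Constructed stand-in for the DNS zone record documentation:
# CNAME owner name -> ISO date the record was created. "legacy" is
# deliberately left undocumented.
SAMPLE_DOCUMENTATION = {
    "web.example.test.": "2013-06-01",
    "old-portal.example.test.": "2012-10-15",
    "shop.example.test.": "2013-05-20",
    "intranet.example.test.": "2012-01-01",
}

SIX_MONTHS = timedelta(days=183)  # assumption: six months approximated as 183 days


def fqdn(name, origin):
    """Qualify a relative owner or target name against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_cnames(zone_text, zone):
    """Return (owner, target) pairs for every CNAME record in a BIND zone file.

    Handles comments, $ORIGIN changes, owner-name inheritance from the
    previous record, and the optional TTL and class fields that shift the
    record type between the third and fourth field."""
    origin = zone
    last_owner = None
    cnames = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue  # $TTL, $INCLUDE, etc. carry no records
        fields = line.split()
        if line[0].isspace():
            owner = last_owner  # leading blank: owner inherited from previous record
        else:
            owner = fields.pop(0)
            last_owner = owner
        idx = 0
        if idx < len(fields) and fields[idx].isdigit():
            idx += 1  # optional TTL
        if idx < len(fields) and fields[idx].upper() in ("IN", "CH", "HS"):
            idx += 1  # optional class
        if idx + 1 < len(fields) and fields[idx].upper() == "CNAME":
            cnames.append((fqdn(owner, origin), fqdn(fields[idx + 1], origin)))
    return cnames


def is_zone_spanning(target, zone):
    """True when the canonical name lies outside the zone being checked."""
    return not (target == zone or target.endswith("." + zone))


def stale_zone_spanning_cnames(zone_text, documentation, today, zone):
    """Apply the check: return (owner, target, age_in_days) for each
    zone-spanning CNAME active for more than six months as of `today`
    (ISO date). Undocumented zone-spanning CNAMEs are returned with age None."""
    as_of = date.fromisoformat(today)
    findings = []
    for owner, target in parse_cnames(zone_text, zone):
        if not is_zone_spanning(target, zone):
            continue
        created = documentation.get(owner)
        if created is None:
            findings.append((owner, target, None))
            continue
        age = as_of - date.fromisoformat(created)
        if age > SIX_MONTHS:
            findings.append((owner, target, age.days))
    return findings


if __name__ == "__main__":
    for owner, target, age in stale_zone_spanning_cnames(
        SAMPLE_ZONE, SAMPLE_DOCUMENTATION, "2013-07-08", "example.test."
    ):
        status = "no documented creation date" if age is None else f"active {age} days"
        print(f"FINDING: {owner} -> {target} ({status})")
```

Run against a real deployment, the zone text would be read from the file named in the named.conf zone statement and the documentation from wherever the DNS administrator keeps record history; the only result that matters for the finding is a non-empty list.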

Windows
Open the DNS management snap-in from the Administrative Tools menu. Expand the Forward Lookup Zones folder. Review the type column for each record to locate those with a type of Alias (CNAME). Ask the DNS administrator to see the database where the record documentation is stored to confirm there are no CNAME records older than 6 months.
Fix Text (F-4354r1_fix)
The DNS database administrator should remove any zone-spanning CNAME records that have been active for more than six months.