UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The forwarding configuration of DNS servers must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. Government.


Overview

Finding ID Version Rule ID IA Controls Severity
V-12774 DNS0482 SV-13339r3_rule ECSC-1 Medium
Description
If remote servers to which DoD DNS servers send queries are controlled by entities outside of the U.S. Government the possibility of a DNS attack is increased. The Enterprise Recursive Service (ERS) provides the ability to apply enterprise-wide policy to all recursive DNS traffic that traverses the NIPRNet-to-Internet boundary. All recursive DNS servers on the NIPRNet must be configured to exclusively forward DNS traffic traversing NIPRNet-to-Internet boundary to the ERS anycast IPs. Organizations need to carefully configure any forwarding that is being used by their caching name servers. They should only configure "forwarding of all queries" to servers within the DoD. Systems configured to use domain-based forwarding should not forward queries for mission critical domains to any servers that are not under the control of the US Government.
STIG Date
BIND DNS STIG 2015-01-05

Details

Check Text ( C-9299r2_chk )
BIND

This check applies to caching servers only. Review the named.conf file to validate that BIND is configured to forward all DNS traffic to the DISA Enterprise Recursive Service (ERS) anycast IP addresses (214.16.26.1, 214.27.166.1, 214.71.0.1).

The global options section of the named.conf should contain the following:

forward only;
forwarders { 214.16.26.1; 214.27.166.1; 214.71.0.1; };

If the named.conf options are not set to forward queries only to the ERS anycast IPs, this is a finding. Some DNS servers are preconfigured, the defaults must be changed.

Windows DNS:

This check does not apply to Windows DNS servers as they should not be deployed as a caching name server.

The use of forwarders is prohibited on Windows 2003 and 2008 DNS. Windows servers should not have any forwarding enabled. This can be configured from the client side stub resolver. However if this should change, Windows DNS servers will also be required to forward queries only to the ERS anycast IPs.
Fix Text (F-12296r2_fix)
The SA will ensure the forwarding configuration of DNS prohibits forwarding of queries to any servers other than those defined by Enterprise Recursive Service (ERS).