Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-12774 | DNS0482 | SV-13339r3_rule | ECSC-1 | Medium |
Description |
---|
If remote servers to which DoD DNS servers send queries are controlled by entities outside of the U.S. Government the possibility of a DNS attack is increased. The Enterprise Recursive Service (ERS) provides the ability to apply enterprise-wide policy to all recursive DNS traffic that traverses the NIPRNet-to-Internet boundary. All recursive DNS servers on the NIPRNet must be configured to exclusively forward DNS traffic traversing NIPRNet-to-Internet boundary to the ERS anycast IPs. Organizations need to carefully configure any forwarding that is being used by their caching name servers. They should only configure "forwarding of all queries" to servers within the DoD. Systems configured to use domain-based forwarding should not forward queries for mission critical domains to any servers that are not under the control of the US Government. |
STIG | Date |
---|---|
BIND DNS STIG | 2015-01-05 |
Check Text ( C-9299r2_chk ) |
---|
BIND This check applies to caching servers only. Review the named.conf file to validate that BIND is configured to forward all DNS traffic to the DISA Enterprise Recursive Service (ERS) anycast IP addresses (214.16.26.1, 214.27.166.1, 214.71.0.1). The global options section of the named.conf should contain the following: forward only; forwarders { 214.16.26.1; 214.27.166.1; 214.71.0.1; }; If the named.conf options are not set to forward queries only to the ERS anycast IPs, this is a finding. Some DNS servers are preconfigured, the defaults must be changed. Windows DNS: This check does not apply to Windows DNS servers as they should not be deployed as a caching name server. The use of forwarders is prohibited on Windows 2003 and 2008 DNS. Windows servers should not have any forwarding enabled. This can be configured from the client side stub resolver. However if this should change, Windows DNS servers will also be required to forward queries only to the ERS anycast IPs. |
Fix Text (F-12296r2_fix) |
---|
The SA will ensure the forwarding configuration of DNS prohibits forwarding of queries to any servers other than those defined by Enterprise Recursive Service (ERS). |