| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-14757 | DNS4610 | SV-15514r1_rule | ECSC-1 | Low |
| Description |
|---|
| DNS is only responsible for resolving a domain name to an IP address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned. With this in mind, a denial of service could easily be triggered against an application that is not IPv6 aware. When the application receives an IP address in hexadecimal notation (an IPv6 address), it is up to the application or operating system to decide how to handle the response. Combining IPv6 and IPv4 records in the same zone can lead to application problems that are beyond the scope of the DNS administrator. |
| STIG | Date |
|---|---|
| BIND DNS STIG | 2015-01-05 |
| Check Text (C-12980r1_chk) |
|---|
| **BIND Instruction:** Examine all zone statements in the named.conf file for a line containing the word `file`, which designates the actual file that stores the zone's records. Examine each file that contains zone records and verify that IPv6 and IPv4 resource records are not in the same file. If both kinds of records are found in the same file, this is a finding. |
| **Windows DNS Instruction:** From the Windows task bar, select Start, Programs/All Programs, Administrative Tools, DNS to open the DNS management console. Expand the Forward Lookup Zones folder. Expand each zone folder and examine the host record entries. The third column, titled Data, displays the IP address. Verify that this column does not contain both IPv4 and IPv6 addresses. |
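As an added illustration of the BIND check above (example code, not part of the STIG): a small Python script that pulls the `file` directive out of each zone statement in named.conf and reports the zones whose file carries both A and AAAA records. The named.conf text, zone names and zone file contents are constructed samples, and the check considers only A and AAAA records.

```python
import re

# Constructed sample inputs (not from the STIG): a minimal named.conf and two zone files.
NAMED_CONF = """
zone "example.test" IN {
    type master;
    file "db.example.test";
};
zone "ipv6.example.test" IN {
    type master;
    file "db.ipv6.example.test";
};
"""

ZONE_FILES = {
    "db.example.test": """$TTL 3600
@   IN SOA ns1.example.test. hostmaster.example.test. (1 7200 3600 1209600 3600)
www IN A    192.0.2.20
www IN AAAA 2001:db8::20   ; IPv6 record mixed into the IPv4 zone -> finding
""",
    "db.ipv6.example.test": """$TTL 3600
@   IN SOA ns1.example.test. hostmaster.example.test. (1 7200 3600 1209600 3600)
www IN AAAA 2001:db8::20
""",
}

# A zone statement runs from 'zone "name"' to the first '};' at the start of a line.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)^\};', re.S | re.M)
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"\s*;')

def zone_files(named_conf):
    """Map each zone name in named.conf to the path given in its 'file' directive."""
    result = {}
    for name, body in ZONE_RE.findall(named_conf):
        m = FILE_RE.search(body)
        if m:
            result[name] = m.group(1)
    return result

def record_types(zone_text):
    """Return the set of address record types ('A', 'AAAA') present in a zone file."""
    types = set()
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop ';' comments, then tokenize
        types.update(t for t in ("A", "AAAA") if t in fields)
    return types

def mixed_zones(named_conf, files):
    """Return the zones whose file holds both IPv4 (A) and IPv6 (AAAA) records."""
    return sorted(zone for zone, path in zone_files(named_conf).items()
                  if path in files and record_types(files[path]) >= {"A", "AAAA"})
```

On a live server, read each path from `zone_files()` relative to the `directory` option in named.conf; any zone returned by `mixed_zones()` is a finding under this rule.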
| Fix Text (F-14235r1_fix) |
|---|
| The SA should remove the IPv6 records from the IPv4 zone and create a second zone with all IPv6 records. |