
All DNS caching resolvers (A/K/A “recursive name servers”) will have port and Query ID randomization enabled for all DNS query packets/frames.


Overview

Finding ID: V-24997
Version: DNS4730
Rule ID: SV-30737r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
DNS queries are normally conducted over UDP for performance reasons, although the protocol will fall back to TCP in certain cases. Unfortunately, the lack of a true bi-directional connection in UDP greatly simplifies certain attacks that involve forged packets. While the connectionless UDP is in use, DNS servers will typically treat the first DNS response that matches certain characteristics of the outgoing query as the true response, and act upon the information provided. The relevant characteristics for a valid or forged response are the query source port (usually an “ephemeral” port above 1024), the responding IP address, the DNS transaction ID, and the Question section of the outgoing query. In the DNS protocol specification, none of these are required to have a great degree of randomness or unpredictability, which makes certain attacks possible. Eugene Kashpureff demonstrated a fairly simple but effective attack in 1997, which led to software improvements that included verification that information included in the response was in fact something for which the responding server should be trusted (referred to as “in bailiwick”). Because this issue is fundamental to the DNS protocol over UDP, the IETF has devised the DNS Security Extensions (DNSSEC) and Transaction Authentication (TSIG) as protocol extensions to provide methods for cryptographic validation of data. TSIG has been widely adopted and has been a DNS STIG requirement for several years, but DNSSEC has only recently become sufficiently mature and supported to be suitable for operational deployment. Until DNSSEC is fully deployed, attacks on DNS-over-UDP, including cache poisoning attacks, will continue to be effective.
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text ( C-31147r1_chk )
Locate the named.conf file. To determine if this is a recursive server, look for the following statement:
recursion yes;

After determining this is a recursive server, determine the version of BIND on the machine by running: named -v. Port and query randomization are enabled by default in BIND versions 9.3.5-P1, 9.4.2-P1, 9.5.0-P1 and greater. In those versions, the absence of the query-source statement indicates that port and query randomization is in use. If the query-source statement is found and in use, then this is a finding.
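The check above, scripted as an added example (not part of the STIG or of ISC's BIND tooling): it compares the output of named -v against the three minimum releases and inspects a named.conf for an active recursion yes; statement and any query-source statement, ignoring commented-out lines. It goes slightly beyond the check text by also catching query-source-v6 and reporting whether a statement pins a fixed port. The sample configuration, including the address 192.0.2.10, is constructed for the example.

```python
import re

# Minimum releases named in the STIG per branch; 9.5.0-P1 covers every later branch.
_MINIMUMS = {(9, 3): (9, 3, 5, 1), (9, 4): (9, 4, 2, 1)}
_DEFAULT_MINIMUM = (9, 5, 0, 1)

def parse_version(text):
    """'BIND 9.4.2-P2' -> (9, 4, 2, 2); a release without -Pn gets 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?", text)
    if not m:
        raise ValueError("no BIND version found in %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))

def randomizes_by_default(version_text):
    """True if 'named -v' output names a release that randomizes by default."""
    v = parse_version(version_text)
    return v >= _MINIMUMS.get(v[:2], _DEFAULT_MINIMUM)

def _strip_comments(conf):
    """Drop /* */, // and # comments so commented-out statements are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def audit_named_conf(conf):
    """Report recursion, active query-source statements and any pinned port."""
    body = _strip_comments(conf)
    recursive = re.search(r"\brecursion\s+yes\s*;", body) is not None
    sources = [" ".join(s.split())
               for s in re.findall(r"\bquery-source(?:-v6)?\s+[^;]*;", body)]
    return {
        "recursive": recursive,
        "query_source": sources,
        "pinned_port": [s for s in sources if re.search(r"\bport\s+\d+", s)],
        # DNS4730: any query-source statement on a recursive server is a finding.
        "finding": recursive and bool(sources),
    }

# Constructed sample named.conf (not taken from any real system).
SAMPLE_CONF = """\
options {
    directory "/var/named";
    recursion yes;
    // query-source address * port 53;   <- commented out, so not active
    query-source address 192.0.2.10 port 53;
};
"""

if __name__ == "__main__":
    print("randomizes:", randomizes_by_default("BIND 9.4.2-P1"))
    print("audit:", audit_named_conf(SAMPLE_CONF))
```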
Fix Text (F-27640r1_fix)
Upgrade to the required software stated in 2008-A-0045 and ensure the query-source statement is not configured in the named.conf file.