Dynamic updates are not cryptographically authenticated.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-4481	DNS0450	SV-4481r2_rule	DCNR-1	High

Description
The dynamic update capability has considerable appeal in an environment in which IP addresses change so frequently that it would be unacceptably burdensome or expensive to dedicate the time of a DNS database administrator to this function. This condition would likely be met at sites that rely on the Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to client devices such as workstations, laptops, and IP telephones. It would also apply to sites that utilize frequently changing service (SRV) records. On the other hand, dynamic updates can pose a security risk if the proper security controls are not implemented. When dynamic updates are permitted without any mitigating controls, a host with network access to the name server can modify any zone record with an appropriately crafted dynamic update request. The solution is to require cryptographic authentication of all dynamic update requests, but not all DNS software supports this functionality.

Description

The dynamic update capability has considerable appeal in an environment in which IP addresses change so frequently that it would be unacceptably burdensome or expensive to dedicate the time of a DNS database administrator to this function. This condition would likely be met at sites that rely on the Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to client devices such as workstations, laptops, and IP telephones. It would also apply to sites that utilize frequently changing service (SRV) records. On the other hand, dynamic updates can pose a security risk if the proper security controls are not implemented. When dynamic updates are permitted without any mitigating controls, a host with network access to the name server can modify any zone record with an appropriately crafted dynamic update request. The solution is to require cryptographic authentication of all dynamic update requests, but not all DNS software supports this functionality.

STIG	Date
BIND DNS STIG	2015-10-01

Details

Check Text ( C-3528r1_chk )
BIND Instruction: The reviewer should review the configuration files and check each zone statement for the presence of the allow-update phrase, which enables cryptographically authenticated dynamic updates: The reviewer should identify the allow-update phrase. The following example disables dynamic updates: allow-update {none;}; In addition, the absence of the allow-update clause will deny updates by default. If dynamic updates are not disabled, as shown in the above example, they must be cryptographically authenticated as shown in the below example. The following example demonstrates cryptographically authenticated dynamic updates: allow-update {key ns1.kalamazoo.disa.mil_ns2.kalamazoo.disa.mil; }; If dynamic updates are not disabled or cryptographically authenticated, then this is a finding. Windows 2000/2003 DNS Instruction: In the presence of the reviewer, the SA must review the “Properties” dialog box, select the “General” tab, and check to see if dynamic updates are allowed. If dynamic updates are enabled, ensure that “Only secure updates” has been selected. If this is not the case, then this is a finding.

Check Text ( C-3528r1_chk )

BIND

Instruction: The reviewer should review the configuration files and check each zone statement for the presence of the allow-update phrase, which enables cryptographically authenticated dynamic updates:

The reviewer should identify the allow-update phrase. The following example disables dynamic updates:

allow-update {none;};

In addition, the absence of the allow-update clause will deny updates by default.
If dynamic updates are not disabled, as shown in the above example, they must be cryptographically authenticated as shown in the below example.

The following example demonstrates cryptographically authenticated dynamic updates:

allow-update {key ns1.kalamazoo.disa.mil_ns2.kalamazoo.disa.mil;
};

If dynamic updates are not disabled or cryptographically authenticated, then this is a finding.

Windows 2000/2003 DNS

Instruction: In the presence of the reviewer, the SA must review the “Properties” dialog box, select the “General” tab, and check to see if dynamic updates are allowed. If dynamic updates are enabled, ensure that “Only secure updates” has been selected. If this is not the case, then this is a finding.

Fix Text (F-4366r1_fix)
For BIND implementations, the DNS software administrator must ensure that each zone statement in named.conf contains the phrase allow update{none;}; to disable dynamic updates or allow-update {key ks1.kalamazoo.disa.mil_ns2.kalamazoo.disa.mil;}; (this is an example key name) to encrypt dynamic updates. For Windows 2000 DNS, disable dynamic updates or if dynamic updates are allowed via the General tab within the Properties dialog box, the DNS software administrator should select Only secure updates. In cases in which the name server is not running BIND or Windows 2000 DNS, the DNS software administrator must determine how to disable dynamic updates or encrypt them. If this is not possible, then the product must be replaced as soon as it is feasible to do so.

Fix Text (F-4366r1_fix)

For BIND implementations, the DNS software administrator must ensure that each zone statement in named.conf contains the phrase allow update{none;}; to disable dynamic updates or allow-update {key ks1.kalamazoo.disa.mil_ns2.kalamazoo.disa.mil;}; (this is an example key name) to encrypt dynamic updates. For Windows 2000 DNS, disable dynamic updates or if dynamic updates are allowed via the General tab within the Properties dialog box, the DNS software administrator should select Only secure updates. In cases in which the name server is not running BIND or Windows 2000 DNS, the DNS software administrator must determine how to disable dynamic updates or encrypt them. If this is not possible, then the product must be replaced as soon as it is feasible to do so.