
A zone master server does not limit zone transfers to a list of active slave name servers authoritative for that zone.


Overview

Finding ID: V-4483
Version: DNS0460
Rule ID: SV-4483r2_rule
IA Controls: ECAN-1
Severity: Medium
Description
The risk to the master in this situation is that it would honor a request from a host that is not an authorized slave but rather an adversary seeking information about the zone. To protect against this possibility, the master must first know which machines are authorized slaves.
STIG Date
BIND DNS STIG: 2015-10-01

Details

Check Text ( C-3539r1_chk )
BIND

Instruction: This check is only applicable to zone master servers. If there are no allow-transfer phrases within named.conf, then this is a finding. If there are allow-transfer phrases, then check that there is one corresponding to each of the zone partners. If this is not the case, then this is also a finding.

If there are allow-transfer phrases for servers other than those supplied, then there may be a finding associated with the incompleteness of the list.

If the key statement references a file, then no other key statement should reference the same file.

If the key statement includes a character representation of the key itself (an improper configuration), then no other key statement should include the same character string.

On the master name server, this is an example of a configured allow-transfer phrase:

zone "disa.mil" {
    type master;
    file "db.disa.mil";
    allow-transfer { 10.10.10.1; key ns1.kalamazoo.disa.mil_ns2.kalamazoo.disa.mil.; };
};
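The BIND check above can be scripted for review. The following is an added example, not part of the STIG or of BIND: a simplified checker for the named.conf layout shown above (one zone block per `zone "..." { ... };`, no nested comments) that flags master zones with no allow-transfer phrase, phrases missing an expected zone partner, and entries that are not on the reviewer's partner list. The sample configuration, zone names and partner list are constructed for the example.

```python
import re

# Constructed sample named.conf (not from the STIG page); "PLACEHOLDER" is not a real secret.
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; };
key "ns1.example.test_ns2.example.test." { algorithm hmac-sha256; secret "PLACEHOLDER"; };
zone "example.test" {
    type master;
    file "db.example.test";
    allow-transfer { 10.10.10.1; key ns1.example.test_ns2.example.test.; };
};
zone "open.example.test" {
    type master;
    file "db.open.example.test";
};
zone "extra.example.test" {
    type master;
    file "db.extra.example.test";
    allow-transfer { 10.10.10.1; 192.0.2.99; };
};
"""

# Reviewer's list of authorized zone partners per master zone (constructed).
EXPECTED_PARTNERS = {
    "example.test": {"10.10.10.1", "key ns1.example.test_ns2.example.test."},
    "open.example.test": {"10.10.10.1"},
    "extra.example.test": {"10.10.10.1", "10.10.10.2"},
}

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')

def parse_master_zones(conf):
    """Map each 'type master' zone to its set of allow-transfer entries (None if no phrase)."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        if not re.search(r'\btype\s+master\s*;', body):
            continue  # slaves and other zone types are out of scope for this check
        m = XFER_RE.search(body)
        zones[name] = None if m is None else {e.strip() for e in m.group(1).split(';') if e.strip()}
    return zones

def audit(conf, partners):
    """Return (zone, finding) tuples per the STIG check text; an empty list means no finding."""
    findings = []
    for zone, entries in parse_master_zones(conf).items():
        expected = partners.get(zone, set())
        if entries is None:
            findings.append((zone, "no allow-transfer phrase"))
            continue
        findings += [(zone, f"missing partner {p}") for p in sorted(expected - entries)]
        findings += [(zone, f"unexpected entry {e}") for e in sorted(entries - expected)]
    return findings

if __name__ == "__main__":
    for zone, finding in audit(SAMPLE_NAMED_CONF, EXPECTED_PARTNERS):
        print(f"FINDING {zone}: {finding}")
```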

Windows 2000/2003 DNS
This check only applies to Windows DNS zones not integrated with Active Directory. From the DNS management console snap-in, expand the Forward Lookup Zones branch, right-click the zone you want to configure, select Properties, and then select the Zone Transfers tab.
If "Allow zone transfers:" is checked, "Only to the following servers" must also be checked. The reviewer must validate the name servers listed. If this is not the case, then this is a finding.
Fix Text (F-4368r1_fix)
The DNS software administrator should configure each zone master server to limit zone transfers to a list of active slaves authoritative for that zone. Configuration details may be found in the DNS STIG Section 4.2.8.