UCF STIG Viewer Logo

Recursion is not prohibited on an authoritative name server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4486 DNS0475 SV-4486r3_rule ECSC-1 Medium
Description
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to non-existent hosts (which constitutes a denial of service) or, worse, hosts that masquerade as legitimate ones to obtain sensitive data or passwords. To guard against poisoning, name servers authoritative for .mil domains should be separated functionally from name servers that resolve queries on behalf of internal clients. Organizations may achieve this separation by dedicating machines to each function or, if possible, by running two instances of the name server software on the same machine; one for the authoritative function and the other for the resolving function. In this design, each name server process may be bound to a different IP address or network interface to implement the required segregation.
STIG Date
BIND DNS STIG 2015-10-01

Details

Check Text ( C-47004r1_chk )
BIND

The reviewer should identify the recursion and allow-query phrases. They should look as follows:

Options {
recursion no;
allow-query {none;};
};

Zone “example.com” {
Type master;
File “db.example.com”;
Allow-query { address_match_list };
};

If either of these phrases is missing or have a value other than what is listed above, then this is a finding.

Windows 2003 DNS

Instruction: This check only applies if the name server is a master name server, the Windows DNS servers are to only be configured as master name servers.
Open the DNS management console snap-in. Right click on the server and select properties. If available, under the forwarders tab ensure enable forwarders is not selected. If “Enable forwarders” is checked, this constitutes a finding.
Also examine the “Advanced” tab of the DNS server “Properties” dialog box. If “Disable recursion” is not checked, then this is a finding.
Fix Text (F-4371r1_fix)
The DNS Administrator should configure the authoritative name server to prohibit recursion. Configuration details may be found in the DNS STIG.