For Ubuntu operating systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-215145 | UBTU-16-030520 | SV-215145r610931_rule | Low |
| Description |
|---|
| To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. |
| STIG | Date |
|---|---|
| Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide | 2020-12-09 |
Details
| Check Text ( C-16344r285303_chk ) |
|---|
| Determine whether the Ubuntu operating system is using local or Domain Name Server (DNS) name resolution with the following command: # grep hosts /etc/nsswitch.conf hosts: files dns If the DNS entry is missing from the host’s line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. If the "/etc/resolv.conf" file is not empty, this is a finding. If the DNS entry is found on the host’s line of the "/etc/nsswitch.conf" file, verify the Ubuntu operating system is configured to use two or more name servers for DNS resolution. Determine the name servers used by the system with the following command: # sudo grep nameserver /etc/resolv.conf nameserver 192.168.1.2 nameserver 192.168.1.3 If less than two lines are returned that are not commented out, this is a finding. |
| Fix Text (F-16342r285304_fix) |
|---|
| Configure the Ubuntu operating system to use two or more name servers for Domain Name Server (DNS) resolution. Edit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows: # echo -n > /etc/resolv.conf |