CISCO CSS DNS

Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

CISCO CSS DNS

Overview

Version	Date	Finding Count (10)			Downloads
4	2015-12-29 2011-01-20 2011-01-20 2011-01-20 2013-04-12 2013-07-08 2013-07-08 2013-07-08 2013-07-08 2013-07-08 2015-01-05 2015-01-05	CAT I (High): 1	CAT II (Med): 2	CAT III (Low): 7	Excel	JSON	XML

STIG Description
The CISCO CSS DNS Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles

Classified	Public	Sensitive
I - Mission Critical Classified	I - Mission Critical Public	I - Mission Critical Sensitive	II - Mission Support Classified	II - Mission Support Public	II - Mission Support Sensitive	III - Administrative Classified	III - Administrative Public	III - Administrative Sensitive

Findings (MAC III - Administrative Sensitive)

Finding ID	Severity	Title	Description
V-4512	High	CSS DNS does not cryptographically authenticate APP sessions.	The risk to the CSS DNS in this situation is the CSS DNS peers do not authenticate each other, the sending and receiving of APP session data and peer communication may be with an adversary rather...
V-4507	Medium	The Cisco CSS DNS is utilized to host the organizations authoritative records and DISA Computing Services does not support that host in its csd.disa.mil domain and associated high-availability server infrastructure.	The primary security concern with regard to the type of delegation discussed is that to implement this approach, an organization would have to migrate its authoritative records from a well-known...
V-4510	Medium	Forwarders are not disabled on the CSS DNS.	CSS DNS is not vulnerable to attacks associated with recursion because it does not support recursion, but does offer a forwarder feature that sends un-resolvable or unsupported requests to another...
V-4508	Low	Zones are delegated with the CSS DNS.	Although it is technically possible to delegate zones within CSS DNS, there is almost never a rationale to do so because such delegation could be achieved as easily with BIND, which offers...
V-4509	Low	The CSS DNS does not transmit APP session data over an out-of-band network if one is available.	One can also limit APP communication to an out of band network, which would make it considerably more difficult for adversaries to spoof the addresses of peers or hijack APP sessions.
V-14756	Low	The DNS administrator will ensure non-routeable IPv6 link-local scope addresses are not configured in any zone. Such addresses begin with the prefixes of “FE8”, “FE9”, “FEA”, or “FEB”.	IPv6 link local scope addresses are not globally routable and must not be configured in any DNS zone. Similar to RFC1918, addresses, if a link-local scope address is inserted into a zone provided...
V-4506	Low	The shared secret in the APP session(s) was not a randomly generated 32 character text string.	The core requirements related to zone transfers are that an authoritative name server transfers zone information only to designated zone partners and that name servers only accept zone data when...
V-4467	Low	Record owners will validate their zones no less than annually. The DNS database administrator will remove all zone records that have not been validated in over a year.	If zone information has not been validated in over a year, then there is no assurance that it is still valid. If invalid records are in a zone, then an adversary could potentially use their...
V-14757	Low	AAAA addresses are configured on a host that is not IPv6 aware.	DNS is only responsible for resolving a domain name to an ip address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned. With this in...
V-4469	Low	Zone-spanning CNAME records, that point to a zone with lesser security, are active for more than six months.	The use of CNAME records for exercises, tests or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an...