Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4507 | DNS0905 | SV-4507r1_rule | ECSC-1 | Medium |
Description |
---|
The primary security concern with regard to the type of delegation discussed is that to implement this approach, an organization would have to migrate its authoritative records from a well-known DNS implementation with proven, tested security controls to a relatively new DNS implementation without similar controls. Therefore, this migration should only occur when the performance and availability advantages of CSS significantly outweigh the increased residual security risk of using a less mature technology. |
STIG | Date |
---|---|
CISCO CSS DNS | 2015-12-29 |
Check Text ( C-3408r1_chk ) |
---|
Determine whether the CSS DNS device is used as an authoritative name server. If the CSS DNS does maintain authoritative records, then this is a finding. The exception is a CSS DNS device that supports authoritative records only for hosts within the csd.disa.mil domain, which is not a finding. Instruction: In the presence of the reviewer, the CSS DNS administrator should enter the following command while in global configuration mode: `show dns-record statistics`. If any of the hosts have domain names outside of the csd.disa.mil domain, then this is a finding. |
Fix Text (F-4392r1_fix) |
---|
The CSS DNS administrator should use the following command while in global command mode, `no dns-record`, to remove domain records that do not support hosts in the csd.disa.mil domain. |