UCF STIG Viewer Logo

DNS Policy


Overview

Date Finding Count (23)
2015-12-29 CAT I (High): 4 CAT II (Med): 12 CAT III (Low): 7
STIG Description
The DNS Policy Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-13042 High An authoritative master name server does not have at least one and preferably two or more active slave servers for each of its zones. The slave server does not reside on a separate host.
V-13043 High Name servers authoritative for a zone are not located on separate network segments if the host records described in the zone are themselves located across more than one network segment.
V-14763 High The name server software on production name servers is not BIND, Windows 2003 or later DNS, or alternatives with equivalent vendor support, configured in a manner to satisfy the general security requirements listed in the STIG. The only currently approved alternative is CISCO CSS DNS.
V-13051 High The DNS server software is either installed on or enabled on an operating system that is no longer supported by the vendor.
V-13047 Medium The name server software on production name servers is not BIND, Windows 2003 or later DNS, or alternatives with equivalent security functionality and support, configured in a manner to satisfy the general security requirements listed in the STIG.
V-13044 Medium A zone includes hosts located in more than one building or site, yet at least one of the authoritative name servers supporting the zone is not as geographically and topologically distributed as the most remote host.
V-13040 Medium Written procedures for the replacement of cryptographic keys used to secure DNS transactions does not exist.
V-13041 Medium The IAO has not established written procedures for the process of updating zone records, who is authorized to submit and approve update requests, how the DNS administrator verifies the identity of the person from whom he/she received the request, and how the DNS administrator documents any changes made.
V-13048 Medium Hosts outside an enclave can directly query or request a zone transfer from a name server that resides on the internal network (i.e., not in a DMZ).
V-13314 Medium A zone or name server does not have a backup administrator.
V-13313 Medium The underlying operating system of the DNS server is not in compliance with the appropriate OS STIG.
V-13032 Medium A name server is not protected by equivalent or better physical access controls than the clients it supports.
V-13035 Medium DNS logs are not reviewed daily or a real-time log analysis or network management tool is not employed to immediately alert an administrator of critical DNS system messages.
V-13034 Medium The DNS log archival requirements do not meet or exceed the log archival requirements of the operating system on which the DNS software resides.
V-13039 Medium Configuration change logs and justification for changes are not maintained.
V-13038 Medium Operating procedures do not require that DNS configuration, keys, zones, and resource record data are backed up on any day on which there are changes.
V-13046 Low The DNS database administrator has not documented the owner of each zone (or group of related records) and the date the zone was created, last modified, or verified. This documentation will preferably reside in the zone file itself through comments, but if this is not feasible, the DNS database administrator will maintain a separate database for this purpose.
V-13045 Low Private IP space is used within an Enclave without the use of split DNS to prevent private IPs from leaking into the public DNS system.
V-13037 Low A patch and DNS software upgrade log; to include the identity of the administrator, date and time each patch or upgrade was implemented, is not maintained.
V-13036 Low A list of personnel authorized to administer each zone and name server is not maintained.
V-13050 Low The DNS architecture is not documented to include specific roles for each DNS server, the security controls in place, and what networks are able to query each server.
V-13053 Low The contents of zones are not reviewed at least annually.
V-13052 Low The SA has not subscribed to ISC's mailing list "bind announce" for updates on vulnerabilities and software notifications.