Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-13042 | DNS0200 | SV-13610r1_rule | CODB-2 CODB-3 | High |
Description |
---|
A critical component of securing an information system is ensuring its availability. The best way to ensure availability is to eliminate any single point of failure in the system itself and in the network architecture that supports it. Fortunately, the inherent design of DNS supports a high-availability environment. Master and slave servers regularly communicate zone information, so if any name server is disabled at any time, another can immediately provide the same service. The task for the network architect is to ensure that a disaster or outage cannot simultaneously impact both the master and all of its slave servers. If such a disaster does occur, the DNS protocols themselves cannot prevent a total loss of name resolution services for hosts within the affected zones. |
STIG | Date |
---|---|
DNS Policy | 2015-12-29 |
Check Text (C-3424r1_chk) |
---|
Using the name server configuration files, identify any zone that does not have a slave. An authoritative server for each zone must have a slave name server. If this is not the case, this is a finding. If the slave server does not reside on a separate host, this is a finding. |
Note: If the zone's records are on one subnet, a single name server is required. |
Windows (with Active Directory): For servers integrated with Active Directory, verify there are other domain controllers that can take over as Domain naming operations master. Open the Active Directory Users and Computers snap-in console under the Administrative Tools menu. Expand the Active Directory domain and then expand the Domain Controllers folder. Ensure there are multiple domain controllers available within the domain. |
BIND: Examine each zone file and check the NS records. There should be multiple records for the same domain with different servers authoritative for the zone. The path to each zone file can be found by examining named.conf. |
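
The BIND portion of this check, as an added example that is not part of the STIG text: it reads zone names and file paths out of a named.conf fragment, collects the NS records from each zone file, and reports a finding when a zone has fewer than two distinct NS hosts or when every NS host resolves (via in-zone A records) to the same address. The named.conf, zone files and addresses are constructed samples, and the same-host test is a heuristic that only sees glue held in the zone itself.

```python
import re

# Constructed sample named.conf and zone files (not taken from any real server).
NAMED_CONF = """
zone "example.test"  { type master; file "db.example.test"; };
zone "lonely.test"   { type master; file "db.lonely.test"; };
zone "samehost.test" { type master; file "db.samehost.test"; };
"""
ZONE_FILES = {
    "db.example.test": """
@   IN NS  ns1.example.test.
@   IN NS  ns2.example.test.   ; slave on a separate host
ns1 IN A   192.0.2.1
ns2 IN A   192.0.2.2
""",
    "db.lonely.test": """
@   IN NS  ns1.lonely.test.
ns1 IN A   192.0.2.10
""",
    "db.samehost.test": """
@   IN NS  ns1.samehost.test.
@   IN NS  ns2.samehost.test.  ; second NS name, but the same host as ns1
ns1 IN A   192.0.2.20
ns2 IN A   192.0.2.20
""",
}

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{[^}]*?file\s+"([^"]+)"', re.S)
NS_RE = re.compile(r'^\S*\s+(?:\d+\s+)?(?:IN\s+)?NS\s+(\S+)', re.I | re.M)
A_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)', re.I | re.M)

def fqdn(name, zone):
    # Qualify a relative owner or target name against the zone origin.
    name = name.lower()
    return zone if name == "@" else name.rstrip(".") if name.endswith(".") else f"{name}.{zone}"

def audit(named_conf, files):
    # Return {zone: finding or None}; None means a slave exists on a separate host.
    report = {}
    for zone, path in ZONE_RE.findall(named_conf):
        text = "\n".join(ln.split(";", 1)[0] for ln in files[path].splitlines())  # drop comments
        ns_hosts = {fqdn(t, zone) for t in NS_RE.findall(text)}
        addrs = {fqdn(o, zone): ip for o, ip in A_RE.findall(text)}
        ips = {addrs[h] for h in ns_hosts if h in addrs}
        if len(ns_hosts) < 2:
            report[zone] = f"only {len(ns_hosts)} NS record(s): no slave"
        elif len(ips) == 1 and all(h in addrs for h in ns_hosts):
            report[zone] = "all NS hosts share one address: slave not on a separate host"
        else:
            report[zone] = None
    return report
```

NS hosts outside the zone carry no in-zone A record, so the separate-host part of the check must be completed by hand for them.
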
Fix Text (F-4347r1_fix) |
---|
The IAO must work with appropriate personnel to obtain and configure another name server to act as a slave to the server hosting this zone. |