UCF STIG Viewer Logo

The contents of zones are not reviewed at least annually.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13053 DNS0185 SV-13621r1_rule ECSC-1 Low
Description
DNS administrators must review the contents of their zones at least as often as annually for content or aggregation of content that may provide an adversary information that can potentially compromise operational security. This specifically includes names that provide an outsider some indication as to the function of the referenced system unless the function is obvious in the context of other standard DNS information (e.g., naming a DNS server as dns.zone.mil or an SMTP mail server as mail.zone.mil is not an OPSEC violation given that the functions of these servers are easily identifiable during DNS queries). The DNS administrator is the final adjudicator of the sensitivity of DNS information, in concert with the OPSEC processes of the organization, but should make a conscious decision to include such information based on operational need. NIST guidance includes specific guidelines that HINFO, RP and LOC records not be included in the zone.
STIG Date
DNS Policy 2015-12-29

Details

Check Text ( C-9298r1_chk )
Interview the DNS administrator and ask if there is a procedure in place to review and validate the contents of the zones he/she is responsible for, at least annually.
Fix Text (F-12295r1_fix)
The IAO will ensure the DNS administrator reviews the contents of the zones they are responsible for, at least annually.