V-13042 | High | An authoritative master name server does not have at least one and preferably two or more active slave servers for each of its zones. The slave server does not reside on a separate host. | A critical component of securing an information system is ensuring its availability. The best way to ensure availability is to eliminate any single point of failure in the system itself and in... |
V-13043 | High | Name servers authoritative for a zone are not located on separate network segments if the host records described in the zone are themselves located across more than one network segment. | A critical component of securing an information system is ensuring its availability. The best way to ensure availability is to eliminate any single point of failure in the system itself and in... |
V-14763 | High | The name server software on production name servers is not BIND, Windows 2003 or later DNS, or alternatives with equivalent vendor support, configured in a manner to satisfy the general security requirements listed in the STIG. The only currently approved alternative is CISCO CSS DNS. | If an organization runs DNS name server software other than BIND, Windows 2003 DNS or later, or an equivalent alternative, it cannot benefit from assurance testing of those implementations of DNS.... |
V-13051 | High | The DNS server software is either installed on or enabled on an operating system that is no longer supported by the vendor. | |
V-4027 | Medium | Servers do not employ Host Based Intrusion Detection (HIDS). | Servers without a HIDS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the device. In order to ensure that an... |
V-13047 | Medium | The name server software on production name servers is not BIND, Windows 2003 or later DNS, or alternatives with equivalent security functionality and support, configured in a manner to satisfy the general security requirements listed in the STIG. | If an organization runs DNS name server software other than BIND, Windows 2003 DNS or later, or an equivalent alternative, such as Infoblox running BIND, it cannot benefit from assurance testing... |
V-13044 | Medium | A zone includes hosts located in more than one building or site, yet at least one of the authoritative name servers supporting the zone is not as geographically and topologically distributed as the most remote host. | When authoritative name servers are co-located in the same facility, the loss of the facility likely leads to the loss of access to all servers defined in their zones (i.e., nobody can resolve... |
V-13040 | Medium | Written procedures for the replacement of cryptographic keys used to secure DNS transactions do not exist. | Without adequate TSIG supersession procedures, there is the potential that an unauthorized person may be able to compromise the key. Once in possession of the key, that individual might be able... |
V-13041 | Medium | The IAO has not established written procedures for the process of updating zone records, who is authorized to submit and approve update requests, how the DNS administrator verifies the identity of the person from whom he/she received the request, and how the DNS administrator documents any changes made. | If the procedures for updating zone records are inadequate, then this increases the probability that an adversary, perhaps even an insider, will be able to modify the DNS records using weaknesses in... |
V-13048 | Medium | Hosts outside an enclave can directly query or request a zone transfer from a name server that resides on the internal network (i.e., not in a DMZ). | If external hosts are able to query a name server on the internal network, then there is the potential that an external adversary can obtain information about internal hosts that could assist the... |
V-13314 | Medium | A zone or name server does not have a backup administrator. | If there is no backup DNS administrator, then there is nobody to assist during a security emergency when the primary administrator is unavailable. In some cases, a backup administrator can also... |
V-13313 | Medium | The underlying operating system of the DNS server is not in compliance with the appropriate OS STIG. | A vulnerability in the underlying operating system of a DNS server could potentially impact not only the DNS server but the entire network infrastructure to include the Global Information Grid (GIG). |
V-13032 | Medium | A name server is not protected by equivalent or better physical access controls than the clients it supports. | If an adversary can compromise a name server, then the adversary can redirect most network traffic sent to the hosts defined on that name server. Therefore, the security of the name server is as... |
V-13035 | Medium | DNS logs are not reviewed daily or a real-time log analysis or network management tool is not employed to immediately alert an administrator of critical DNS system messages. | If a responsible administrator does not review DNS logs daily, then there is the potential that an attack or other security issue can go unnoticed for a day or more, which is unacceptable in DOD... |
V-13034 | Medium | The DNS log archival requirements do not meet or exceed the log archival requirements of the operating system on which the DNS software resides. | Name servers are dedicated to the DNS function and, as a result, the most critical security and operations events on those name servers will appear in the DNS logs. Different sites may have... |
V-13039 | Medium | Configuration change logs and justification for changes are not maintained. | If changes are made to the configuration without documentation, it is often difficult to determine the root cause of an operational problem or understand the circumstances in which a security... |
V-13038 | Medium | Operating procedures do not require that DNS configuration, keys, zones, and resource record data are backed up on any day on which there are changes. | If a name server's configuration, keys, zones, and resource record information is not backed up on any day in which there are changes, there is a risk that an organization cannot quickly recover... |
V-13046 | Low | The DNS database administrator has not documented the owner of each zone (or group of related records) and the date the zone was created, last modified, or verified. This documentation will preferably reside in the zone file itself through comments, but if this is not feasible, the DNS database administrator will maintain a separate database for this purpose. | A zone file should contain adequate documentation that would allow an IAO or newly assigned administrator to quickly learn the scope and structure of that zone. In particular, each record (or... |
V-13045 | Low | Private IP space is used within an Enclave without the use of split DNS to prevent private IPs from leaking into the public DNS system. | DNS operators should assume that any data placed in the DNS would be available to anyone connected to the Internet. Split DNS shall not be considered a mitigating factor or technique to deny DNS... |
V-13037 | Low | A patch and DNS software upgrade log, to include the identity of the administrator, date and time each patch or upgrade was implemented, is not maintained. | DNS software has a history of vulnerabilities and new ones may be discovered at any time. To ensure that attackers cannot take advantage of known DNS vulnerabilities, applicable software patches... |
V-13036 | Low | A list of personnel authorized to administer each zone and name server is not maintained. | If an organization does not document who is responsible for the DNS function, then there is a significant potential that unauthorized individuals will obtain privileged access to name servers. ... |
V-13050 | Low | The DNS architecture is not documented to include specific roles for each DNS server, the security controls in place, and what networks are able to query each server. | Without current and accurate documentation, any changes to the network infrastructure may jeopardize the network's integrity. To assist in the management, auditing, and security of the network,... |
V-13053 | Low | The contents of zones are not reviewed at least annually. | DNS administrators must review the contents of their zones at least as often as annually for content or aggregation of content that may provide an adversary information that can potentially... |
V-13052 | Low | The SA has not subscribed to ISC's mailing list "bind announce" for updates on vulnerabilities and software notifications. | Whether running the latest version of software or an earlier version, the administrator should be aware of the vulnerabilities, exploits, security fixes, and patches for the version that is in... |