Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-13053 | DNS0185 | SV-13621r1_rule | Low |
Description |
---|
DNS administrators must review the contents of their zones at least as often as annually for content or aggregation of content that may provide an adversary information that can potentially compromise operational security. This specifically includes names that provide an outsider some indication as to the function of the referenced system unless the function is obvious in the context of other standard DNS information (e.g., naming a DNS server as dns.zone.mil or an SMTP mail server as mail.zone.mil is not an OPSEC violation given that the functions of these servers are easily identifiable during DNS queries). The DNS administrator is the final adjudicator of the sensitivity of DNS information, in concert with the OPSEC processes of the organization, but should make a conscious decision to include such information based on operational need. NIST guidance includes specific guidelines that HINFO, RP and LOC records not be included in the zone. |
STIG | Date |
---|---|
DNS Policy Security Technical Implementation Guide | 2017-10-02 |
Check Text ( C-9298r1_chk ) |
---|
Interview the DNS administrator and ask if there is a procedure in place to review and validate the contents of the zones he/she is responsible for, at least annually. |
Fix Text (F-12295r1_fix) |
---|
The IAO will ensure the DNS administrator reviews the contents of the zones they are responsible for, at least annually. |