
The DNS implementation must implement non-discretionary access control policies over privileged level users and resources to protect the DNS database or zone files.


Overview

Finding ID: V-33855
Version: SRG-NET-000017-DNS-000017
Rule ID: SV-44308r1_rule
IA Controls:
Severity: Medium
Description
The primary objective of DNS authentication and access control is the integrity of DNS records; only authorized personnel must be able to create and modify resource records, and name servers should only accept updates from authoritative master servers for the relevant zones. Integrity is best assured through authentication and access control features within the name server software, though firewalls also play a significant role in controlling DNS transactions on a network. To protect the zone files themselves, which should be accessed only by the name service or an administrator, access controls need to be implemented on those files. In DNS there are numerous access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) that are employed to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains). Access controls provide protection to the data and resources of the DNS. If an adversary is able to obtain or change a zone file, the DNS infrastructure is potentially at risk of failure or denial of service. DNS must enforce these non-discretionary access control policies over the DNS database or zone files to ensure data protection and integrity of the zone data.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-41911r1_chk)
Review the DNS system configuration to determine if non-discretionary access controls are in place to restrict access to the name server DNS database or zone files within the DNS implementation. If non-discretionary access controls are not in place to protect the zone database files of the DNS server, this is a finding.
Fix Text (F-37785r1_fix)
Configure the DNS system to restrict, via non-discretionary access controls, access to the DNS server DNS database or zone files.
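The file-level part of this check can be scripted. The POSIX shell helper below is an added example, not part of the STIG text or of any name server product. It assumes, hypothetically, that zone files sit in one directory passed as the first argument, that the name server's service account is passed as the second, and that the local policy treats a zone file as compliant when it is owned by that account, is not group- or world-writable, and is not world-readable. The demo function builds two constructed zone files in a temporary directory (one compliant, one mode 666) so the helper can be exercised offline.

```shell
#!/bin/sh
# Added zone-file permission audit (example code, not from the STIG or any vendor).
# Assumptions (hypothetical): $1 is the zone directory (e.g. /var/named or
# /etc/bind), $2 is the name server service account (e.g. named or bind), and
# the policy is: owned by that account, no group/world write, no world read.
# Prints one FINDING line per violation and returns the finding count
# (0 = compliant), so it can run from cron or a CI job.

audit_zone_dir() {
  dir="$1"
  owner="$2"
  findings=0

  for f in "$dir"/*; do
    [ -f "$f" ] || continue

    # Owner check: field 3 of 'ls -l' is the owning user (portable GNU/BSD).
    f_owner=$(ls -ld "$f" | awk '{print $3}')
    if [ "$f_owner" != "$owner" ]; then
      echo "FINDING: $f is owned by '$f_owner', expected '$owner'"
      findings=$((findings + 1))
    fi

    # Mode checks use octal masks with 'find -perm -MODE' (all bits must be set),
    # which every POSIX find understands: 020 = group write, 002 = world write,
    # 004 = world read.
    if [ -n "$(find "$f" -perm -020 -print)" ] || [ -n "$(find "$f" -perm -002 -print)" ]; then
      echo "FINDING: $f is group- or world-writable"
      findings=$((findings + 1))
    fi
    if [ -n "$(find "$f" -perm -004 -print)" ]; then
      echo "FINDING: $f is world-readable"
      findings=$((findings + 1))
    fi
  done

  echo "audit complete: $findings finding(s) in $dir"
  # Exit statuses are 0-255, so a very long list of findings is capped.
  if [ "$findings" -gt 255 ]; then findings=255; fi
  return "$findings"
}

# Offline demonstration with constructed sample data (not a real zone).
demo_audit() {
  tmp=$(mktemp -d)
  printf '$TTL 3600\n@ IN SOA ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600\n' > "$tmp/good.zone"
  chmod 640 "$tmp/good.zone"          # compliant under the assumed policy
  cp "$tmp/good.zone" "$tmp/bad.zone"
  chmod 666 "$tmp/bad.zone"           # group-writable and world-readable: two findings
  rc=0
  audit_zone_dir "$tmp" "$(id -un)" || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Stand-alone use: ZONE_DIR=/var/named DNS_USER=named sh audit_zones.sh
# Without ZONE_DIR set, the constructed demo runs instead.
if [ -n "${ZONE_DIR:-}" ]; then
  audit_zone_dir "$ZONE_DIR" "${DNS_USER:-named}"
else
  demo_audit
fi
```

Note that file ownership and mode are discretionary controls; they satisfy the "name service or an administrator only" part of the description but not the non-discretionary requirement on their own. A reviewer performing this check would pair the script with whatever mandatory control the platform provides (for example, verifying the mandatory access control label on the zone files on a system that uses one), and with the name server's own update policy restricting dynamic updates to the authoritative masters mentioned in the description.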