
The DNS implementation must limit the number of concurrent sessions for each system account, which for DNS consist of zone transfers and client connections, to an organization-defined number.


Overview

Finding ID: V-33943
Version: SRG-NET-000053-DNS-000030
Rule ID: SV-44396r1_rule
IA Controls: (none)
Severity: Low
Description
Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) to the DNS implementation. Limiting the number of zone transfer sessions reduces the likelihood of DoS from overburdening the system. Zone transfers must be restricted from primary to secondary name servers and must be limited to a very small subset of systems. Because zone transfers involve the transfer of entire zones and use TCP connections, they place substantial demands on network resources relative to normal DNS queries. Errant or malicious frequent zone transfer requests on the name servers of the enterprise can overload the master zone server and result in DoS to legitimate users. Additionally, the number of concurrent clients, especially TCP clients, needs to be kept to a level that does not risk placing the system in a DoS state.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text ( C-41952r1_chk )
Review the DNS server configuration and ensure there is a limit on the number of concurrent sessions, including zone transfers and clients. If the number of sessions is not limited, either explicitly or through the use of the implementation-defined default value, this is a finding.

Zone transfers must be disabled in the secondary name servers and the statements in the primary name server configuration file must list the IP addresses of the secondary servers that are allowed to perform zone transfers with the primary.
Fix Text (F-37856r1_fix)
Configure the DNS primary server to allow TCP connections for zone transfers only from a predefined list of secondary servers.

Disable zone transfers to secondary servers.

Limit the number of concurrent clients allowed on a server (recursive-clients).
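As an added example that is not part of the STIG, the following Python script applies the Check Text above to two constructed named.conf fragments, one weak and one hardened: it requires an explicit allow-transfer ACL for every zone that is not "any" (and is "none" on secondary zones), and reports which BIND options that bound concurrent sessions (recursive-clients, tcp-clients, transfers-out) are set explicitly rather than left at the BIND default. The regex parsing assumes one statement per line with top-level closing braces at the start of a line.

```python
import re
# Constructed sample named.conf fragments (not from any real deployment).
# Assumes one statement per line and top-level closing braces at line start.
WEAK_CONF = """\
options {
    allow-transfer { any; };   // any host may pull the whole zone
};
zone "example.test" {
    type master;
};
"""
HARDENED_CONF = """\
options {
    allow-transfer { none; };  // deny unless a zone statement allows it
    recursive-clients 500;     // concurrent recursive clients
    tcp-clients 100;           // concurrent TCP clients
    transfers-out 5;           // concurrent outbound zone transfers
};
zone "example.test" {
    type master;
    allow-transfer { 192.0.2.10; 192.0.2.11; };  // the secondaries only
};
"""
LIMIT_KEYS = ("recursive-clients", "tcp-clients", "transfers-out")

def _acl(block):
    """Tokens of the block's allow-transfer ACL, or None if it has none."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", block)
    return None if m is None else [t.strip() for t in m.group(1).split(";") if t.strip()]

def check_session_limits(conf):
    """Return {"findings": [...], "limits": {option: int}}; no findings == pass."""
    conf = re.sub(r"(//|#).*", "", conf)  # drop line comments
    findings, limits = [], {}
    m = re.search(r"^options\s*\{(.*?)^\};", conf, re.S | re.M)
    opts = m.group(1) if m else ""
    for key in LIMIT_KEYS:  # explicit limits; absence means the BIND default applies
        m = re.search(rf"\b{key}\s+(\d+)\s*;", opts)
        if m:
            limits[key] = int(m.group(1))
    global_acl = _acl(opts)
    for name, body in re.findall(r'^zone\s+"([^"]+)"\s*\{(.*?)^\};', conf, re.S | re.M):
        acl = _acl(body) or global_acl  # a zone statement overrides options
        if acl is None:
            findings.append(f"zone {name}: no allow-transfer statement; secondaries not listed")
        elif "any" in acl:
            findings.append(f"zone {name}: allow-transfer permits any host")
        elif re.search(r"\btype\s+(slave|secondary)\s*;", body) and acl != ["none"]:
            findings.append(f"zone {name}: secondary server still serves zone transfers")
    return {"findings": findings, "limits": limits}
```

An empty limits dictionary on a passing configuration means the server relies on BIND's built-in defaults for those limits, which the Check Text accepts but which an assessor should still record.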