The DNS implementation must use approved cryptography to protect the confidentiality of remote access sessions such as zone transfers.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-33956 | SRG-NET-000062-DNS-000031 | SV-44409r1_rule | Medium |
| Description |
|---|
| Zone transfer encryption is critical for the protection of the zone data. If the zone data is not protected for confidentiality, malicious users may gain the ability to map the network resources. Remote access in this scenario is such that zone transfers to a system may be required for external DNS server transfers and the traffic will ingress to the infrastructure and need to be secured using cryptography to protect the transfer of data for sessions. Zone transfer encryption is critical for the protection of the zone data. (Note: DNSSEC provides authentication and integrity through signatures and hashes but does not provide encryption. DNS by design uses unencrypted data. This feature must be provided through third party hardware/software and is only applicable to EXTERNAL zone transfers. Virtual Private Networks are not considered external networks (per AC-17)). |
| STIG | Date |
|---|---|
| Domain Name System (DNS) Security Requirements Guide | 2012-10-24 |
Details
| Check Text ( C-41966r1_chk ) |
|---|
| Review the DNS server configuration to determine which servers may need to perform an external zone transfer. Ensure any cryptographic implementation to secure the confidentiality of the zone transfer sessions uses NIST validated algorithms currently approved for use. If the encryption algorithm is not approved or validated, this is a finding. |
| Fix Text (F-37870r1_fix) |
|---|
| Configure the DNS server to ensure zone transfers are utilizing currently approved FIPS 140-2 validated modules and algorithms to transfer all zone data. |