The DNS implementation must use approved cryptography to protect the confidentiality of remote access sessions such as zone transfers.


Overview

Finding ID: V-33956
Version: SRG-NET-000062-DNS-000031
Rule ID: SV-44409r1_rule
IA Controls:
Severity: Medium
Description
Zone transfer encryption is critical for the protection of the zone data. If the zone data is not protected for confidentiality, malicious users may gain the ability to map the network resources. In this scenario, remote access refers to zone transfers to a system that may be required for external DNS server transfers; this traffic will ingress to the infrastructure and needs to be secured using cryptography to protect the data transferred in these sessions. (Note: DNSSEC provides authentication and integrity through signatures and hashes but does not provide encryption. DNS by design uses unencrypted data. This feature must be provided through third-party hardware/software and is only applicable to EXTERNAL zone transfers. Virtual Private Networks are not considered external networks (per AC-17)).
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-41966r1_chk)
Review the DNS server configuration to determine which servers may need to perform an external zone transfer.

Ensure any cryptographic implementation used to secure the confidentiality of the zone transfer sessions uses NIST-validated algorithms currently approved for use.

If the encryption algorithm is not approved or validated, this is a finding.
Fix Text (F-37870r1_fix)
Configure the DNS server to ensure zone transfers are utilizing currently approved FIPS 140-2 validated modules and algorithms to transfer all zone data.