Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-33957 | SRG-NET-000063-DNS-000032 | SV-44410r1_rule | | Medium |
Description |
---|
Zone transfer encryption is critical for the protection of the zone data. If the zone data is not protected for integrity, malicious users may gain the ability to modify the network resources. In the remote access scenario, zone transfers to external DNS servers may be required; that traffic ingresses to the infrastructure and must be secured using cryptography to protect the data transferred during those sessions. Cryptographic integrity for zone transfers and dynamic updates is accomplished through shared secrets and public keys that provide signing and hashing of DNS messages. DNS provides authentication and integrity through signatures but does not provide encryption; by design, DNS data is unencrypted. Encryption must therefore be provided through third-party hardware/software and is only applicable to EXTERNAL zone transfers. Virtual Private Networks are not considered external networks (per AC-17). |
STIG | Date |
---|---|
Domain Name System (DNS) Security Requirements Guide | 2012-10-24 |
Check Text (C-41967r1_chk) |
---|
Review the DNS server configuration to determine which servers may need to perform a zone transfer. Determine if cryptography is implemented for all zone transfer sessions. If DNS does not utilize a Transaction Signature (TSIG) to protect the integrity of the zone transfer session, this is a finding. |
Fix Text (F-37871r1_fix) |
---|
Configure the DNS server to ensure zone transfer integrity through the use of shared secrets and public keys. |
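The Check Text asks the reviewer to find every zone that can be transferred and confirm each transfer session is protected by TSIG; the Fix Text asks for the configuration that makes that true. The following added example (written for this page, not part of the STIG or of any DNS product) audits a BIND-style `named.conf` for zones whose `allow-transfer` list would accept an unsigned transfer. The embedded configuration is constructed: `xfer-key`, the zone names, the `203.0.113.5` address and the dummy secret are placeholders. The `example.test` zone shows the compliant form the Fix Text describes (transfers restricted to a declared TSIG key); the other zones show the address-only, mixed and `any` forms that are findings.

```python
import re

# Constructed named.conf excerpt, built for this example (not from the STIG page).
# "xfer-key" and the zone names are placeholders; the secret is a dummy value,
# not a real key. One zone restricts outbound transfers to the TSIG key (the
# configuration the Fix Text calls for); the others allow unsigned transfers.
SAMPLE_NAMED_CONF = """
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET==";
};

// Sign transfer requests sent to this secondary with the same key.
server 203.0.113.5 {
    keys { xfer-key; };
};

zone "example.test" {
    type master;
    file "db.example.test";
    allow-transfer { key xfer-key; };        # compliant: TSIG required
};

zone "legacy.test" {
    type master;
    file "db.legacy.test";
    allow-transfer { 203.0.113.5; };         # address only, no TSIG
};

zone "mixed.test" {
    type master;
    file "db.mixed.test";
    allow-transfer { key xfer-key; 203.0.113.5; };  # the address entry bypasses the key
};

zone "open.test" {
    type master;
    file "db.open.test";
    allow-transfer { any; };
};
"""


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _blocks(text, keyword):
    """Yield (name, body) for every `keyword "name" [IN] { ... };` statement."""
    opener = re.compile(r'\b%s\s+"?([^\s"{]+)"?\s*(?:IN\s+)?\{' % keyword)
    for m in opener.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def defined_tsig_keys(conf):
    """Names of the TSIG keys declared with top-level `key` statements."""
    return {name for name, _ in _blocks(_strip_comments(conf), "key")}


def audit_zone_transfers(conf):
    """Map each zone that permits unsigned transfers to a one-line reason.

    An address-match list is satisfied by ANY entry, so a zone passes only when
    every allow-transfer entry is a declared key, or the list is `none`.
    """
    clean = _strip_comments(conf)
    keys = defined_tsig_keys(clean)
    findings = {}
    for zone, body in _blocks(clean, "zone"):
        m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        if m is None:
            findings[zone] = "no allow-transfer clause; inherits the options default, review it"
            continue
        entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
        key_refs = [e.split()[1].strip('"') for e in entries if e.lower().startswith("key ")]
        unsigned = [e for e in entries if not e.lower().startswith("key ") and e.lower() != "none"]
        missing = [k for k in key_refs if k not in keys]
        if unsigned and not key_refs:
            findings[zone] = "allow-transfer does not require a TSIG key: " + "; ".join(unsigned)
        elif unsigned:
            findings[zone] = "allow-transfer mixes key and non-key entries: " + "; ".join(unsigned)
        elif missing:
            findings[zone] = "allow-transfer references undeclared key(s): " + ", ".join(missing)
    return findings


if __name__ == "__main__":
    for zone, reason in sorted(audit_zone_transfers(SAMPLE_NAMED_CONF).items()):
        print(f"FINDING {zone}: {reason}")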