
The DNS implementation must be configured to use cryptography to protect the integrity of remote access sessions such as zone transfers.
Overview

Finding ID:   V-33957
Version:      SRG-NET-000063-DNS-000032
Rule ID:      SV-44410r1_rule
IA Controls:
Severity:     Medium
Description
Zone transfer encryption is critical for the protection of the zone data. If the integrity of the zone data is not protected, malicious users may gain the ability to modify the network resources. Remote access in this scenario means zone transfers to external DNS servers: the traffic ingresses the infrastructure and must be secured with cryptography to protect the data transferred during the session. Cryptographic integrity for zone transfers and dynamic updates is achieved with shared secrets and public keys, which provide signing and hashing of DNS messages. DNS provides authentication and integrity through signatures but does not provide encryption; DNS by design uses unencrypted data. Encryption must therefore be provided through third-party hardware/software, and this requirement is only applicable to EXTERNAL zone transfers. Virtual Private Networks are not considered external networks (per AC-17).
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text ( C-41967r1_chk )
Review the DNS server configuration to determine which servers may need to perform a zone transfer. Determine if cryptography is implemented for all zone transfer sessions.

If DNS does not utilize a Transaction Signature (TSIG) to protect the integrity of the zone transfer session, this is a finding.
Fix Text (F-37871r1_fix)
Configure the DNS server to ensure the integrity of zone transfers through the use of shared secrets and public keys.
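As an added example (not part of the STIG text or of any vendor documentation), the following BIND 9 named.conf fragments show the shared-secret (TSIG) configuration the check text is looking for: the primary refuses any zone transfer that is not signed with the key, and the secondary signs its transfer requests with the same key. The zone name example.test, the addresses in 192.0.2.0/24, the key name xfer-key and the secret value are all constructed for illustration; a real secret would be generated with `tsig-keygen xfer-key` and never committed to a repository.

```conf
// ---- primary (192.0.2.10) : /etc/named.conf (constructed example) ----

// Shared secret used to sign zone-transfer messages. Both servers must hold
// the same key name, algorithm and secret. The secret below is a placeholder.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-from-tsig-keygen>";
};

zone "example.test" {
    type primary;                 // "master" on BIND versions before 9.16
    file "/var/named/example.test.db";
    // Only transfer requests carrying a valid TSIG signature are answered;
    // an unsigned AXFR/IXFR is refused even from the secondary's address.
    allow-transfer { key "xfer-key"; };
    notify yes;
    also-notify { 192.0.2.20; };
};

// ---- secondary (192.0.2.20) : /etc/named.conf (constructed example) ----

key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-from-tsig-keygen>";
};

zone "example.test" {
    type secondary;               // "slave" on BIND versions before 9.16
    file "/var/named/example.test.db";
    // Sign every transfer request to the primary with the shared key.
    primaries { 192.0.2.10 key "xfer-key"; };   // "masters" before 9.16
};
```

To perform the check described above, run an unsigned transfer against the primary, for example `dig @192.0.2.10 example.test AXFR`, and confirm it is refused; then repeat it signed, `dig @192.0.2.10 example.test AXFR -y hmac-sha256:xfer-key:<secret>`, and confirm the zone is returned. A primary that answers the unsigned request is the finding. Note that TSIG gives the transfer integrity and peer authentication only, as the description states; it does not hide the zone contents, so an external transfer that also needs confidentiality must be carried over a separate encrypted channel.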