The DNS implementation must disable use of non-secure protocols.


Overview

Finding ID: V-33961
Version: SRG-NET-000067-DNS-000033
Rule ID: SV-44414r1_rule
IA Controls:
Severity: Medium
Description
In this context, a non-secure protocol is one that has not been evaluated and accepted for use per the Ports, Protocols, and Services Category Assignments List (CAL) from DISA (PPSM). Disabling the use of non-secure protocols is essential to protect the DNS implementation and architecture. If a non-secure protocol is used, it could provide an exploitable path into the DNS infrastructure. Because DNS systems maintain a mapping of IP addresses to host names, that access could give an attacker valuable information.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-41971r1_chk)
Review the DNS system against the most recent Ports, Protocols, and Services Category Assignments List (CAL) from DISA (PPSM), as well as vendor documentation and operating system guidance, to determine if non-secure protocols are installed and listening on the DNS system.

If non-secure protocols are in use, this is a finding.
Fix Text (F-37875r1_fix)
Configure the DNS system so that the name server software uses only the secure ports and protocols required for operation that have been accepted for use per the Ports, Protocols, and Services Category Assignments List (CAL) from DISA (PPSM).