
The DNS implementation must reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization.


Overview

Finding ID: V-33988
Version: SRG-NET-000087-DNS-000046
Rule ID: SV-44441r1_rule
IA Controls: (none listed)
Severity: Medium
Description
When a system is at risk of failing to process audit logs as required, it is critical that actions are taken automatically to mitigate the failure or the risk of failure. One method attackers use to thwart auditing is to overwhelm the auditing system with large amounts of irrelevant data. The result is either audit logs that are overwritten, erasing the record of activity, or exhausted disk space, after which no further activity is logged. If the system configuration does not allocate separate disk space to the auditing system, the outcome may be a system outage, creating a denial of service to the network services that rely on the DNS. Rejecting or delaying traffic above organization-defined volume thresholds caps how much such a flood can generate, protecting both the audit subsystem and the DNS service itself.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-41992r1_chk)
Review the DNS system configuration to determine whether network traffic generated above organization-defined traffic volume thresholds is rejected or delayed.

If the DNS system does not reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization, this is a finding.
Fix Text (F-37903r1_fix)
Configure the DNS system to reject or delay network traffic generated above configurable, organization-defined traffic volume thresholds.
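One way to implement this fix and automate the check on a BIND 9 name server, as an added example that is not part of the SRG (the SRG itself is product-neutral). The stanza below uses BIND's Response Rate Limiting, available since 9.9.4. The threshold of 10 responses per second, the exempt address ranges and the file contents are assumed values for illustration; both configuration files are constructed inline so the script runs offline and shows the weak configuration beside the corrected one.

```shell
#!/bin/sh
# Added example, not part of the DNS SRG: a BIND 9 rate-limit stanza that
# implements the fix, and a check that flags a named.conf lacking it.
# Assumptions: BIND 9.9.4+ (Response Rate Limiting); all paths and the
# 10 responses/second threshold are illustrative organization-defined values.

# The organization-defined threshold (assumed value for illustration).
ORG_RESPONSES_PER_SECOND=10

# Constructed named.conf fragment WITHOUT rate limiting: the weak state.
write_weak_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
};
EOF
}

# Corrected fragment: excess identical responses to one client prefix are
# dropped (rejected), but every 2nd dropped response is instead sent
# truncated (TC=1), so a legitimate client is delayed onto TCP rather than
# silenced. The exempt range is an assumed internal monitoring network.
write_fixed_conf() {
    cat > "$1" <<EOF
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    rate-limit {
        responses-per-second ${ORG_RESPONSES_PER_SECOND}; // identical answers per client prefix
        errors-per-second 5;     // REFUSED/SERVFAIL, common in reflection floods
        nxdomains-per-second 5;  // random-subdomain ("water torture") floods
        window 5;                // seconds over which the rate is averaged
        slip 2;                  // every 2nd dropped response becomes a TC=1 reply
        ipv4-prefix-length 24;   // aggregate clients per /24
        ipv6-prefix-length 56;   // aggregate clients per /56
        exempt-clients { 127.0.0.1; 10.0.0.0/8; }; // assumed internal range
        log-only no;             // set "yes" first to measure impact before enforcing
    };
};
EOF
}

# Check for the SRG requirement: returns 0 when the file has a rate-limit
# block whose responses-per-second is at or below the organization's
# threshold and which is actually enforcing; returns 1 (a finding) otherwise.
check_rrl_config() {
    conf="$1"
    if ! grep -q '^[[:space:]]*rate-limit[[:space:]]*{' "$conf"; then
        echo "FINDING: $conf has no rate-limit block"
        return 1
    fi
    rps=$(sed -n 's/^[[:space:]]*responses-per-second[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" | head -n 1)
    if [ -z "$rps" ] || [ "$rps" -gt "$ORG_RESPONSES_PER_SECOND" ]; then
        echo "FINDING: $conf responses-per-second '${rps:-unset}' exceeds $ORG_RESPONSES_PER_SECOND"
        return 1
    fi
    if grep -q '^[[:space:]]*log-only[[:space:]]*yes' "$conf"; then
        echo "FINDING: $conf rate-limit is log-only; excess traffic is neither rejected nor delayed"
        return 1
    fi
    echo "OK: $conf limits responses to $rps/s per client prefix"
    return 0
}

# Stand-alone demonstration against the two constructed files.
demo() {
    tmp=$(mktemp -d)
    write_weak_conf "$tmp/weak.conf"
    write_fixed_conf "$tmp/fixed.conf"
    check_rrl_config "$tmp/weak.conf" || true   # expected: FINDING
    check_rrl_config "$tmp/fixed.conf"          # expected: OK
    rm -rf "$tmp"
}

demo
```

The slip setting is what makes the difference between rejecting and delaying: with slip 0 all excess responses are silently dropped, while slip 2 lets every second one through as a truncated reply that forces the client to retry over TCP, which a spoofed-source flood cannot complete. Enable log-only yes during a measurement period so the organization can set thresholds from observed traffic before enforcing. Other servers offer equivalents: Unbound's ip-ratelimit directive and, on Windows DNS, the Set-DnsServerResponseRateLimiting cmdlet, which also has a LogOnly mode.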