The DNS implementation must be configured to enable automated mechanisms to enforce access restrictions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-34062 | SRG-NET-000119-DNS-000071 | SV-44515r1_rule | Medium |
| Description |
|---|
| Any changes to the hardware, software, and/or firmware components of the DNS implementation can potentially have significant effects on the overall security of the system. Therefore, only qualified and authorized individuals should be allowed to obtain access to the DNS system components for the purposes of implementing any changes or upgrades. Auditing this information is critical to both the configuration management process and in the event of an intrusion. A system must be configured to enforce certain access restrictions, and those enforcement actions need to be logged as part of the audit process. In some cases it is possible for firmware modifications to be performed without authorization. Because of this physical access to the DNS system must be enforced. |
| STIG | Date |
|---|---|
| Domain Name System (DNS) Security Requirements Guide | 2012-10-24 |
Details
| Check Text ( C-42028r1_chk ) |
|---|
| Verify the DNS server is in an access controlled location. Review the DNS system configuration settings to verify automated mechanisms are in place to enforce access restrictions. If the DNS implementation is not in an access controlled location or does not have automated mechanisms in place to enforce access restrictions, this is a finding. |
| Fix Text (F-37976r1_fix) |
|---|
| Locate the DNS server in an access controlled area and configure it to automatically enforce access restrictions. |