
The DNS implementation must not have unnecessary services and capabilities enabled.


Overview

Finding ID: V-34074
Version: SRG-NET-000131-DNS-000075
Rule ID: SV-44527r1_rule
IA Controls: (not listed)
Severity: Medium
Description
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support the essential organizational operations of the information system. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. The DNS application must adhere to the principle of least functionality by providing only the capabilities essential to running the DNS service. Allowing other processes and services to run within a DNS implementation increases the risk to the platform, as each additional service or capability provides an additional avenue for attack. Security-related services specifically required by applicable DISA STIGs should be considered essential applications and should not be disabled.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-42040r1_chk)
Review the DNS configuration to determine if services or capabilities are present on the system that are not required for operational or mission need. DNS must be a dedicated service, i.e., it cannot coexist with any other network function, such as a firewall or DHCP service on the same platform. If additional services or capabilities are present on the system, this is a finding.
Fix Text (F-37988r1_fix)
Configure the DNS server to run in a dedicated environment for DNS functionality only. Remove or delete additional services or capabilities present on the system that are not needed by the DNS implementation.
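The check above asks the reviewer to look for services on the DNS platform beyond DNS itself. The following is an added example, not part of the SRG, that audits a host's listening sockets against a small allowlist and reports every other listener as a finding; it assumes the socket listing is in the column layout of `ss -H -lntu`, that port 953 is the BIND rndc control channel, and that SSH management on port 22 is an authorised essential service for the site (adjust ALLOWED_PORTS otherwise).

```shell
#!/bin/sh
# Added example (not part of the SRG text): report listeners on a DNS host
# that are not on the allowlist, as SRG-NET-000131-DNS-000075 requires.
# Input format assumed: `ss -H -lntu` columns
#   proto state recv-q send-q local_addr:port peer_addr:port

# Ports the dedicated DNS platform is expected to expose. 53 = DNS,
# 953 = rndc control channel (assumes BIND), 22 = SSH management
# (assumption: authorised as an essential service at this site).
ALLOWED_PORTS="${ALLOWED_PORTS:-53 953 22}"

# Extract the port from 0.0.0.0:53, [::]:53 or *:53 (last colon-separated field).
port_of() {
    echo "$1" | sed 's/.*:\([0-9][0-9]*\)$/\1/'
}

# Read socket lines on stdin; print one FINDING line per listener whose port is
# not allowlisted. Exit status 0 when clean, 1 when at least one finding exists.
audit_listeners() {
    findings=0
    while read -r proto _state _rq _sq laddr _peer; do
        [ -n "$proto" ] || continue
        port=$(port_of "$laddr")
        allowed=0
        for p in $ALLOWED_PORTS; do
            [ "$p" = "$port" ] && allowed=1 && break
        done
        if [ "$allowed" -eq 0 ]; then
            echo "FINDING: $proto listener on port $port ($laddr) is not an authorised DNS service"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: a BIND host that also runs DHCP (67/udp) and a web
# server (80/tcp), which the check text says is a finding.
SAMPLE_SOCKETS='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:67 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:953 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 [::]:80 [::]:*'

# Number of findings in the sample; on a live host pipe `ss -H -lntu` instead.
count_sample_findings() {
    printf '%s\n' "$SAMPLE_SOCKETS" | audit_listeners | grep -c '^FINDING'
}

count_sample_findings >/dev/null
```

Each FINDING line names a service that must be removed or moved off the platform before the host satisfies the fix text.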