
The DNS implementation must protect against or limit the effects of Denial of Service (DoS) attacks.

Overview

Finding ID: V-34140
Version: SRG-NET-000191-DNS-000117
Rule ID: SV-44593r1_rule
IA Controls:
Severity: Medium
Description
A denial of service (DoS) attack against the DNS infrastructure has the potential to cause a denial of service to all network users. Because the DNS is a distributed backbone service of the Internet, various forms of attack resulting in DoS are still prevalent on the Internet today. Without the DNS, users and systems would not have the ability to perform simple name-to-IP resolution. Configuring the DNS server to defend against cache poisoning, employing increased capacity and bandwidth, building redundancy into the DNS architecture, using "authoritative-only" name servers, limiting and securing recursive services and concurrent TCP clients, etc., may reduce the susceptibility to some DoS attacks.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-42100r1_chk)
Review the DNS server to determine if it is configured to protect against and limit the effects of DoS attacks. If the DNS is not configured to limit DoS attacks, this is a finding.
Fix Text (F-38050r1_fix)
Configure the DNS server to protect against or limit the effects of DoS attacks.
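The SRG leaves the concrete settings to the product-specific STIG, so as an added illustration (not part of the SRG and not vendor code) the script below audits a BIND 9 style named.conf fragment for the mitigations the Description names: recursion restricted by an access list, a cap on concurrent TCP clients, a cap on recursive clients, and response rate limiting. The two configuration fragments are constructed samples; the option names (recursion, allow-recursion, tcp-clients, recursive-clients, rate-limit) are real BIND 9 options, but the specific values chosen here are illustrative and must be sized for the server in question.

```python
import re

# Constructed sample: a resolver that answers recursive queries for anyone and
# sets no client or rate limits (the weak configuration).
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;   // open resolver: any source may drive recursion
};
"""

# Constructed sample: the same server with recursion restricted to an internal
# range, concurrency caps, and response rate limiting (the corrected configuration).
HARDENED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   # only internal clients may recurse
    tcp-clients 250;                   # bound concurrent TCP connections
    recursive-clients 1000;            # bound outstanding recursive lookups
    rate-limit {
        responses-per-second 10;       # limit identical responses per client /24
        window 5;
    };
};
"""


def strip_comments(text):
    """Remove the three comment styles BIND accepts: /* */, //, and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_body(text):
    """Return the text between the braces of the top-level options {} block."""
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        return None
    open_idx = start.end() - 1
    depth = 0
    for j in range(open_idx, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:j]
    return None


def statements(body):
    """Split a block body into top-level statements, keeping nested braces intact."""
    out, cur, depth = [], [], 0
    for ch in body:
        cur.append(ch)
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == ";" and depth == 0:
            out.append("".join(cur).strip().rstrip(";").strip())
            cur = []
    return [s for s in out if s]


def audit(conf):
    """Return a list of findings; an empty list means every checked mitigation is present."""
    body = options_body(strip_comments(conf))
    if body is None:
        return ["no options {} block found"]
    simple, blocks = {}, {}
    for stmt in statements(body):
        name = stmt.split(None, 1)[0]
        if "{" in stmt:
            blocks[name] = stmt[stmt.index("{") + 1:stmt.rindex("}")]
        else:
            parts = stmt.split(None, 1)
            simple[name] = parts[1] if len(parts) > 1 else ""

    findings = []
    # BIND 9 defaults to 'recursion yes' when the option is absent.
    recursion = simple.get("recursion", "yes")
    if recursion == "yes" and "allow-recursion" not in blocks:
        findings.append("open recursion: 'recursion yes' without an allow-recursion ACL")
    if recursion == "yes" and "recursive-clients" not in simple:
        findings.append("recursive-clients not set; outstanding recursions use the default cap")
    if "tcp-clients" not in simple:
        findings.append("tcp-clients not set; concurrent TCP clients use the default cap")
    if "rate-limit" not in blocks:
        findings.append("rate-limit block absent; no response rate limiting")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

The script only checks that each setting is present, which is what the Check Text asks a reviewer to establish; whether the chosen values are adequate depends on the server's capacity and role, and an authoritative-only server would instead set recursion no and need no allow-recursion list at all. Files pulled in through include statements are not followed.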